Edit tour

Windows Analysis Report
#U8865#U4e01#U6253#U5305.exe

Overview

General Information

Sample name:	#U8865#U4e01#U6253#U5305.exe renamed because original name is a hash value
Original sample name:	.exe
Analysis ID:	1558248
MD5:	3f64df9616321b718366e70eab655e0c
SHA1:	9cb754e4471a26957f5aad0e37a3c705358fbde2
SHA256:	c1ebd4c1595fa80d6521320a9500d22b55693bd7ce20af58492a1018b8ccf18e
Tags:	exemalwareNeshtauser-Joker
Infos:

Detection

Bdaejec, Neshta, Ramnit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Bdaejec

Yara detected Neshta

Yara detected Ramnit

AI detected suspicious sample

Creates an undocumented autostart registry key

Drops PE files with a suspicious file extension

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Found evasive API chain (may stop execution after checking mutex)

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Sample is not signed and drops a device driver

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May infect USB drives

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential browser exploit detected (process start blacklist hit)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Classes Autorun Keys Modification

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

#U8865#U4e01#U6253#U5305.exe (PID: 2096 cmdline: "C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe" MD5: 3F64DF9616321B718366E70EAB655E0C)

#U8865#U4e01#U6253#U5305.exe (PID: 4948 cmdline: "C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe" MD5: 05D4C9A45A77E6862739FC5F29AAB804)

OMmJKXpD.exe (PID: 1012 cmdline: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)

WerFault.exe (PID: 8832 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1524 MD5: C31336C1EFC2CCB44B4326EA793040F2)

#U8865#U4e01#U6253#U5305Srv.exe (PID: 3172 cmdline: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe MD5: FF5E1F27193CE51EEC318714EF038BEF)

DesktopLayer.exe (PID: 6116 cmdline: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" MD5: FF5E1F27193CE51EEC318714EF038BEF)

iexplore.exe (PID: 2976 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" MD5: CFE2E6942AC1B72981B3105E22D3224E)

iexplore.exe (PID: 3460 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:17410 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

svchost.com (PID: 5896 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.55\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1045a MD5: 811C79A695A4715D805A61F5EF41264D)

ie_to_edge_stub.exe (PID: 280 cmdline: C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.55\BHO\ie_to_edge_stub.exe --from-ie-to-edge=3 --ie-frame-hwnd=1045a MD5: 473F645F28F5CF7E02FA17D3EB361298)

svchost.com (PID: 3544 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1045a MD5: 811C79A695A4715D805A61F5EF41264D)

msedge.exe (PID: 4828 cmdline: C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=1045a MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 7356 cmdline: "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=2120,i,3596338841407944912,4963749005619563787,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

svchost.com (PID: 5100 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new MD5: 811C79A695A4715D805A61F5EF41264D)

ssvagent.exe (PID: 3424 cmdline: C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe -new MD5: F9A898A606E7F5A1CD7CFFA8079253A0)

svchost.com (PID: 7508 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1045a --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 811C79A695A4715D805A61F5EF41264D)

msedge.exe (PID: 7544 cmdline: C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=1045a --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 7824 cmdline: "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2436,i,4521782591517298122,15665570468173289233,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 8552 cmdline: "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5884 --field-trial-handle=2436,i,4521782591517298122,15665570468173289233,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
neshta	Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something."	No Attribution	https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html https://www.mandiant.com/resources/pe-file-infecting-malware-ot https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest https://www.virusradar.com/en/Win32_Neshta.A/description	https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta

Name	Description	Attribution	Blogpost URLs	Link
Ramnit	According to Check Point, Ramnit is primarily a banking trojan, meaning that its purpose is to steal login credentials for online banking, which cybercriminals can sell or use in future attacks. For this reason, Ramnit primarily targets individuals rather than focusing on particular industries.Ramnit campaigns have been observed to target organizations in particular industries. For example, a 2019 campaign targeted financial organizations in the United Kingdom, Italy, and Canada.	No Attribution	http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html http://www.secureworks.com/research/threat-profiles/gold-fairfax http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html https://artik.blue/malware4	https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2150847642.0000000000400000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
00000000.00000002.2904723688.0000000000409000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
00000005.00000002.2146063623.0000000000400000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
Process Memory Space: #U8865#U4e01#U6253#U5305.exe PID: 2096	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
Process Memory Space: OMmJKXpD.exe PID: 1012	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Process Memory Space: #U8865#U4e01#U6253#U5305Srv.exe PID: 3172	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
Process Memory Space: DesktopLayer.exe PID: 6116	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.#U8865#U4e01#U6253#U5305.exe.4d1573.1.raw.unpack	MAL_Ramnit_May19_1	Detects Ramnit malware	Florian Roth
5.2.#U8865#U4e01#U6253#U5305Srv.exe.404031.1.raw.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
6.2.DesktopLayer.exe.404031.0.raw.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
6.0.DesktopLayer.exe.400000.0.unpack	MAL_Ramnit_May19_1	Detects Ramnit malware	Florian Roth
5.2.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
6.2.DesktopLayer.exe.400000.1.raw.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
5.0.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.unpack	MAL_Ramnit_May19_1	Detects Ramnit malware	Florian Roth
5.2.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.raw.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
6.2.DesktopLayer.exe.400000.1.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Classes Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\svchost.com "%1" %*, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe, ProcessId: 2096, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.55\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1045a, CommandLine: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.55\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1045a, CommandLine|base64offset|contains: o{h`, Image: C:\Windows\svchost.com, NewProcessName: C:\Windows\svchost.com, OriginalFileName: C:\Windows\svchost.com, ParentCommandLine: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:17410 /prefetch:2, ParentImage: C:\Program Files (x86)\Internet Explorer\iexplore.exe, ParentProcessId: 3460, ParentProcessName: iexplore.exe, ProcessCommandLine: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.55\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1045a, ProcessId: 5896, ProcessName: svchost.com

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files\Internet Explorer\iexplore.exe, ProcessId: 2976, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-19T09:06:04.066477+0100	2838522	1	Malware Command and Control Activity Detected	192.168.2.6	51213	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: #U8865#U4e01#U6253#U5305.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Avira: detection malicious, Label: W32/Delf.I

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	ReversingLabs: Detection: 93%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	ReversingLabs: Detection: 96%

Multi AV Scanner detection for submitted file

Source: #U8865#U4e01#U6253#U5305.exe	ReversingLabs: Detection: 97%
Source: #U8865#U4e01#U6253#U5305.exe	Virustotal: Detection: 90%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: #U8865#U4e01#U6253#U5305.exe

Joe Sandbox ML: detected

Source: #U8865#U4e01#U6253#U5305.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb@@4 source: jp2launcher.exe.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msqry32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSQRY32.EXE.0.dr
Source:	Binary string: mpextms.pdb source: mpextms.exe0.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.9.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source:	Binary string: MicrosoftEdgeUpdateBroker_unsigned.pdb source: MicrosoftEdgeUpdateBroker.exe.9.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection.pdb source: Common.DBConnection.exe.9.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\postc2rcross\x-none\msoxmled.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSOXMLED.EXE.9.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb# source: aimgr.exe0.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController64.exe.9.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source:	Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
Source:	Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdb source: MicrosoftEdgeComRegisterShellARM64.exe.9.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb source: OLicenseHeartbeat.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdbbroker.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OfficeScrSanBroker.exe.9.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\postc2rcross\x-none\msoxmled.pdb source: MSOXMLED.EXE.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdb source: OfficeScrSanBroker.exe.9.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: r.pdb source: AppSharingHookController.exe.0.dr, AppSharingHookController64.exe.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController64.exe.9.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb source: jp2launcher.exe.9.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb source: aimgr.exe0.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\orgchart.pdb source: ORGCHART.EXE.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\orgchart.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: ORGCHART.EXE.9.dr
Source:	Binary string: maintenanceservice.pdb source: maintenanceservice.exe.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\wordconv.pdb source: Wordconv.exe.9.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.0.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: VC_redist.x64.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe.9.dr
Source:	Binary string: GoogleUpdate_unsigned.pdb source: GoogleUpdate.exe.9.dr
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\.* source: #U8865#U4e01#U6253#U5305.exe, 00000000.00000002.2904919162.00000000007A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr, MpCmdRun.exe2.0.dr
Source:	Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdbh source: MicrosoftEdgeComRegisterShellARM64.exe.9.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection.pdbn#n source: Common.DBConnection.exe.9.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb source: LICLUA.EXE.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OLicenseHeartbeat.exe.0.dr
Source:	Binary string: maintenanceservice.pdb` source: maintenanceservice.exe.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\onenotem.pdb source: ONENOTEM.EXE.9.dr
Source:	Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr, MpCmdRun.exe2.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.0.dr
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\.M source: #U8865#U4e01#U6253#U5305.exe, 00000000.00000002.2904919162.00000000007A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe.9.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\wordconv.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: Wordconv.exe.9.dr
Source:	Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.0.dr
Source:	Binary string: MicrosoftEdgeUpdateCore_unsigned.pdbd source: MicrosoftEdgeUpdateCore.exe.9.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\onenotem.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: ONENOTEM.EXE.9.dr
Source:	Binary string: lper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: LICLUA.EXE.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source:	Binary string: in32.pdb source: officeappguardwin32.exe.9.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.9.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.9.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source:	Binary string: MicrosoftEdgeUpdateCore_unsigned.pdb source: MicrosoftEdgeUpdateCore.exe.9.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdb source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.0.dr
Source:	Binary string: mpextms.pdbGCTL source: mpextms.exe0.0.dr
Source:	Binary string: broker.pdb source: OfficeScrSanBroker.exe.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msqry32.pdb source: MSQRY32.EXE.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\javaw_objs\javaw.pdb source: javaw.exe0.9.dr

Spreading

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2904723688.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U8865#U4e01#U6253#U5305.exe PID: 2096, type: MEMORYSTR

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Source: #U8865#U4e01#U6253#U5305Srv.exe	Binary or memory string: [autorun] action=Open icon=%%WinDir%%\system32\shell32.dll,4 shellexecute=.\%s shell\explore\command=.\%s USEAUTOPLAY=1 shell\Open\command=.\%s
Source: #U8865#U4e01#U6253#U5305Srv.exe	Binary or memory string: autorun.inf
Source: #U8865#U4e01#U6253#U5305Srv.exe, 00000005.00000002.2146063623.0000000000400000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: autorun.inf
Source: #U8865#U4e01#U6253#U5305Srv.exe, 00000005.00000002.2146063623.0000000000400000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: [autorun]
Source: #U8865#U4e01#U6253#U5305Srv.exe, 00000005.00000002.2146063623.0000000000400000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: //--></SCRIPT>RmNautorun.infRECYCLER.exe[autorun]
Source: #U8865#U4e01#U6253#U5305Srv.exe, 00000005.00000002.2146063623.0000000000400000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: //--></SCRIPT>RmNautorun.infRECYCLER.exe[autorun]
Source: DesktopLayer.exe	Binary or memory string: [autorun] action=Open icon=%%WinDir%%\system32\shell32.dll,4 shellexecute=.\%s shell\explore\command=.\%s USEAUTOPLAY=1 shell\Open\command=.\%s
Source: DesktopLayer.exe	Binary or memory string: autorun.inf
Source: DesktopLayer.exe, 00000006.00000002.2150847642.0000000000400000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: autorun.inf
Source: DesktopLayer.exe, 00000006.00000002.2150847642.0000000000400000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: [autorun]
Source: DesktopLayer.exe, 00000006.00000002.2150847642.0000000000400000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: //--></SCRIPT>RmNautorun.infRECYCLER.exe[autorun]
Source: DesktopLayer.exe, 00000006.00000002.2150847642.0000000000400000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: //--></SCRIPT>RmNautorun.infRECYCLER.exe[autorun]

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00460890 FindFirstFileA,FindNextFileA,FindClose,FindClose,	2_2_00460890
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00460BC0 FindFirstFileA,FindNextFileA,FindClose,	2_2_00460BC0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00412D40 FindNextFileA,FindClose,FindFirstFileA,FindClose,	2_2_00412D40
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00460E30 FindFirstFileA,FindNextFileA,FindClose,FindClose,	2_2_00460E30
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0041B220 FindFirstFileA,FindClose,	2_2_0041B220
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00479FDA __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	2_2_00479FDA
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00409FA0 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	2_2_00409FA0
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Code function: 3_2_00DC29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	3_2_00DC29E2
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Code function: 5_2_004011DF FindFirstFileA,FindClose,	5_2_004011DF
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_2_004011DF FindFirstFileA,FindClose,	6_2_004011DF

Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe

Code function: 3_2_00DC2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

3_2_00DC2B8C

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Process created: C:\Windows\svchost.com

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2838522 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup : 192.168.2.6:51213 -> 1.1.1.1:53

Source: global traffic

TCP traffic: 192.168.2.6:49703 -> 44.221.84.105:799

Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 44.221.84.105 44.221.84.105

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe

Code function: 2_2_00426400 ioctlsocket,recvfrom,

2_2_00426400

Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.facebook.com/% equals www.facebook.com (Facebook)
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.facebook.com/favicon.ico1 equals www.facebook.com (Facebook)
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico equals www.myspace.com (Myspace)
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rambler.ru/ equals www.rambler.ru (Rambler)
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico equals www.rambler.ru (Rambler)

Source: global traffic	DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: OMmJKXpD.exe, 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmp, OMmJKXpD.exe, 00000003.00000003.2126314350.0000000000780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: integrator.exe.0.dr	String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: OLicenseHeartbeat.exe.0.dr	String found in binary or memory: http://CodeTypeIsExpectedOffice.System.ResultGlobal
Source: OfficeScrSanBroker.exe.9.dr	String found in binary or memory: http://SoftwareMicrosoft16.0CommonDebugHKEY_LOCAL_MACHINEHKEY_CURRENT_USER
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://amazon.fr/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://amazon.fr/H
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.bing.c
Source: VC_redist.x64.exe.0.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.icor
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://asp.usatoday.com/t
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://auone.jp/favicon.icoLz
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.igbusca.com.br/n
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.orange.es/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscador.terra.es/J
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: Uninstall.exe.0.dr, maintenanceservice.exe.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr, javaw.exe0.9.dr, maintenanceservice.exe.9.dr, GoogleUpdate.exe.9.dr, jp2launcher.exe.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E199000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: Uninstall.exe.0.dr, maintenanceservice.exe.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr, javaw.exe0.9.dr, GoogleUpdate.exe.9.dr, jp2launcher.exe.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, Uninstall.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr, javaw.exe0.9.dr, maintenanceservice.exe.9.dr, GoogleUpdate.exe.9.dr, jp2launcher.exe.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, Uninstall.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr, javaw.exe0.9.dr, maintenanceservice.exe.9.dr, GoogleUpdate.exe.9.dr, jp2launcher.exe.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.icog
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cnet.search.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cnet.search.com/3
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: Au3Check.exe.9.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Au3Check.exe.9.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Au3Check.exe.9.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Au3Check.exe.9.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Au3Check.exe.9.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr, javaw.exe0.9.dr, maintenanceservice.exe.9.dr, GoogleUpdate.exe.9.dr, jp2launcher.exe.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Uninstall.exe.0.dr, maintenanceservice.exe.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Uninstall.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E199000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr, javaw.exe0.9.dr, GoogleUpdate.exe.9.dr, jp2launcher.exe.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, Uninstall.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr, javaw.exe0.9.dr, maintenanceservice.exe.9.dr, GoogleUpdate.exe.9.dr, jp2launcher.exe.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: jp2launcher.exe.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Uninstall.exe.0.dr, maintenanceservice.exe.9.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Uninstall.exe.0.dr, maintenanceservice.exe.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Uninstall.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E199000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, ssvagent.exe.0.dr, javaw.exe0.9.dr, GoogleUpdate.exe.9.dr, jp2launcher.exe.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: armsvc.exe.0.dr, AdobeARMHelper.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Uninstall.exe.0.dr, maintenanceservice.exe.9.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: OMmJKXpD.exe, 00000003.00000002.3360687440.0000000000918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/
Source: OMmJKXpD.exe, 00000003.00000002.3360687440.00000000008CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/mandconnroutehelper.dll
Source: OMmJKXpD.exe, 00000003.00000002.3360687440.000000000093C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: OMmJKXpD.exe, 00000003.00000002.3360687440.000000000093C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar#
Source: OMmJKXpD.exe, 00000003.00000002.3360687440.000000000093C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarO
Source: OMmJKXpD.exe, 00000003.00000002.3360687440.000000000093C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarZ6
Source: OMmJKXpD.exe, 00000003.00000002.3360687440.00000000008CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarg
Source: OMmJKXpD.exe, 00000003.00000002.3361722167.000000000246A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarp
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://de.search.yahoo.com/:z
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://es.ask.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://find.joins.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fr.search.yahoo.com/pzaA
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.altervista.org/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://it.search.yahoo.com/Zz
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jobsearch.monster.com/E
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://list.taobao.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: #U8865#U4e01#U6253#U5305.exe, 00000000.00000002.2904652511.0000000000190000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.9.dr, Uninstall.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E199000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, Uninstall.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr, javaw.exe0.9.dr, GoogleUpdate.exe.9.dr, jp2launcher.exe.9.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, Uninstall.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr, javaw.exe0.9.dr, maintenanceservice.exe.9.dr, GoogleUpdate.exe.9.dr, jp2launcher.exe.9.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, Uninstall.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr, javaw.exe0.9.dr, maintenanceservice.exe.9.dr, GoogleUpdate.exe.9.dr, jp2launcher.exe.9.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Uninstall.exe.0.dr, maintenanceservice.exe.9.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, Uninstall.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr, javaw.exe0.9.dr, maintenanceservice.exe.9.dr, GoogleUpdate.exe.9.dr, jp2launcher.exe.9.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Au3Check.exe.9.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Au3Check.exe.9.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Au3Check.exe.9.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Au3Check.exe.9.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.icoIpPA
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://price.ru/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://price.ru/favicon.ico#i
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico(
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://recherche.tf1.fr/z
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://rover.ebay.com
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://rover.ebay.comu
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: officeappguardwin32.exe.9.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service
Source: officeappguardwin32.exe.9.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects
Source: officeappguardwin32.exe.9.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.about.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.alice.it/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.alice.it/favicon.icoE
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.aol.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.aol.in/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.auone.jp/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.books.com.tw/Gj
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico1
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.chol.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.chol.com/favicon.icodp
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.cn.yahoo.com/TzEA
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.daum.net/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.icoq
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.dreamwiz.com/si
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico3
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico8
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.de/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.es/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.es/C
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.in/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.it/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.it/9
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.empas.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico9
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.goo.ne.jp/nzOA
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.interpark.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ipop.co.kr/1i
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E0D7000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3361280155.000002599B226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: iexplore.exe, 00000007.00000002.3361280155.000002599B20D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&FORM=AS5S
Source: iexplore.exe, 00000007.00000002.3361280155.000002599B20D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&FORM=AS6Z
Source: iexplore.exe, 00000007.00000002.3361280155.000002599B20D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&FORM=CBPW
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E0D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&FORM=IE7BOX&src=%7Breferrer:source?%7D
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E0D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&FORM=IE7RE&src=%7Breferrer:source?%7DW
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E0D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&FORM=MSNIE7&src=%7Breferrer:source?%7D
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E0D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&Form=IE8SRC&src=%7Breferrer:source%7D
Source: iexplore.exe, 00000007.00000002.3361280155.000002599B226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&mkt=%7BLanguage%7D&FORM=IE8SRC&src=%7Breferr
Source: iexplore.exe, 00000007.00000002.3361280155.000002599B181000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&src=%7Breferrer:source?%7D
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E0D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&src=%7Breferrer:source?%7D&Form=IE8SRC
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E0D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&src=IE-SearchBox&Form=IE8SRC
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico?
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.lycos.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E184000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: iexplore.exe, 00000007.00000002.3361280155.000002599B20D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=%7BsearchTerms%7D&FORM=AS5
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E184000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=%7BsearchTerms%7D&FORM=AS6
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E184000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=%7BsearchTerms%7D&FORM=CBPW=
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362880259.000002599E184000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: iexplore.exe, 00000007.00000002.3361280155.000002599B20D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=%7BsearchTerms%7D&FORM=AS5
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E184000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=%7BsearchTerms%7D&FORM=AS6W
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E184000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=%7BsearchTerms%7D&FORM=CBPW
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E0D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: iexplore.exe, 00000007.00000002.3361280155.000002599B20D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=%7BsearchTerms%7D&FORM=AS5
Source: iexplore.exe, 00000007.00000002.3361280155.000002599B20D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=%7BsearchTerms%7D&FORM=AS6
Source: iexplore.exe, 00000007.00000002.3361280155.000002599B20D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=%7BsearchTerms%7D&FORM=CBPW
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.nate.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.naver.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.naver.com/oj3A(
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.nifty.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.nifty.com/Fz
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.orange.co.uk/f
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.icoG
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.rediff.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.sify.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.icow
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yahoo.co.jp7i
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yam.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: Au3Check.exe.9.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Au3Check.exe.9.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/qp
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.aol.de/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.lycos.de/R
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.web.de/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.web.de/4z%A%
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.web.de/favicon.icoJ
Source: officeappguardwin32.exe.9.dr	String found in binary or memory: http://tempuri.org/
Source: officeappguardwin32.exe.9.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUser
Source: officeappguardwin32.exe.9.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUserResponse
Source: officeappguardwin32.exe.9.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUser
Source: officeappguardwin32.exe.9.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUserResponse
Source: officeappguardwin32.exe.9.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfig
Source: officeappguardwin32.exe.9.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfigResponse
Source: officeappguardwin32.exe.9.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettings
Source: officeappguardwin32.exe.9.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse
Source: officeappguardwin32.exe.9.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettings
Source: officeappguardwin32.exe.9.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse
Source: officeappguardwin32.exe.9.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://udn.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uk.ask.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uk.search.yahoo.com/hzIA
Source: Amcache.hve.LOG1.26.dr	String found in binary or memory: http://upx.sf.net
Source: upx.exe.9.dr	String found in binary or memory: http://upx.sf.netT
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://video.globo.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.ask.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.alarabiya.net//i
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&camp=1789&creativ
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.de/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aol.com/favicon.icop
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico_
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ask.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico7
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.baidu.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.baidu.com/favicon.icoRpkA
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cdiscount.com/?
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ceneo.pl/bzSA
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico&
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.icoO
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, Uninstall.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr, javaw.exe0.9.dr, maintenanceservice.exe.9.dr, GoogleUpdate.exe.9.dr, jp2launcher.exe.9.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.expedia.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico6
Source: #U8865#U4e01#U6253#U5305.exe	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gmarket.co.kr/)i
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.co.in/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.co.uk/I
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com.br/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com.sa/4
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.cz/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.cz/W
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.de/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.de/Q
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.es/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.fr/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.fr/X
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.it/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.pl/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.ru/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.si/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iask.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.kkbox.com.tw/=i
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.icoNpWA
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.merlin.com.pl/vzgA
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mtv.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mtv.com/G
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.najdi.si/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.najdi.si/l
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.nate.com/favicon.icodk5A
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico#
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.orange.fr/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.icoo
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rtl.de/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.servicios.clarin.com//
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sogou.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sogou.com/Aj%A%
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.soso.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.soso.com/Mj
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.taobao.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.target.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tesco.com/
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.univision.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.univision.com/D
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.walmart.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.walmart.com/&z
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico:j
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www3.fnac.com/O
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.icoW
Source: iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation=ItemSea
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: msedge_pwa_launcher.exe.0.dr, elevation_service.exe.9.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr, elevation_service.exe.0.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: msedge_pwa_launcher.exe.0.dr, elevation_service.exe.9.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr, elevation_service.exe.0.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: OMmJKXpD.exe, 00000003.00000002.3360687440.000000000093C000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3361280155.000002599B1E4000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3361280155.000002599B20D000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362880259.000002599E199000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: OLicenseHeartbeat.exe.0.dr	String found in binary or memory: https://login.windows.net/commonhttps://login.windows.netDBSFetcher::CreateRequestHeader
Source: Uninstall.exe.0.dr, maintenanceservice.exe.9.dr	String found in binary or memory: https://mozilla.org0/
Source: integrator.exe.0.dr	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: integrator.exe.0.dr	String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: Au3Check.exe.9.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Uninstall.exe.0.dr, maintenanceservice.exe.9.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Au3Check.exe.9.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ramnit

Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2150847642.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2146063623.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U8865#U4e01#U6253#U5305Srv.exe PID: 3172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 6116, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe

Code function: 2_2_0042F460 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,

2_2_0042F460

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe

Code function: 2_2_0042F460 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,

2_2_0042F460

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe

Code function: 2_2_0042F5C0 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0042F5C0

Source: OfficeScrSanBroker.exe.9.dr

Binary or memory string: RegisterRawInputDevices

memstr_c9b60b7a-e

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0047E6B4 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	2_2_0047E6B4
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0047CB8D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	2_2_0047CB8D
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0041B3D0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	2_2_0041B3D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_004196C0 IsWindowEnabled,TranslateAcceleratorA,IsChild,GetFocus,PostMessageA,PostMessageA,SendMessageA,IsChild,IsWindow,IsWindowVisible,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA,WinHelpA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow,	2_2_004196C0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0042DCC0 GetKeyState,GetKeyState,GetKeyState,CopyRect,	2_2_0042DCC0

E-Banking Fraud

Yara detected Ramnit

Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2150847642.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2146063623.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U8865#U4e01#U6253#U5305Srv.exe PID: 3172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 6116, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.#U8865#U4e01#U6253#U5305.exe.4d1573.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Ramnit malware Author: Florian Roth
Source: 6.0.DesktopLayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Ramnit malware Author: Florian Roth
Source: 5.0.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Ramnit malware Author: Florian Roth

PE file contains section with special chars

Source: #U8865#U4e01#U6253#U5305.exe.0.dr	Static PE information: section name: I}u
Source: MyProg.exe.3.dr	Static PE information: section name: Y\|uR

PE file has a writeable .text section

Source: #U8865#U4e01#U6253#U5305.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: OMmJKXpD.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Code function: 5_3_01F204CC NtQuerySystemInformation,	5_3_01F204CC
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Code function: 5_3_01F21457 NtFreeVirtualMemory,	5_3_01F21457
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Code function: 5_3_01F20335 NtAllocateVirtualMemory,	5_3_01F20335
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Code function: 5_3_01F20814 NtProtectVirtualMemory,	5_3_01F20814
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Code function: 5_3_01F227A0 NtAllocateVirtualMemory,	5_3_01F227A0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Code function: 5_3_01F23519 NtQuerySystemInformation,	5_3_01F23519
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Code function: 5_2_01F227A0 NtAllocateVirtualMemory,	5_2_01F227A0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Code function: 5_2_01F22740 NtFreeVirtualMemory,	5_2_01F22740
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Code function: 5_2_01F23519 NtQuerySystemInformation,	5_2_01F23519
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_3_01F204CC NtQuerySystemInformation,	6_3_01F204CC
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_3_01F21457 NtFreeVirtualMemory,	6_3_01F21457
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_3_01F20335 NtAllocateVirtualMemory,	6_3_01F20335
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_3_01F20814 NtProtectVirtualMemory,	6_3_01F20814
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_3_01F227A0 NtAllocateVirtualMemory,	6_3_01F227A0
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_3_01F23519 NtQuerySystemInformation,	6_3_01F23519
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_2_004019D4 NtQueryInformationProcess,	6_2_004019D4
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_2_01F227A0 NtAllocateVirtualMemory,	6_2_01F227A0
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_2_01F22740 NtFreeVirtualMemory,	6_2_01F22740
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_2_01F23519 NtQuerySystemInformation,	6_2_01F23519

Source: C:\Windows\svchost.com

File created: C:\Windows\directx.sys

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Windows\svchost.com			Jump to behavior
Source: C:\Windows\svchost.com	File created: C:\Windows\directx.sys

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0042A0C0	2_2_0042A0C0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0044E200	2_2_0044E200
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0044A360	2_2_0044A360
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00464470	2_2_00464470
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0044E430	2_2_0044E430
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0043C4E0	2_2_0043C4E0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00424660	2_2_00424660
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00454610	2_2_00454610
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0043C810	2_2_0043C810
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0044C810	2_2_0044C810
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00414830	2_2_00414830
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0043C9A0	2_2_0043C9A0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00454AB0	2_2_00454AB0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0044AB50	2_2_0044AB50
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00466B60	2_2_00466B60
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00462B00	2_2_00462B00
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0044CD29	2_2_0044CD29
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0044EE70	2_2_0044EE70
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00440E10	2_2_00440E10
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00466E90	2_2_00466E90
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0043EF3D	2_2_0043EF3D
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0046B110	2_2_0046B110
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0044D1E6	2_2_0044D1E6
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_004111B0	2_2_004111B0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_004672C0	2_2_004672C0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00413350	2_2_00413350
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00449360	2_2_00449360
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0045D3D0	2_2_0045D3D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0044D4D1	2_2_0044D4D1
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0043F4A2	2_2_0043F4A2
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0045F500	2_2_0045F500
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00459520	2_2_00459520
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0044D684	2_2_0044D684
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0045B750	2_2_0045B750
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0041D710	2_2_0041D710
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0044D8FE	2_2_0044D8FE
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_004498A0	2_2_004498A0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0045D950	2_2_0045D950
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0045392E	2_2_0045392E
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0043FA00	2_2_0043FA00
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00445AC0	2_2_00445AC0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00463AF0	2_2_00463AF0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0041BA90	2_2_0041BA90
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00453B7E	2_2_00453B7E
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00467C90	2_2_00467C90
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00465CA0	2_2_00465CA0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0044DD30	2_2_0044DD30
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00445DD0	2_2_00445DD0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0047BE2E	2_2_0047BE2E
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00475EC1	2_2_00475EC1
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00463EE0	2_2_00463EE0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00459FC0	2_2_00459FC0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0044BFD0	2_2_0044BFD0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00471FB6	2_2_00471FB6
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Code function: 3_2_00DC6076	3_2_00DC6076
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Code function: 3_2_00DC6D00	3_2_00DC6D00

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\AutoIt3\Au3Check.exe A3C4641D4CB4608AF18CD06E4C01339C65C25B9289F0AA01CABE0E5C250A0E15

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: String function: 004450F0 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: String function: 00445500 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: String function: 0046C2B4 appears 94 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: String function: 0047AEEE appears 45 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: String function: 00445280 appears 39 times

Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1524

Source: MyProg.exe.3.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: #U8865#U4e01#U6253#U5305.exe	Binary or memory string: OriginalFilename vs #U8865#U4e01#U6253#U5305.exe
Source: #U8865#U4e01#U6253#U5305.exe, 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamenedwp.exe0 vs #U8865#U4e01#U6253#U5305.exe

Source: #U8865#U4e01#U6253#U5305.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 2.2.#U8865#U4e01#U6253#U5305.exe.4d1573.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Ramnit_May19_1 date = 2019-05-31, hash1 = d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3, author = Florian Roth, description = Detects Ramnit malware, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 6.0.DesktopLayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Ramnit_May19_1 date = 2019-05-31, hash1 = d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3, author = Florian Roth, description = Detects Ramnit malware, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 5.0.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Ramnit_May19_1 date = 2019-05-31, hash1 = d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3, author = Florian Roth, description = Detects Ramnit malware, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Source: OMmJKXpD.exe.2.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: OMmJKXpD.exe.2.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: OMmJKXpD.exe.2.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: MpCmdRun.exe2.0.dr	Binary string: IdImageFileNameFirst Resource TypeTypeScan SourceFirst Resource PathuserIdResource CountReasonProcessMessagePIDStartStopDataIsSignedFile\Device\\\?\\FI_UNKNOWN\drivers\error: invalid data: System Windows path changed during the trace from "%ls" to "%ls"
Source: OfficeScrSanBroker.exe.9.dr	Binary string: \Device\Afd\WepollNtCreateFilentdll.dllNtReleaseKeyedEventRtlNtStatusToDosErrorNtDeviceIoControlFileNtWaitForKeyedEventNtCreateKeyedEventwsipcudptcppipe_ != NULLopensource\libzmq\src\channel.cpp%s (%s:%d)

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@55/283@11/4

Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe

Code function: 3_2_00DC119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

3_2_00DC119F

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe

Code function: 5_2_004027E0 GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,

5_2_004027E0

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe

Code function: 2_2_0047A662 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,

2_2_0047A662

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe

File created: C:\Program Files (x86)\Microsoft\px578B.tmp

Jump to behavior

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery

Jump to behavior

Source: C:\Windows\svchost.com	Mutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush. svchost.com n X . t N t h ` T 5 @
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Mutant created: \Sessions\1\BaseNamedObjects\KyUffThOkYwRRtgPP
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1012

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe

File created: C:\Users\user\AppData\Local\Temp\3582-490

Jump to behavior

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: integrator.exe.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: #U8865#U4e01#U6253#U5305.exe	ReversingLabs: Detection: 97%
Source: #U8865#U4e01#U6253#U5305.exe	Virustotal: Detection: 90%

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe

File read: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe "C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe"
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe "C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Process created: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Process created: C:\Program Files (x86)\Microsoft\DesktopLayer.exe "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.55\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1045a
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.55\BHO\ie_to_edge_stub.exe --from-ie-to-edge=3 --ie-frame-hwnd=1045a
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe -new
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1045a
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=1045a
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=2120,i,3596338841407944912,4963749005619563787,262144 /prefetch:3
Source: unknown	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1045a --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=1045a --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2436,i,4521782591517298122,15665570468173289233,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5884 --field-trial-handle=2436,i,4521782591517298122,15665570468173289233,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1524
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe "C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Process created: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Process created: C:\Program Files (x86)\Microsoft\DesktopLayer.exe "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.55\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1045a	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new	Jump to behavior
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.55\BHO\ie_to_edge_stub.exe --from-ie-to-edge=3 --ie-frame-hwnd=1045a
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1045a
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe -new
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=1045a
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=2120,i,3596338841407944912,4963749005619563787,262144 /prefetch:3
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=1045a --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2436,i,4521782591517298122,15665570468173289233,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5884 --field-trial-handle=2436,i,4521782591517298122,15665570468173289233,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\svchost.com	Section loaded: apphelp.dll
Source: C:\Windows\svchost.com	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\svchost.com	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: uxtheme.dll
Source: C:\Windows\svchost.com	Section loaded: uxtheme.dll
Source: C:\Windows\svchost.com	Section loaded: uxtheme.dll

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb@@4 source: jp2launcher.exe.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msqry32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSQRY32.EXE.0.dr
Source:	Binary string: mpextms.pdb source: mpextms.exe0.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.9.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source:	Binary string: MicrosoftEdgeUpdateBroker_unsigned.pdb source: MicrosoftEdgeUpdateBroker.exe.9.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection.pdb source: Common.DBConnection.exe.9.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\postc2rcross\x-none\msoxmled.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSOXMLED.EXE.9.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb# source: aimgr.exe0.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController64.exe.9.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source:	Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
Source:	Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdb source: MicrosoftEdgeComRegisterShellARM64.exe.9.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb source: OLicenseHeartbeat.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdbbroker.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OfficeScrSanBroker.exe.9.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\postc2rcross\x-none\msoxmled.pdb source: MSOXMLED.EXE.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdb source: OfficeScrSanBroker.exe.9.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: r.pdb source: AppSharingHookController.exe.0.dr, AppSharingHookController64.exe.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController64.exe.9.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb source: jp2launcher.exe.9.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb source: aimgr.exe0.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\orgchart.pdb source: ORGCHART.EXE.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\orgchart.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: ORGCHART.EXE.9.dr
Source:	Binary string: maintenanceservice.pdb source: maintenanceservice.exe.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\wordconv.pdb source: Wordconv.exe.9.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.0.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: VC_redist.x64.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe.9.dr
Source:	Binary string: GoogleUpdate_unsigned.pdb source: GoogleUpdate.exe.9.dr
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\.* source: #U8865#U4e01#U6253#U5305.exe, 00000000.00000002.2904919162.00000000007A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr, MpCmdRun.exe2.0.dr
Source:	Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdbh source: MicrosoftEdgeComRegisterShellARM64.exe.9.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection.pdbn#n source: Common.DBConnection.exe.9.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb source: LICLUA.EXE.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OLicenseHeartbeat.exe.0.dr
Source:	Binary string: maintenanceservice.pdb` source: maintenanceservice.exe.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\onenotem.pdb source: ONENOTEM.EXE.9.dr
Source:	Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr, MpCmdRun.exe2.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.0.dr
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\.M source: #U8865#U4e01#U6253#U5305.exe, 00000000.00000002.2904919162.00000000007A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe.9.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\wordconv.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: Wordconv.exe.9.dr
Source:	Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.0.dr
Source:	Binary string: MicrosoftEdgeUpdateCore_unsigned.pdbd source: MicrosoftEdgeUpdateCore.exe.9.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\onenotem.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: ONENOTEM.EXE.9.dr
Source:	Binary string: lper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: LICLUA.EXE.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source:	Binary string: in32.pdb source: officeappguardwin32.exe.9.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.9.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.9.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source:	Binary string: MicrosoftEdgeUpdateCore_unsigned.pdb source: MicrosoftEdgeUpdateCore.exe.9.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdb source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.0.dr
Source:	Binary string: mpextms.pdbGCTL source: mpextms.exe0.0.dr
Source:	Binary string: broker.pdb source: OfficeScrSanBroker.exe.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msqry32.pdb source: MSQRY32.EXE.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\javaw_objs\javaw.pdb source: javaw.exe0.9.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe

Unpacked PE file: 3.2.OMmJKXpD.exe.dc0000.1.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe

Code function: 2_2_004D1006 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateMutexA,GetLastError,ReleaseMutex,CloseHandle,GetModuleFileNameA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,FreeLibrary,

2_2_004D1006

Source: initial sample

Static PE information: section where entry point is pointing to: I}u

Source: #U8865#U4e01#U6253#U5305.exe.0.dr	Static PE information: section name: .rmnet
Source: #U8865#U4e01#U6253#U5305.exe.0.dr	Static PE information: section name: I}u
Source: OMmJKXpD.exe.2.dr	Static PE information: section name: .aspack
Source: OMmJKXpD.exe.2.dr	Static PE information: section name: .adata
Source: Uninstall.exe.3.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.3.dr	Static PE information: section name: PELIB
Source: MyProg.exe.3.dr	Static PE information: section name: Y\|uR

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0046C2B4 push eax; ret	2_2_0046C2D2
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0046A5F0 push eax; ret	2_2_0046A61E
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Code function: 3_2_00DC1638 push dword ptr [00DC3084h]; ret	3_2_00DC170E
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Code function: 3_2_00DC2D9B push ecx; ret	3_2_00DC2DAB
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Code function: 3_2_00DC6014 push 00DC14E1h; ret	3_2_00DC6425
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Code function: 3_2_00DC600A push ebp; ret	3_2_00DC600D
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Code function: 5_3_01F2178F push eax; ret	5_3_01F222AF
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Code function: 5_3_01F2067A push eax; ret	5_3_01F222AF
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Code function: 5_2_01F2178F push eax; ret	5_2_01F222AF
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_3_01F2178F push eax; ret	6_3_01F222AF
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_3_01F2067A push eax; ret	6_3_01F222AF
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_2_01F2178F push eax; ret	6_2_01F222AF

Source: #U8865#U4e01#U6253#U5305.exe.0.dr	Static PE information: section name: .rmnet entropy: 7.772332911835861
Source: OMmJKXpD.exe.2.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.3.dr	Static PE information: section name: EpNuZ entropy: 6.933734169984848
Source: MyProg.exe.3.dr	Static PE information: section name: Y\|uR entropy: 6.934506391620042

Persistence and Installation Behavior

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2904723688.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U8865#U4e01#U6253#U5305.exe PID: 2096, type: MEMORYSTR

Yara detected Ramnit

Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2150847642.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2146063623.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U8865#U4e01#U6253#U5305Srv.exe PID: 3172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 6116, type: MEMORYSTR

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe

Executable created and started: C:\Windows\svchost.com

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Windows\svchost.com

File created: C:\Windows\directx.sys

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	File created: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Windows\svchost.com	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	File created: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	File created: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe	Jump to dropped file

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to dropped file

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Boot Survival

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2904723688.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U8865#U4e01#U6253#U5305.exe PID: 2096, type: MEMORYSTR

Yara detected Ramnit

Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2150847642.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2146063623.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U8865#U4e01#U6253#U5305Srv.exe PID: 3172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 6116, type: MEMORYSTR

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Yara detected Ramnit

Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2150847642.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2146063623.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U8865#U4e01#U6253#U5305Srv.exe PID: 3172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 6116, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_004164E0 DestroyCursor,IsWindowVisible,IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMenu,DeleteMenu,GetSystemMenu,	2_2_004164E0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0041A8B0 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow,	2_2_0041A8B0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00416BB0 IsIconic,IsZoomed,	2_2_00416BB0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00468C42 IsIconic,GetWindowPlacement,GetWindowRect,	2_2_00468C42
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_004111B0 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus,	2_2_004111B0

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe

Code function: 5_2_00401848 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00401848

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_3-1195

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedgewebview2.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_3-936

Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess

Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe

API coverage: 4.5 %

Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe

Code function: 3_2_00DC1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00DC1754h

3_2_00DC1718

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00460890 FindFirstFileA,FindNextFileA,FindClose,FindClose,	2_2_00460890
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00460BC0 FindFirstFileA,FindNextFileA,FindClose,	2_2_00460BC0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00412D40 FindNextFileA,FindClose,FindFirstFileA,FindClose,	2_2_00412D40
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00460E30 FindFirstFileA,FindNextFileA,FindClose,FindClose,	2_2_00460E30
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0041B220 FindFirstFileA,FindClose,	2_2_0041B220
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00479FDA __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	2_2_00479FDA
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_00409FA0 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	2_2_00409FA0
Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	Code function: 3_2_00DC29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	3_2_00DC29E2
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	Code function: 5_2_004011DF FindFirstFileA,FindClose,	5_2_004011DF
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_2_004011DF FindFirstFileA,FindClose,	6_2_004011DF

Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe

Code function: 3_2_00DC2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

3_2_00DC2B8C

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior

Source: Amcache.hve.LOG1.26.dr	Binary or memory string: VMware
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: OMmJKXpD.exe, 00000003.00000002.3360687440.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, OMmJKXpD.exe, 00000003.00000002.3360687440.0000000000953000.00000004.00000020.00020000.00000000.sdmp, OMmJKXpD.exe, 00000003.00000002.3360687440.0000000000918000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362880259.000002599E18C000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3361280155.000002599B181000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362880259.000002599E1AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: iexplore.exe, 00000007.00000002.3363522905.00000259A02CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\3 !XE
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: iexplore.exe, 00000007.00000003.2152045193.000002599B1A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll99x-
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: vmci.sys
Source: iexplore.exe, 00000007.00000002.3363522905.00000259A02CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe	API call chain: ExitProcess graph end node	graph_3-911
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe	API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	API call chain: ExitProcess graph end node

Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe

2_2_004D1006

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe

Code function: 2_2_004E0044 mov eax, dword ptr fs:[00000030h]

2_2_004E0044

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe

Code function: 2_2_00438940 GetProcessHeap,OleInitialize,GetModuleFileNameA,SetCurrentDirectoryA,LoadCursorA,GetStockObject,GetCurrentThreadId,

2_2_00438940

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0047512D SetUnhandledExceptionFilter,		2_2_0047512D
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe	Code function: 2_2_0047513F SetUnhandledExceptionFilter,		2_2_0047513F

HIPS / PFW / Operating System Protection Evasion

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe			Jump to dropped file
Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe			Jump to dropped file

Source: C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe "C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe"			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1045a

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe

Code function: 2_2_0046C7CA GetLocalTime,GetSystemTime,GetTimeZoneInformation,

2_2_0046C7CA

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe

Code function: 2_2_0046C7CA GetLocalTime,GetSystemTime,GetTimeZoneInformation,

2_2_0046C7CA

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe

Code function: 2_2_00483B95 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,

2_2_00483B95

Source: Amcache.hve.LOG1.26.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.LOG1.26.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: OMmJKXpD.exe PID: 1012, type: MEMORYSTR

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2904723688.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U8865#U4e01#U6253#U5305.exe PID: 2096, type: MEMORYSTR

Yara detected Ramnit

Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2150847642.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2146063623.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U8865#U4e01#U6253#U5305Srv.exe PID: 3172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 6116, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: OMmJKXpD.exe PID: 1012, type: MEMORYSTR

Yara detected Ramnit

Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U8865#U4e01#U6253#U5305Srv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2150847642.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2146063623.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U8865#U4e01#U6253#U5305Srv.exe PID: 3172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 6116, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	13 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	21 Input Capture	12 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 Windows Service	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Windows Service	3 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Process Injection	12 Software Packing	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	322 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#U8865#U4e01#U6253#U5305.exe	97%	ReversingLabs	Win32.Virus.Neshuta
#U8865#U4e01#U6253#U5305.exe	90%	Virustotal		Browse
#U8865#U4e01#U6253#U5305.exe	100%	Avira	W32/Delf.I
#U8865#U4e01#U6253#U5305.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	97%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	94%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Uninstall.exe	97%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	100%	ReversingLabs	Win32.Virus.Neshuta

Source	Detection	Scanner	Label
http://msk.afisha.ru/	0%	Avira URL Cloud	safe
http://www.merlin.com.pl/favicon.ico	0%	Avira URL Cloud	safe
http://search.ebay.com/favicon.ico8	0%	Avira URL Cloud	safe
http://search.chol.com/favicon.ico	0%	Avira URL Cloud	safe
http://img.shopzilla.com/shopzilla/shopzilla.ico	0%	Avira URL Cloud	safe
http://search.msn.co.jp/results.aspx?q=%7BsearchTerms%7D&FORM=AS6	0%	Avira URL Cloud	safe
http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation=ItemSea	0%	Avira URL Cloud	safe
http://search.msn.co.jp/results.aspx?q=%7BsearchTerms%7D&FORM=AS5	0%	Avira URL Cloud	safe
http://search.ebay.com/favicon.ico3	0%	Avira URL Cloud	safe
http://search.ebay.it/9	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	Avira URL Cloud	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://search.hanafos.com/favicon.ico	0%	Avira URL Cloud	safe
http://www.etmall.com.tw/favicon.ico	0%	Avira URL Cloud	safe
http://www.ya.com/favicon.ico	0%	Avira URL Cloud	safe
http://it.search.dada.net/favicon.ico	0%	Avira URL Cloud	safe
http://www.paginasamarillas.es/favicon.icoo	0%	Avira URL Cloud	safe
http://search.auction.co.kr/	0%	Avira URL Cloud	safe
http://sads.myspace.com/	0%	Avira URL Cloud	safe
http://browse.guardian.co.uk/favicon.ico	0%	Avira URL Cloud	safe
http://google.pchome.com.tw/	0%	Avira URL Cloud	safe
http://www.pchome.com.tw/favicon.ico	0%	Avira URL Cloud	safe
http://openimage.interpark.com/interpark.ico	0%	Avira URL Cloud	safe
http://search.sify.com/	0%	Avira URL Cloud	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://api.bing.c	0%	Avira URL Cloud	safe
http://search.nifty.com/	0%	Avira URL Cloud	safe
http://www.gmarket.co.kr/	0%	Avira URL Cloud	safe
http://busca.orange.es/	0%	Avira URL Cloud	safe
http://search.rediff.com/favicon.ico/	0%	Avira URL Cloud	safe
http://search.orange.co.uk/favicon.ico	0%	Avira URL Cloud	safe
http://search.centrum.cz/favicon.ico	0%	Avira URL Cloud	safe
http://search.cn.yahoo.com/TzEA	0%	Avira URL Cloud	safe
http://search.goo.ne.jp/nzOA	0%	Avira URL Cloud	safe
http://jobsearch.monster.com/E	0%	Avira URL Cloud	safe
http://ariadna.elmundo.es/	0%	Avira URL Cloud	safe
http://www.iask.com/	0%	Avira URL Cloud	safe
http://service2.bfast.com/	0%	Avira URL Cloud	safe
http://www.tiscali.it/favicon.ico	0%	Avira URL Cloud	safe
http://www.servicios.clarin.com/	0%	Avira URL Cloud	safe
http://www.kkbox.com.tw/	0%	Avira URL Cloud	safe
http://search.goo.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.asharqalawsat.com/favicon.ico	0%	Avira URL Cloud	safe
http://ie.search.yahoo.com/os?command=	0%	Avira URL Cloud	safe
http://search.gismeteo.ru/	0%	Avira URL Cloud	safe
http://www.etmall.com.tw/	0%	Avira URL Cloud	safe
http://www.auction.co.kr/auction.ico	0%	Avira URL Cloud	safe
http://search.ipop.co.kr/	0%	Avira URL Cloud	safe
http://search1.taobao.com/	0%	Avira URL Cloud	safe
http://buscador.terra.com/favicon.ico	0%	Avira URL Cloud	safe
http://search.gamer.com.tw/favicon.ico9	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chrome.cloudflare-dns.com	162.159.61.3	true	false		high
ddos.dnsnb8.net	44.221.84.105	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mercadolivre.com.br/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.ebay.it/9	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.merlin.com.pl/favicon.ico	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dailymail.co.uk/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tempuri.org/	officeappguardwin32.exe.9.dr	false		high
http://fr.search.yahoo.com/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://in.search.yahoo.com/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation=ItemSea	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.ebay.com/favicon.ico3	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.msn.co.jp/results.aspx?q=%7BsearchTerms%7D&FORM=AS5	iexplore.exe, 00000007.00000002.3361280155.000002599B20D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.msn.co.jp/results.aspx?q=%7BsearchTerms%7D&FORM=AS6	iexplore.exe, 00000007.00000002.3362880259.000002599E184000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.ebay.com/favicon.ico8	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://msk.afisha.ru/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://busca.igbusca.com.br//app/static/images/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ya.com/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.etmall.com.tw/favicon.ico	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://it.search.dada.net/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.hanafos.com/favicon.ico	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.msn.co.jp/results.aspx?q=	iexplore.exe, 00000007.00000002.3362880259.000002599E184000.00000004.00000020.00020000.00000000.sdmp	false		high
http://buscar.ozu.es/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ask.com/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.live.com/results.aspx?FORM=SOLTDF&q=	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.google.it/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.auction.co.kr/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.amazon.de/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.paginasamarillas.es/favicon.icoo	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://sads.myspace.com/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.de/Q	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sogou.com/Aj%A%	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://list.taobao.com/browse/search_visual.htm?n=15&q=	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.pchome.com.tw/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://browse.guardian.co.uk/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IRoamingSettingsService/EnableUser	officeappguardwin32.exe.9.dr	false		high
http://google.pchome.com.tw/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rambler.ru/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://uk.search.yahoo.com/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ozu.es/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://openimage.interpark.com/interpark.ico	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.yahoo.co.jp/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.gmarket.co.kr/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.nifty.com/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.si/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.soso.com/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://api.bing.c	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://busca.orange.es/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cnweb.search.live.com/results.aspx?q=	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.rediff.com/favicon.ico/	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.target.com/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse	officeappguardwin32.exe.9.dr	false		high
http://jobsearch.monster.com/E	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.live.com/results.aspx?q=%7BsearchTerms%7D&src=%7Breferrer:source?%7D&Form=IE8SRC	iexplore.exe, 00000007.00000002.3362880259.000002599E0D7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.cn.yahoo.com/TzEA	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.orange.co.uk/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iask.com/	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IRoamingSettingsService/GetConfigResponse	officeappguardwin32.exe.9.dr	false		high
http://search.goo.ne.jp/nzOA	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.centrum.cz/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://service2.bfast.com/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ariadna.elmundo.es/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.news.com.au/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cdiscount.com/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.tiscali.it/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://it.search.yahoo.com/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ceneo.pl/favicon.ico	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.servicios.clarin.com/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.daum.net/favicon.ico	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://asp.usatoday.com/favicon.icor	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.kkbox.com.tw/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.goo.ne.jp/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.msn.com/results.aspx?q=	iexplore.exe, 00000007.00000002.3362880259.000002599E0D7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://list.taobao.com/	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.books.com.tw/favicon.ico1	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.taobao.com/favicon.ico	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.etmall.com.tw/	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ie.search.yahoo.com/os?command=	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cnet.com/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.linternaute.com/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.amazon.co.uk/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cdiscount.com/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.asharqalawsat.com/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.fr/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.live.com/results.aspx?FORM=IEFM1&q=	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.gismeteo.ru/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rtl.de/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.soso.com/favicon.ico	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.univision.com/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.ipop.co.kr/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.auction.co.kr/auction.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.orange.fr/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/commonhttps://login.windows.netDBSFetcher::CreateRequestHeader	OLicenseHeartbeat.exe.0.dr	false		high
http://video.globo.com/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.google.co.uk/	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://buscador.terra.com/favicon.ico	iexplore.exe, 00000007.00000002.3362880259.000002599E14F000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search1.taobao.com/	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.gamer.com.tw/favicon.ico9	iexplore.exe, 00000007.00000002.3362817450.000002599DE40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
44.221.84.105	ddos.dnsnb8.net	United States	14618	AMAZON-AESUS	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558248
Start date and time:	2024-11-19 09:05:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	#U8865#U4e01#U6253#U5305.exe renamed because original name is a hash value
Original Sample Name:	.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@55/283@11/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 41 Number of non-executed functions: 269
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.89.167, 2.23.209.189, 2.23.209.185, 2.23.209.186, 2.23.209.182, 2.23.209.193, 2.23.209.181, 2.23.209.130, 2.23.209.187, 2.23.209.183, 13.107.42.16, 204.79.197.239, 13.107.21.239, 142.250.185.110, 204.79.197.200, 142.250.186.174
Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, e11290.dspg.akamaiedge.net, go.microsoft.com, e86303.dscx.akamaiedge.net, clients2.google.com, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, config-edge-skype.l-0007.l-msedge.net, l-0007.l-msedge.net, ieonline.microsoft.com, config.edge.skype.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, edge.microsoft.com, any.edge.bing.com, l-0007.config.skype.com, go.microsoft.com.edgekey.net, clients.l.google.com, dual-a-0036.a-msedge.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.61.3	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	FRSSDE.exe	Get hash	malicious	Remcos	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	Unlock_Tool_v2.6.5.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
239.255.255.250	https://192381.clicks.goto-9.net/track/click?u=3634028&p=3139323338313a323a323a303a303a30&s=9805e720a8572b6bbbb06f2979714af5&m=5819	Get hash	malicious	Unknown	Browse
	https://blacksaltys.com	Get hash	malicious	Unknown	Browse
	https://packedbrick.com	Get hash	malicious	Unknown	Browse
	https://recociese.za.com/wpcones/excel.html	Get hash	malicious	Unknown	Browse
	https://sp792669.sitebeat.crazydomains.com	Get hash	malicious	Unknown	Browse
	NTS_eTaxInvoice.html	Get hash	malicious	Unknown	Browse
	https://gmailnliz19.ebtrk3.com/openurl?lid=5808098873966592&nid=4863316211269632&c=&s=&ci=&e_id=	Get hash	malicious	Unknown	Browse
	https://fixedzip.oss-ap-southeast-5.aliyuncs.com/replace.txt	Get hash	malicious	Unknown	Browse
	http://178.215.224.252/v10/ukyh.php	Get hash	malicious	Unknown	Browse
	http://185.147.124.40/Capcha.html	Get hash	malicious	Unknown	Browse
44.221.84.105	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	hehckyov.biz/of
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	hehckyov.biz/sdgvcmfo
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	gahyhiz.com/login.php
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	vocyzit.com/login.php
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	vocyzit.com/login.php
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	gadyciz.com/login.php
	arxtPs1STE.exe	Get hash	malicious	Simda Stealer	Browse	vocyzit.com/login.php
	Z8eHwAvqAh.exe	Get hash	malicious	Simda Stealer	Browse	gahyhiz.com/login.php
	WlCVLbzNph.exe	Get hash	malicious	Simda Stealer	Browse	gadyciz.com/login.php
	Bpfz752pYZ.exe	Get hash	malicious	Simda Stealer	Browse	vocyzit.com/login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	FRSSDE.exe	Get hash	malicious	Remcos	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	Unlock_Tool_v2.6.5.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
ddos.dnsnb8.net	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse	44.221.84.105
	ib.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	1hdqYXYJkr.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(193).exe	Get hash	malicious	Bdaejec, Stealc	Browse	44.221.84.105
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(212).exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(216).exe.dll	Get hash	malicious	Bdaejec, Sality	Browse	44.221.84.105
	A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.81.208
	https://gmailnliz19.ebtrk3.com/openurl?lid=5808098873966592&nid=4863316211269632&c=&s=&ci=&e_id=	Get hash	malicious	Unknown	Browse	104.21.92.214
	Swift copy.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.188.199
	https://fixedzip.oss-ap-southeast-5.aliyuncs.com/replace.txt	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	104.21.85.146
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.188.199
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.81.208
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.81.208
	https://gmailnliz19.ebtrk3.com/openurl?lid=5808098873966592&nid=4863316211269632&c=&s=&ci=&e_id=	Get hash	malicious	Unknown	Browse	104.21.92.214
	Swift copy.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.188.199
	https://fixedzip.oss-ap-southeast-5.aliyuncs.com/replace.txt	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	104.21.85.146
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.188.199
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.81.208
AMAZON-AESUS	owari.mips.elf	Get hash	malicious	Unknown	Browse	44.194.145.154
	owari.sh4.elf	Get hash	malicious	Unknown	Browse	34.234.216.71
	owari.mpsl.elf	Get hash	malicious	Unknown	Browse	54.139.242.167
	owari.x86.elf	Get hash	malicious	Unknown	Browse	18.232.119.218
	mips.elf	Get hash	malicious	Mirai	Browse	54.10.208.229
	https://uymtnxoiutrbebdxcfngvhbjnklijuygtfbrdxevfcgvhbjn.b-cdn.net/updatinggeneral004/index.html?b=Y3VzdG9tZXJzZXJ2aWNldGVhbUB3YWl0cm9zZS5jby51aw==	Get hash	malicious	Unknown	Browse	54.221.78.146
	https://uymtnxoiutrbebdxcfngvhbjnklijuygtfbrdxevfcgvhbjn.b-cdn.net/updatinggeneral004/index.html?b=Y3VzdG9tZXJzZXJ2aWNldGVhbUB3YWl0cm9zZS5jby51aw==	Get hash	malicious	Unknown	Browse	54.221.78.146
	phish_alert_sp1_1.0.0.0(1).eml	Get hash	malicious	KnowBe4	Browse	3.221.71.218
	phish_alert_sp1_1.0.0.0.eml	Get hash	malicious	Unknown	Browse	52.6.56.188
	900092839283982.exe	Get hash	malicious	DBatLoader, VIP Keylogger	Browse	3.5.8.191

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\AutoIt3\Au3Check.exe	OXrZ6fj4Hq.exe	Get hash	malicious	Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm	Browse
	svchost.exe	Get hash	malicious	Neshta, XWorm	Browse
	Botkiller.exe	Get hash	malicious	Neshta, Njrat	Browse
	dump.exe	Get hash	malicious	Neshta	Browse
	ORDER_SL.EXE.exe	Get hash	malicious	AgentTesla, Neshta	Browse
	Build.exe	Get hash	malicious	DBatLoader, Neshta	Browse
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse
	x.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse
	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	275560
Entropy (8bit):	6.292868175467042
Encrypted:	false
SSDEEP:	3072:zr8WDrCoP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0BwOvO9:Puo4VQjVsxyItKQNhigibKCM
MD5:	5BFFBD5E0AC5D8C8E8F7257912599415
SHA1:	5A9F6AB857410BB9F3108A5A6ACF8A7EBA58361F
SHA-256:	A3C4641D4CB4608AF18CD06E4C01339C65C25B9289F0AA01CABE0E5C250A0E15
SHA-512:	D576DEE2BF7C66293758F07B2A19B8659BA5A65D2FA9C05BA254008F30B46447871FC66B7DED6AD6796B34FB91406F17536DF6E8E2465723138A31A9C8DA5B36
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Joe Sandbox View:	Filename: OXrZ6fj4Hq.exe, Detection: malicious, Browse Filename: svchost.exe, Detection: malicious, Browse Filename: Botkiller.exe, Detection: malicious, Browse Filename: dump.exe, Detection: malicious, Browse Filename: ORDER_SL.EXE.exe, Detection: malicious, Browse Filename: Build.exe, Detection: malicious, Browse Filename: F.exe, Detection: malicious, Browse Filename: x.exe, Detection: malicious, Browse Filename: java_update.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	217704
Entropy (8bit):	6.601006983838455
Encrypted:	false
SSDEEP:	3072:zr8WDrC7xFVaK4T6fWSlXe0lJQafeyrR0kr/yh5DEU/Pk13TfwqiTP0McBUNnUxW:PuV2K4TSFo5Y683TdiQMcGNUl4N
MD5:	633E57697FE20B13A19E565EFB15550B
SHA1:	4D789F99FD6D9E3024E2E1A35922E875E5F3F113
SHA-256:	55075BDACF914AF03AD6CD417AFFC3A604A73AFD3D06A2256A1835CBF0F39B5E
SHA-512:	8C49A2C57A51C209E1B032C554AB2251F3DB6FA8FE0609B9EFE9A60412C9018A90B22F61D9027895432FC3615DB54A25DCD55CF5210BFAD7C73B3CF5906A15DB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	237160
Entropy (8bit):	6.436536629191244
Encrypted:	false
SSDEEP:	3072:zr8WDrCIyRnuBGwl/1Gc9QnvGqyWQ93kr/yh5DEU/P5kP0zU35iuvQBUeGMLu:Pu7l3wdYtcH9b5Y651zU77Ea
MD5:	80D5957764641A059A246ACC3B876FD8
SHA1:	379F4A825CF3B9EA2CBF96D0AFAA6F5192BE25A0
SHA-256:	B904C8888CD019FAD590E1135E917D944BC16340757BC90DDD3511359766B8BB
SHA-512:	4FE0AECD7F5B44FA5AC52165C566EEE57145AAA2AF59FBB449B7629511C3A727F09E3A91082DE7845490329619C90CA4ACAF4094CFD7888A97B7FBE1F70A7EAB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1675872
Entropy (8bit):	7.454506618256521
Encrypted:	false
SSDEEP:	24576:PC51xB6B9YNgqe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+l:YK0eqkSR7Xgo4TiRPnLWvJY
MD5:	14FA88A275AB539403725314719128FA
SHA1:	2008F40C314CAE10B55206801AA1B1610F0A872F
SHA-256:	15D3823B1CB8C10E2F0A0882BC273093742E957F0E7DB05B98B8FF020897559D
SHA-512:	61CB80AD2D4D2E7AC85AADA0E97C5E9596F9AB26473EBDBB911D139BCD7E5EFA60F67B0D7EDAD98E9BBAD9C3E460082D06EBFBC045F536C786F3E98E53C28E23
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1841760
Entropy (8bit):	7.347582112627405
Encrypted:	false
SSDEEP:	24576:tEeK2NocwiN/jc41p3qp11JsqbhOUe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+i:PfYP1JsEDkSR7Xgo4TiRPnLWvJD
MD5:	B7EAC627FCC70BC9F0368BA3D63DCCFC
SHA1:	553FEDAA430E83E64650D0BEE5062D4DA2CBF07D
SHA-256:	1DC472EF534923F12EFCA5AE928CC3E8545D1E468F905E693DF88D241C614A46
SHA-512:	1556951F835F60830738084CB17639BAC7F1E9DF6592F0F4D3D66365924C0395164CA76DC8F8D8E1AE0847E316D702D96D2D6152B62B69D29ADE3681566102D7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346624
Entropy (8bit):	7.902529878602557
Encrypted:	false
SSDEEP:	6144:PuEpXDXz7yIrozs0WuNd3ojusBdgnNW6r4F53ttuGENGFdVCLEYnPO1D7YYoSyZV:59zGImAjJdcH4j3ttzFdVCLNSfHoSWCG
MD5:	49D006F81FC856B0ED3A6744396C6E82
SHA1:	9285A78391AA44520B5134F5EA46BD7FC4E01A2E
SHA-256:	FE301BD4EE2124BA25B1CE60C9BC9A7604089514C8A5CFE72F6E1AB2A17A8F1D
SHA-512:	3EB2D67DD36230C6468D2810E13EE7FCF25D84E5D099612F803C4F2AF309724FCC1896034A124DDFDA35FBB401DBC5D1030D87F4BF4F08FFDCD1682F0BA1A634
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 94%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	165976
Entropy (8bit):	6.135299341821214
Encrypted:	false
SSDEEP:	3072:zr8WDrCovkvQ4gXIRSG+7IJqC3CJyoDjpBnjkP0XGx2SYg+b/Q+y1s3:PugnGZLknnj1X62SYdb4I
MD5:	BA8EA53268BDE311893484210DB5D175
SHA1:	CED5F2D8D56A2E35FC12722ADA4B6F89D2D18987
SHA-256:	11B0A81DF6BB3DF63262042E1D7ACC55B057B44C9264B60F5F145A98E0FB966D
SHA-512:	B8708FB369CAD49A0B1A804C3D0E098CBD1E3B67A37D5249D84F95A29CD07381BEBEE5E81D6AC9E3B4125A784550DBE2292540CD8561321D70B3C5514AEF87C3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1113176
Entropy (8bit):	6.446467711397749
Encrypted:	false
SSDEEP:	24576:kTC6Rb6qu1PyC+NRLtpScpzbtT7pyOolKL8Sq/jrc5xaNIBg:k+6AqSPyC+NltpScpzbtvpJoMQSq/jrL
MD5:	7EED01A3E7667D1DC5E9A8F19C31A4D3
SHA1:	ABD806F0580C5B56BE794BFE44650D7641A6D71A
SHA-256:	31F7CDBC86FF5CBB03CB43D30F13DC8280997AB285BDACA68BE731BC82C5C1FC
SHA-512:	00949C67DA8561B33FD6D7B83FDDAB5B2340604FDA26737F9F24858A29D1DD54984B67EE4F25505477C4E30150EF62192515656EB70F4430E9B82E08358CFBE8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.590607899532191
Encrypted:	false
SSDEEP:	384:1FsS56XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:9wQGPL4vzZq2o9W7GsxBbPr
MD5:	03B5F3A18D29398CA5AC08C0A6E4E28B
SHA1:	B24E110CBFD1F93E93D2EBBF0BEF19DF3D781542
SHA-256:	FA4016E7053A36AF89B9D1D244C282FE20E25521A51B87B0F4EFFD5C5F3AB39B
SHA-512:	DB63D30A2D0BC13A4461CD64D4E91EC6BA0DB09CD5B91AFD006EBBBE2E495DA3BE7C3DB1EE3307B0E92593B7347F4D06D618C5D59FF54E2F6A2BBFE10D26DEB8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2430976
Entropy (8bit):	6.732829742769487
Encrypted:	false
SSDEEP:	49152:G1GSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxLi:s4OEtwiICvYMpfC
MD5:	C07114CD921A07869220565889C98347
SHA1:	B2DA5A46F8EC10DC03E5B18BBE5DD9C7D3A16105
SHA-256:	99A92157F6C3A36A19B114425118AF719D335B26EFB2B27882F968873B8369F1
SHA-512:	F98131F13C179957216ACBDB9EB9533ECD1B98F08DE4E580562C467439F58F63C6E22C70A7E8D145972803291E9C02C65D0A798E0748D1F271510B79535C42DB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Uninstall.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	113233
Entropy (8bit):	6.7789810493984115
Encrypted:	false
SSDEEP:	3072:zr8WDrCFCrMGEtajbefY/TU9fE9PEtuGCrK:PuFCrfEt+cYa6YCrK
MD5:	0FF71A744E70F7F7E1CE56FC4298E688
SHA1:	939DEB068D6BCB5BAB11AF96CF6040F26B5EDB8B
SHA-256:	3214538D265FB6BFB3A0620229FCD979A0225C0477F0FE0578FB443AE7EC4FDA
SHA-512:	0037311257AFC9CFC0E6C1439AFC8E9B9BC83CF19D7E9FF7D24292A37917F56CC95071ACF4909D4FD869C2FB4D596FBABB9CF97C7591DB079549A401132372DB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	451080
Entropy (8bit):	6.439169362059255
Encrypted:	false
SSDEEP:	6144:PuUvqF1Ged2RYbguEuFuTkdj+zRGa7JkjrXyPyMMWvpBVOaqahUqjAGku:UbgvuFuQdj+zRTJkX8yMhB3jhBA
MD5:	8189A6A7CC6AE9A6EA107AC91D53BBFD
SHA1:	1371FB968538F5FC8A6A738BA3D11FD409629EE4
SHA-256:	03FB6550BBA35AECCCA1FBC4F910919F150348F17A5FE5BEC2912D756DD542B1
SHA-512:	02CDF4761F703A28A027AAB659061FCFA6A943949DBBC2A17DBDCBD660B982DB7B3654A9BB6F900AEBC10C67548D6D0FE77742058DE9878D797EFCA18D51748A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	214512
Entropy (8bit):	6.488889881948425
Encrypted:	false
SSDEEP:	3072:zr8WDrCDGnUI/9FXK4+PoSZSb5qURwubvvnzdl1CkTlxAenDl3SoxceC76JNKjzc:PuDGUcsvZZvUmubv7hTHA8l3yROJyDI5
MD5:	F085722D23BDED9EB6D55AE1232725CC
SHA1:	19C09DFC582FE436B06B536DAC110E26F596FCC2
SHA-256:	60EAEFFA9F5182AAFAD9D945DC601590A92782AA102AEF9AE10E19088E7C6179
SHA-512:	5BDDCC02CB2D9B0B7270D3D1F1387F94A14047CCAC7810CEEBDE8357A7B2C4D5F79BDA3902CDA2BB5E25558D0D0FA44AFF3DD5846D45AD380FC58CAB364DDDD1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	568400
Entropy (8bit):	6.67219335276453
Encrypted:	false
SSDEEP:	12288:lyvTCXdXikLj2jR7trg6Qi3vYsKTU00vq:lyyLj8trn3wsq0vq
MD5:	B41B153CA4DFE9D557899142C6FDD767
SHA1:	D7310F560839E21A7968DA46E27231290B25A312
SHA-256:	FC1577451D4743DBE1B27A1828EA536522CF5C9CBE952A48F58345F53A85D72A
SHA-512:	8CE84911CA279CCB86E8D4398CEC16B00E9E29FDF25F766FC0792E71154B2A8FBC22CC8F69387A6F5EC5992AC264556A39C1B9AD940F2AA674538DC4F50502D6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1252432
Entropy (8bit):	6.763252873451025
Encrypted:	false
SSDEEP:	24576:d0n7Ubxk/uRvJqLGJLQ4a56duA/85RkV4l7/ZeoMOp:m4iwwGJra0uAUfkVy7/ZX
MD5:	9F7E59075683E964E4D6DF66A92AAF0B
SHA1:	60EE788C42034ECE4FDB47C325E4EC2BC9DF67AA
SHA-256:	D5759CFE49A74CAA1A6A7FA8DB17DE9D570F1BE8DA9FE75AB48E67076ECFF8E1
SHA-512:	077D5D9FE8102144D458283ED099DC5C2F51F90B0ECE7DABB0BDA66E9B97F6D12A83527067877A802C0AD46DA974C494DD5EF954AC494D0838DAC87ACF06BADD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	790096
Entropy (8bit):	6.745221507787877
Encrypted:	false
SSDEEP:	12288:bMvcR0D0B6PyxoxIlZwM+R6R4uFjs1Z7FMN0TzJqccvbXkN58AuimIh:/R0gB6axoCfyR6RLQRF/TzJqe58BimIh
MD5:	ECF5236F6653F2D0F55FB26B2ABE3D4F
SHA1:	60AC40919543275E088CE78F063DBA998964DFF7
SHA-256:	273F4F789C6DAB5593C5273845020DC3E172C98833E38729C9DA159C53AE5623
SHA-512:	06F844A46C9AE9B4588C167F809A1023DC88CE7853C61D1DE92841ADC7128C91CB0EC5B5F32E7E6E86C5B81D3161915767F98CF090AF19F6BE680FC1347255DC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	562776
Entropy (8bit):	6.433164069541556
Encrypted:	false
SSDEEP:	6144:PuJ0dzerObMhDGJ9UM3sunrXj9BMHmD1tYFLqY/W5R02qO7VKCy7KCzDSEBPj:BeqbWqB3sunrT9+aYFLq3ny7JSEBPj
MD5:	8DA8BD2BDE4B0EEAA83DD9B17289F169
SHA1:	284502E7ABD3A84AF988CC6D2F4EA87D08D027B6
SHA-256:	794C922912321E663916EBF1B11646CE10DBC0842E0FF68571770672FCFAB214
SHA-512:	63EEE0EEFC46141F7B94DA48F420326630C9182E4C9CEB44104CE7302832A7219D361F2F61D52CD83B9E1E81CAC1ED86C8C44C8CE805299ABA74A7FA81D235D9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	127512
Entropy (8bit):	6.330981765539028
Encrypted:	false
SSDEEP:	3072:zr8WDrCsPo10JOSdnvEhEyr1hg9uCRFRzsxeZ:Pusg1MOc81hmRFJs0Z
MD5:	A70C749F32B95B9C01A9919E8F96205D
SHA1:	7A43A28D2FCDBF663B4D61E969CD6160F1A444AC
SHA-256:	39C83EC2727FFCC589106D1AD4C7BE154C7752382C958252FF510A61F65E24C2
SHA-512:	1341ADCD4FEDA85A9425348310A2FA86A1D9AFA705ABFF7FCA2C39FDDFA9C3176239BB87553216743DCBB662211DB0E3C90B644A3CC8DEBE80CD38BBE7ACBAE7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299136
Entropy (8bit):	6.7881128883409
Encrypted:	false
SSDEEP:	6144:PuGXLYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:xXEbH0j4x7R6SvyCMqn
MD5:	BB745A9E59BFDC3FED3D6ACC5EB1969E
SHA1:	B569EF5567BF533C49F4C59441D1881726DEA540
SHA-256:	5C257F423AFD510D6EE9EAB80273CC673995F966932466C9AD74EB2AA613A892
SHA-512:	B43198FC36F9DECB3767E6888B632093550394DF5D5826540A0BBDAE711931F595B398CE59C5F4676C1FDA7953C0702D57CC98D3E18309DEA517C536AB63CCCD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299136
Entropy (8bit):	6.790537251287294
Encrypted:	false
SSDEEP:	6144:PuGkXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:xkXCs/YAh/elvhI7Wd
MD5:	57150329C07A1CCA1C715687BBD681A0
SHA1:	EA1805323441B728107A98C5C88EB1609116F70E
SHA-256:	AFB4A253B3CFEFB7FA8C8AAB7FE10060AF5A33C10147EDBA4501C5089F407023
SHA-512:	2BD0008D28BDBBBDB0F6A8D01121FFCF9A6AD18147110F100D1EB3CD7B93EC3481F8D0358E427F94D53F01764B246C54FC49F57CFDBAB1831672218197DFC444
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	437888
Entropy (8bit):	6.42435194722595
Encrypted:	false
SSDEEP:	12288:xXNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:hKiBLZ05jNTmJWExixM
MD5:	E96B5A5F7432CF95AC667CC32CAB7CE1
SHA1:	F5729409A0AD909360DD9938FE05681E8C98BEA7
SHA-256:	22345B680E235E582820160A73A5221A98550D7947DC1F22FE768C51788B3614
SHA-512:	BF03F48889EA86C4C39B32B32760FE57293D85C5E6A88D3695CF4D7F7AB23B3F4ED07588987619B084AFFB51A61B3C7404E2D8177A29EC4AF343FCBD66F7C560
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	343328
Entropy (8bit):	6.643174471027498
Encrypted:	false
SSDEEP:	6144:PutkTpB8HHvBjruphfgesnAhAOQp2EwckjQx+m8zhPLlZp3:GklinJruphfg26p2Ewix+m8Nln3
MD5:	C6DCB652B36FD0F69EF1C6C28C3F3D3E
SHA1:	B9FA38B704D6BDDA1E203422207E09D2FB49C216
SHA-256:	A2D68D17A3E61E41CD6E9389058D6A36036BEC91AFD4CF6A2F587FAF0CDCDD5B
SHA-512:	1B184AC17FDD6F28956F619CD772697EEA6684C70B4E74222BD75C58ACFF62C1BF66D9AFB840A9735A0BACD3792405E063701AA29C909EFB5F3B6DF5AF284FB3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	443680
Entropy (8bit):	6.396943856678141
Encrypted:	false
SSDEEP:	12288:z3gaHC2zUM2WJoROZVXk8hbodzbaw8x0Cx+wnx:zx5k8hb0Haw+x5x
MD5:	689EC8C9ABDBA5399058B31A494353E7
SHA1:	2940C3D9852341884ED269B06804C0383F9A6056
SHA-256:	B168963DD38A08EE00E540180FF0BB2480E72D6439C6F3E386BFDEACCC725F95
SHA-512:	AE28934023D46D5D36A894F31A0A2232DF9D968B20D7176BCD37058C13FE9B1BA41387CEBBE824BC6FAFF0ECB35354C1A69C585BC39A4468B713B9F458CCB107
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	203552
Entropy (8bit):	6.1311659126541285
Encrypted:	false
SSDEEP:	3072:zr8WDrC6aKavT/DvbEvK9aobNI2B+Nl4jz+b0atWH1TmFtotpcat8iKdlVST31Oa:Pu6aK2h9H/B+rEtiPC
MD5:	5C85C6CF32D2443AE5A7E4FAD8CB7CCF
SHA1:	D23CB4A5961CD7B7C4DA100EBE98E5A4CB8B2FCF
SHA-256:	4EBA2A6D96466D63B206E0760B4E9319D26B4458A8F030460DDE896AAF227682
SHA-512:	FBC3D48FCF80DBAA328DCDF326638C57CEF445A31FA269AF6D47BFC03E112BCD0143721C78F041A3D1C7AEAF44BE135484B33D170AA1EA550CFE5AB15242F694
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	149792
Entropy (8bit):	6.503976503009816
Encrypted:	false
SSDEEP:	3072:zr8WDrC/4vzT+PjZpsB+2h+EOXkMxJ7Rfp8K172YPrp:PulpsB+09zMH7cCxPd
MD5:	EAAD727FE492030433EBADE57325EA69
SHA1:	6008DE3C0DD2203E737A68ADB562A81DE1BD4349
SHA-256:	8294521F6F0C2936F76C92743BF193937619C13FC0CFCBE2DA1238605D07F79B
SHA-512:	803E85A412536591F05DC3C6065B84919B11460AD08DD8F5833E47C9FFA00E1D33DE6092658D219C819220B867CEFFFBED8BAF822E372E95CBD8D48AD9351DE7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	227104
Entropy (8bit):	6.2330769171298925
Encrypted:	false
SSDEEP:	6144:PuKWt9h8QlLISZWVRohcq7dvni3F8QrBA/:by9hdFIdRoGUxi35rBU
MD5:	19E917EB830D0429C0E2E8F64114212B
SHA1:	5351AA18D019E6ED9123460431B4B28A0187A065
SHA-256:	6133D3AF6F4C30C1337C63B71947056FB3A46E2A269EB4F2E996E53DD8E95754
SHA-512:	A5CFFE837ADAC6B05C3D4F413C9461BD368A7CAFC3142DD5472BE292F1D17FB74571BC05FC8204F0781138016D76085DB843EEFC787033984FB42546F8DF24D3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	264480
Entropy (8bit):	6.638998317491867
Encrypted:	false
SSDEEP:	6144:PumwCtJmRqyFmB6AOKmiMGwIAfx+iQ+FfFyLgG1da6edo:tw6JmRI6Bitwpx+iQafFykG1da6edo
MD5:	CC6410226CC9A5A311864C905A41F69D
SHA1:	C2E9C75DC6382238B2D7697576C5BB47A09AA1EF
SHA-256:	6118343C2990A8414501F08A6FC70E2888E8CDC193054E0410D5B5FF3EF63898
SHA-512:	DAE7626F1BFADCE4E9108CC20FBF84D5F86D1E9EBF7AA58B6386613C52718AF2C91ABFDD539F87297DBC2A5FB486619F4048FC831B96DC4AD924C61785AFA6AB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	149792
Entropy (8bit):	6.504334063798769
Encrypted:	false
SSDEEP:	3072:zr8WDrCz4qR8vSZksB+2hdqecER5AhC48S1m2YPrZ:Pu5ksB+0YlEXAe6QPt
MD5:	3782AA85B64BBBFD331D8170B86BCB0A
SHA1:	2FE109D8CDDC028910DC40DF789B90D8997B1557
SHA-256:	390F98A5B31D514641DFB13DDBCA0C071F4D8FD4F094C25859C98A672572B0C1
SHA-512:	D1DEBFF36BB931F544B48D611E0D513FFE7BA5A36650932F007B2C6198BDF8E4E1F253D0CCF24A25AF9066C5278EEEDA568EBA6FEE20B404377D4BB1A68253DF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1631792
Entropy (8bit):	7.974979800124763
Encrypted:	false
SSDEEP:	24576:TR1kyOX3l3PScicR9iK5vS8dU+0BeId7JfroHKExAuRBAHToF4rMTgZYhA5QR5sN:DkVX3lfrFfR0BecCqKBs+4o8YhAKi
MD5:	3D04EE3450C730CFDA46C28B33176F2E
SHA1:	DB5E017288EE49E5CC7486A5E4ADF2865D052451
SHA-256:	2DF36D4FB0D0CD7C14D58AD80CA0749A3D827FF6DB0C2E4D51587D9832FDC5DE
SHA-512:	8336B3A1CFAA2320BAF875950C8D83232184E8ECEA21F3B4E230BB15E2D93614B000D6458BBCB0A7D1F226764528C8E4D9A28CA826A712EFBCF9AAE4AA154A73
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1631792
Entropy (8bit):	7.974979800124763
Encrypted:	false
SSDEEP:	24576:TR1kyOX3l3PScicR9iK5vS8dU+0BeId7JfroHKExAuRBAHToF4rMTgZYhA5QR5sN:DkVX3lfrFfR0BecCqKBs+4o8YhAKi
MD5:	3D04EE3450C730CFDA46C28B33176F2E
SHA1:	DB5E017288EE49E5CC7486A5E4ADF2865D052451
SHA-256:	2DF36D4FB0D0CD7C14D58AD80CA0749A3D827FF6DB0C2E4D51587D9832FDC5DE
SHA-512:	8336B3A1CFAA2320BAF875950C8D83232184E8ECEA21F3B4E230BB15E2D93614B000D6458BBCB0A7D1F226764528C8E4D9A28CA826A712EFBCF9AAE4AA154A73
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299136
Entropy (8bit):	6.7881128883409
Encrypted:	false
SSDEEP:	6144:PuGXLYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:xXEbH0j4x7R6SvyCMqn
MD5:	BB745A9E59BFDC3FED3D6ACC5EB1969E
SHA1:	B569EF5567BF533C49F4C59441D1881726DEA540
SHA-256:	5C257F423AFD510D6EE9EAB80273CC673995F966932466C9AD74EB2AA613A892
SHA-512:	B43198FC36F9DECB3767E6888B632093550394DF5D5826540A0BBDAE711931F595B398CE59C5F4676C1FDA7953C0702D57CC98D3E18309DEA517C536AB63CCCD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	135808
Entropy (8bit):	6.38873877226639
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCGrmKJGyeVK7qjh3rmKPNbS7cZPxyqPEoCW/ids8nBs+s8nK:zr8WDrCGqzyutjZqMNbSgxbFrj8m
MD5:	3DFB05D09AB50A01B467398603BEADB5
SHA1:	D8A8AD789717B3E83608AE510FBFF096861DC271
SHA-256:	A4844081CA91828B55104253A954E3B073D6E762D66A4EFA8F22AF9C4D995833
SHA-512:	D6FD943FA97432F80CD81621D5186D7D6CB8F7622604278BE31CFEEBF98A46A9007E3C71F6E392B9B41563CA5BC6BD9B86AAA3D6A4CF1B148179D7692F7A9A99
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299136
Entropy (8bit):	6.790537251287294
Encrypted:	false
SSDEEP:	6144:PuGkXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:xkXCs/YAh/elvhI7Wd
MD5:	57150329C07A1CCA1C715687BBD681A0
SHA1:	EA1805323441B728107A98C5C88EB1609116F70E
SHA-256:	AFB4A253B3CFEFB7FA8C8AAB7FE10060AF5A33C10147EDBA4501C5089F407023
SHA-512:	2BD0008D28BDBBBDB0F6A8D01121FFCF9A6AD18147110F100D1EB3CD7B93EC3481F8D0358E427F94D53F01764B246C54FC49F57CFDBAB1831672218197DFC444
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	437888
Entropy (8bit):	6.42435194722595
Encrypted:	false
SSDEEP:	12288:xXNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:hKiBLZ05jNTmJWExixM
MD5:	E96B5A5F7432CF95AC667CC32CAB7CE1
SHA1:	F5729409A0AD909360DD9938FE05681E8C98BEA7
SHA-256:	22345B680E235E582820160A73A5221A98550D7947DC1F22FE768C51788B3614
SHA-512:	BF03F48889EA86C4C39B32B32760FE57293D85C5E6A88D3695CF4D7F7AB23B3F4ED07588987619B084AFFB51A61B3C7404E2D8177A29EC4AF343FCBD66F7C560
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	163456
Entropy (8bit):	6.2758220261788
Encrypted:	false
SSDEEP:	3072:zr8WDrCm446dewltB2mNd/HOrveW1dexk834fRZ5Nyc:Pum446d7T/H4X
MD5:	51117D59430CF4C0EA72319AD8930BED
SHA1:	0A7AB6E54B1F62D9FEE7F48A594AFD0E3F7ED846
SHA-256:	CE688EDA6A1F081C10E862422F2C13F24797F21D2DA248E85C0CC81D96BF3010
SHA-512:	E05E6DA3D9728F5E04F5F4D2BF9B875BEA8CCD287BA207B2469D83F49BB6AA759C608B29A107D33BF8460F71840EADAB34CB1924DA3EE8F9E5DE741FB45045BF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	127104
Entropy (8bit):	6.059161475634893
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCds8nBs5s8nBskEsz2zy77hPxIAbBsnzA3QDkrDW8Kq5ns8w:zr8WDrCwUkEsqzy7pxI8BszFJqkb
MD5:	EF3C7B1D99C49F679F1DE40119454E82
SHA1:	E3869B9D17411A1DFB49630E8E9D0A379CCA1599
SHA-256:	4ECF5FCDD95ABA50DF6137D45EDB89467D33A31347525B422AA2A9B36809233B
SHA-512:	71D00F7B07E909CE5C54FBD85DDAAC2752B6B2AE2ED76EDADB4AA07AB1F7BDF25ECD77CB1742EEBAFBFA98087A4582879D4A2D277965D3D39F9E6ADEBA9170F5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	223360
Entropy (8bit):	6.084515656741608
Encrypted:	false
SSDEEP:	3072:zr8WDrC+ySSyyXC2BZC5vHa2L8jv+UII6qS2AroAxYN35gwxcPXtxdTsVcCXFzlb:PuuSyMZOy406qS2AroAxnw6f9JCXN1
MD5:	278E935C540125EB737FF60459E06954
SHA1:	3F2F868109AB1BE159D75FE1FCB78D5AB0F39A29
SHA-256:	7DD8239708026320DC7B738BF5B1F90117475EBF88BE8DA06B99E6A3E860596F
SHA-512:	21E3181E34FCC0D304F5A8EEFA0B92B676DF815BE984792D034FEB61E3189D73020AD5B6D82A5DF2434CD97AB2D1F48AD223B7007695F0673A2ECA8803D2C825
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	203264
Entropy (8bit):	6.625450286768847
Encrypted:	false
SSDEEP:	3072:zr8WDrC6wl0hzyfN7T34oshWGrAUdaz2w9Lf0M/RHym:Pu3iFIf34hcUsz225/
MD5:	241380ED43DD374CF6415E50B83CD0BD
SHA1:	5F4F79F4DBEB1201DFC3D3A83BB1D5400D11F045
SHA-256:	D3CA30B886E1F07EC6AC3989C091EBD5E97F1196D9BD554A2546EF3B4DF61EA4
SHA-512:	D4BF86E17996171B67900847372EFECDC41E7F87621F831FD882E8DEAE49F5A45B218E375AE2347E862C438C11906E2CC67E062A0BC2D1265C968789FA8F68E4
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	209912
Entropy (8bit):	6.335658991643739
Encrypted:	false
SSDEEP:	3072:zr8WDrCUfSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:PuUfSoD7q/fji2SUKz7VHwmmtj
MD5:	0DB388DA73178AB846638C787D1DD91E
SHA1:	64D79EC424EF95DE05D484C3BDC446642552879B
SHA-256:	E71DDCCD4996D121D5C7901A367E024266727C4C713635A25B74EB0C132CD59F
SHA-512:	94288DB9B2615FDA0BD27A46EEDBDB3F8FE3E8C2B2985D2B69244B47A7369AD5F357D060DE52FD4C5E9746CF7A3343417A77476A153F49058D8F8C2E61EBFB11
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	209912
Entropy (8bit):	6.335658991643739
Encrypted:	false
SSDEEP:	3072:zr8WDrCUfSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:PuUfSoD7q/fji2SUKz7VHwmmtj
MD5:	0DB388DA73178AB846638C787D1DD91E
SHA1:	64D79EC424EF95DE05D484C3BDC446642552879B
SHA-256:	E71DDCCD4996D121D5C7901A367E024266727C4C713635A25B74EB0C132CD59F
SHA-512:	94288DB9B2615FDA0BD27A46EEDBDB3F8FE3E8C2B2985D2B69244B47A7369AD5F357D060DE52FD4C5E9746CF7A3343417A77476A153F49058D8F8C2E61EBFB11
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	264144
Entropy (8bit):	5.859978790158535
Encrypted:	false
SSDEEP:	3072:zr8WDrC2PEGT3EB2e1aWGNU6ITL85x0HRerzJ0YF6OYLy0PPDq29BA+7891:Pu2PEC0QjWGNU6ITL1H0zvjkBA+7891
MD5:	B2A0013F6770F98CD5D22419C506CD32
SHA1:	D1B9E2EBBE6255A386AFE69A9523B7D2BE1E05EA
SHA-256:	87C62BFBF6609662EE24C1B9FD1AB2CF261F68E5F1402CB7E2F6755023A29841
SHA-512:	3302A6D3AB1DC7CB725F4E0DA1A82ECEC7207C7CDF2050410625AFF4E51C17B3A38DB8630ED34E111344C66BC603C3939A46E52A3EE6E1EF282DB1E93E61036F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	430680
Entropy (8bit):	6.625803592345581
Encrypted:	false
SSDEEP:	6144:Puvmmt0fSoD7ZAOhPiURg/4KAaxZTTlvIfaUcuI4hWxBP9SGO0zyqEL:Pmt0LDdOUO42ZdocuI4kxBgGONqEL
MD5:	2463BF0CFD3790EACDB9BFCCA012D2D2
SHA1:	B3EAED3711C1A369A3359BD6ECEF26DDB824B9D2
SHA-256:	FD879B6629EBDFB190FAB80B29DEA52997A75FC44845749552815DA18EA07532
SHA-512:	494FAECC19D7B59548E04CA1CDDE618B9636ED3FC159D526ECC9E4F05DBDF0A96F3C0ABECD4B90BCC1ED7ACA57A9E38400CDCF06C19936D3407D3D5A10B9CC6B
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4473576
Entropy (8bit):	6.5697251244545924
Encrypted:	false
SSDEEP:	98304:9kkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:9kkCqaE68eV+0y8E6L1
MD5:	A0E84CEDA4163F189BE5349FD432B1CB
SHA1:	204335080CD8BA8D46E52DFB29F1461D7BF84CA1
SHA-256:	9A8C97840B4745ABA6BE44CAE7DE9EC0E7960AE31E52DFDE4ACCB1C24B6C4DA7
SHA-512:	BE941C507F9A607087E96CDBA94358F4882BA231CC08E6AAE8480301A5FF82940630134F9DB780B9527F43DD83ABE5D4868759854D2517A6D6A87A26903FCC9F
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4316096
Entropy (8bit):	3.9254629343592016
Encrypted:	false
SSDEEP:	98304:jPNLniBaEJhRELqS/rhwov59SRZ5Vb9sybbsK+0rnsQ:TNLniBPJhRELqS/rhb59SRZ5Vb9sybb9
MD5:	AB9C308CB62C689AEC4171AF74B99607
SHA1:	2AFBE3B52505B17653C30E8C51A8A434BB83433D
SHA-256:	5B23BCB1EB5124A1FA7160014A7BE5A546CAFE00AE7FFFCFB19C237552281499
SHA-512:	688D62C8CC8B7E699D379FE5FDA6DC808787E11C369C5CBDFA3559E2B61B607C0AF252232775BA04C2AD082C21DBA2224E6C34E131381EDD52EF0C2539C70484
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	94600
Entropy (8bit):	6.430762305801649
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCuELjOzHKd1XI/etzCJQx0cxnIO/IOmOe:zr8WDrCuE/OTKXI/etG8ICILJ
MD5:	29065F4177E1DFFC20CF409E15644D07
SHA1:	2A506101526624DF3C693E3F9501E7FD0332A5F3
SHA-256:	A572BFF875EA91F7324C87C4966ED38AE29C87A3B999E9EEDCF82730921F1AEA
SHA-512:	611B4D7DF2C4D2B37E6C152B0416A047166B78C999B1C7A6B39D11FE73CB80BA55F4822B9503642CB289730D90A608FA08DC909A845F77A8A13C967689A3C00B
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	101496
Entropy (8bit):	6.2393274170193935
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCcvpz3ktxGvpzvy5ZWGalHFmMTK0KRTS8bOzc:zr8WDrCKToATzvmN0KRm8bOzc
MD5:	16918B2CAE1E6169BB9725597CB7383D
SHA1:	F7539B44190222E9917B3D404A1BBAE7D32D9925
SHA-256:	CB2DFD05D0EFDBEE9DA0E844020762C3124C9BDEEE868534F5E6A383FE312DD1
SHA-512:	A4DF06513B73244A4F04B1F9F38DABB1045B7D4539B0E3D7AE88304EB0554BCC7F38A4B93CDA67C538D49242AA7F3B0524A39B395DBA74E372A754DFB26E803D
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	455760
Entropy (8bit):	5.892284558826893
Encrypted:	false
SSDEEP:	6144:Pu5wACThwS0vn9IdRsLGEJTdPA6lDfZNAB:SwACThwSSn2dRANtlF
MD5:	05627379496A3CA82D7F01103B8CF512
SHA1:	67B52E3ABD0ECB3477F4690F34A7D3C33DF89597
SHA-256:	7D2DE91B25C659B067F5FCEF656BC329E7DDB9F42D5FAE1FCF3FED4592BE2146
SHA-512:	A1C1AC254E15EC0A7A741E6CE3562AC8D16245AB1CB0C0971B59F9A8D3165234081DA50EC9D63ACCC49563F403F86ACC44256F18CBEF759B607777DAAF003F98
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	225704
Entropy (8bit):	6.245888252421863
Encrypted:	false
SSDEEP:	3072:zr8WDrCNLqB8edYkIrv6TXRw9xwqazULDjkAJZo0RAjUIqXfkRC:PuRjilq8OPwRzso6AQ5yC
MD5:	58FCC2021F6669D332B12379F34E6ABA
SHA1:	C261CF77942748482EA6423B2816071BAC404855
SHA-256:	099D81B808C4A1507092974E4C79187470FC4D5BC1049DE99B7D87D68FFD8A8D
SHA-512:	2637E583059CA760EACB66649519751191FC96FD3589DE8E17D0AC73C957D9256A50105D03727D19A1193DFB61FF1450AD65DEEA8692EF2D947051D85062E8C1
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	84928
Entropy (8bit):	6.484542699354416
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCh67wZClMML07MiapFmPRHyzMwzobtM+zf:zr8WDrCh67wZClMMQ7MiawHyzMwsL
MD5:	6E3355F8734F6DA5FAC15DF47A197B0F
SHA1:	C933D5E414F6594D61E56FEC641373E33AD3C3ED
SHA-256:	052C62D09235DDD70A3C52C7071D20711F2D4F1F7F653AEA54FB023EC2626B12
SHA-512:	1B108643E2DF6476B167E233B7A3E249A2BCB89006B3C87FEEB90FC96214B52E0BC466C010AE03ED6BECF18864F96B0D5EED6F4720A1CDA70829B4631D3917FD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83816
Entropy (8bit):	6.536836051910162
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrC+0s7wZClMML072apFmPcnGzLHyxz5pOEtmwxz5E:zr8WDrC+t7wZClMMQ72ahnGzextQyxtE
MD5:	D713C72B72F2554BC5F57573AD79C596
SHA1:	82F518A57C167F1CFE80D7D43ED28084C2D57933
SHA-256:	22CC2A1543DC27CC8F1925ACB173E34141C4FF9E1A012C572E932BB6FD91B4C1
SHA-512:	D0DCB842E46D1F372DBFF6CF1D3DEF6BA5461770400DE2BB7DFD9CB0DB35E80DC721C779E2CF8F852BA9B9EA9E5937D6C4DA31989D399107B6075C6771928486
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	233832
Entropy (8bit):	6.440520521123031
Encrypted:	false
SSDEEP:	3072:zr8WDrCqW32GhNvMQ/58sl2U2Gszlz4SNBZCgMWku:Puf2GhN0lsdspzPgg1
MD5:	605C2C89F9F2A47F991EF737877F2FB6
SHA1:	14E316AFBCA1D6590C6105B7BF76A72339C3ADEF
SHA-256:	E96F113D251169D2B4DB5F51BFBF5F20609702F7B0BEA5FEA55CD4DF71A70682
SHA-512:	506E962224D44478E14FDA6A093E861E225745E36A3B32B7BC98E337F1B492A3664AD84497ECBFB427A967D3CA0390CED92D11FD9E8EF3D7887D2D9415243D5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	502632
Entropy (8bit):	6.717621615137878
Encrypted:	false
SSDEEP:	6144:PuyWDxGH79J2VX5gEpvm7JA8I6BHAlSpFG/+Ls3ze30xB7zq2zs:0MxCvm7JK6JAB/6N30xpI
MD5:	A18560DD287C61996F6C3498FF2B6F8F
SHA1:	B81EF528445CCE2BA94A933385FAF56DA526CC25
SHA-256:	551C24CB52C55EB77300FAE5F77A9EE565848DA83A5CEBC4587C5912C94C0A92
SHA-512:	2B94CA43D2F41EE88A81121889DBCFF7B014622FFA2B3048DB7CCA1C6FB7CB3D18CCCB9F4791002E166040A658FA317E42B520D44929973E034B56B7ED9C62C9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	352704
Entropy (8bit):	6.382223038880705
Encrypted:	false
SSDEEP:	6144:PuoEshacHeGXduZtZ9zHVcI3uv7FgR3FTzWQ/ZZyp1:6sHHrtuZtPvh3FuQ/jyp1
MD5:	E517FFDADC37CBB8E4DF9D8C4595BAEB
SHA1:	CAC4F749D83EFAE571B6A581F0579F5EF0F5CFA1
SHA-256:	6B837B2B22A40521E234CE3B11A961C631927951B443DD47EF5E37E54390D907
SHA-512:	500B9C4AABEDAA1D430AE07651C65CABB226B482426960307F457B665686FB846C740B7F26EDE1C4607D8F294467547DAB8590E3C017EDDE4855F3C4934914F7
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4395184
Entropy (8bit):	5.936769631564012
Encrypted:	false
SSDEEP:	98304:eXuo5RMru45b5dZlAj0sqW7YDKMzVwgBWMTwLe7G:gR345NRAgsr7QH6h93
MD5:	79B2B70DAC7CA2C9EB315575E068755C
SHA1:	CF384F4ED6E51DC0C61853DF080F4CB38738FEA5
SHA-256:	76E95029FD569C640C864AF19AE98DFA5DEA2C6162B0BDA0137EB283A3DFA496
SHA-512:	4EEE60388342062701C05C633C1820E8A46836DFAEAEB5EEEBFC4B4104885D3A9219DFDD7012B815F66A45DF6BBE8C3EC9C1AC27E7EE56B1EFE08A6D9149DD8E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	603928
Entropy (8bit):	6.5283708663431606
Encrypted:	false
SSDEEP:	12288:/zKRgqBDxoiPCLXHLuk/Wg4Reh2mbeF+IGboJdx:rKgMxoiPoXruPi/++IvJdx
MD5:	C05D4CEB93DF5A97C92332C30BFBBEFE
SHA1:	756FE7D0F337C9434F289D4210C1FDD8AEFE3D5D
SHA-256:	C896D6442442C7A1254A64A9C1934CCD4D26A2776E8B89231F22B0E09D086A40
SHA-512:	06ED302B61C0DA6C490ADFB097A25F4C6F9D03085828CDEAE8A7AEB69769B3A41149A7645C9D198BEF862B18047B99606B5891064A0BD09C36178AFB3017EC7A
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	507024
Entropy (8bit):	6.142966147544941
Encrypted:	false
SSDEEP:	6144:Pu3yrmBq0RYSv3A5DhW15yChMFt2XTNJWLgCWzzYhPRt+:BrmBjYuALWJMn2XTmL7hPH+
MD5:	28AD0BC8CBF0F937FA0793A069EEE72C
SHA1:	190CEF5090018E9BE02DCB8D80193323449BD938
SHA-256:	2A9FBCE0BF953A54CFA2124AE4E699B981D4CB9485543F40B28CD952C65D8744
SHA-512:	478EFDF0D097B6977495FFBA953D7494FD72E98DFBFF4C70808378F2EE3FD90C79722E70698081E20540242FA005DF756857BE18BDA3EBEE5BE952BBC61A3254
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	251560
Entropy (8bit):	6.617081143188022
Encrypted:	false
SSDEEP:	6144:PuDomAAOwPcPIqk4Vsvt0uews+qZP9zOPBxGiryKI:0sAETlVsKzZPixGBKI
MD5:	6ED3FDB228C401F308ADA52D82C6A2AC
SHA1:	D5AFF2386B2708D10F68515D0D010E83CABA20E6
SHA-256:	D5A201D9C7373DD91395EA5B24985E9984F3ADA0CBAD869248EC975B80707184
SHA-512:	5431E81924400874EA1173F02B2404BB7C43E8BC158E092C43F4FA071810472E845AC76DEB7716A265A79F357BB07106D2574E3E6F5D2448761BE74F8A694493
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	751720
Entropy (8bit):	6.630099780481392
Encrypted:	false
SSDEEP:	12288:vdI8PdgELg6eaBlnjlZcTerWv+xdeFhvCs9TukINOW:va8PWELTBlZ+erw+xdeFUsUkEh
MD5:	7503967B649C070ECF4324AD7B82C67D
SHA1:	BA5AA539F9AFF806A5B83417290BF1251D24490A
SHA-256:	2C336BF005CD201043984D768114341FB8B0E8C626A11465A60DF854EF0B2984
SHA-512:	EEABBA2E510054D3A93E9EAE0563CAF46474757E9AD72F79D2D254C783345067D6D0FB46E85A631030A0242789FA3F3B918EDECC8DCC953EDF0283447C19565B
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	161968
Entropy (8bit):	6.521602439211849
Encrypted:	false
SSDEEP:	3072:zr8WDrCmNDS5lSkjITI1FeBT77NDS5lS3j+Wzy6oUSA7hZ:PumNDS5lSyFeBTfNDS5lS7zUrsZ
MD5:	B3E7C226A4A331C7E684E40A5EA2F167
SHA1:	A2DAF5332D21746897EEC7B131374026FC0A6F4E
SHA-256:	8D819080F7EF8DCD45E539C64026D93F09C51C80DBC86BE86843D09A6B5FAFA5
SHA-512:	2D2DE9E732D6E63BFB666BA7B80F6A36BF85FC56E43F6064C62BCC557D1372F29C97510304201BC3AEBF6B6FF821F3226BFFA11457D868D5430566CE260499D5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	159560
Entropy (8bit):	6.570907498262082
Encrypted:	false
SSDEEP:	3072:zr8WDrCGklWPsom9TiWWWWWWWQM+FtWAzhIwaeENinkf8xw3xUFv2tGPrtPmF:Pukb5zPaNQnBxw34Oita
MD5:	C59DC4806618B251A7D2DF183DC2F424
SHA1:	F1DC673B63BAA54B719167BAFDB33FF6C31BA67C
SHA-256:	A4817EA9A097D7F66D25BE68972A63E0C5BA7B6FF75FEA4A962C848CAFAB35B8
SHA-512:	71E9945E2E097640D4143198C13C5DBEC8340F8278306A34E017C3DE4A9BD0E88FB2C8DCF3A074935ACA32F329C440760980D1E8D47612F77958B108AE5581D0
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2233240
Entropy (8bit):	6.296579565439519
Encrypted:	false
SSDEEP:	24576:HDZgOA74U4o//sbtwvZTqFDk9sg71SmY90gh/G7QJoma+9duNGeVG29H:jqHVhTr5UmY90sGE5dIDG29H
MD5:	F1DE18FEED22A8E7630AEC79D099A8D4
SHA1:	7F500779BD5900802BE6378DDC6914D865823614
SHA-256:	34A7FBF7E86EED217C78BEB3D623DA57628EBFA8C5BC9EE2565BDAA51538A696
SHA-512:	C1EF91874D23626BAD6BB799ED2F1ED238429FA147F5EAEB955EDC51CAAD7F6325CEB6C554E3D15D598E4A54C77EF077D903FCC3DA093F0375765E68E6B40A75
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	214432
Entropy (8bit):	5.989123271366133
Encrypted:	false
SSDEEP:	3072:zr8WDrCeVFptXofXXXXXXuh9gLzltw6Q1hqOJHrtTh:PuytXofXXXXXXASLzb9uhqK
MD5:	9F2A347123D639951FEE07457AAF9843
SHA1:	7519B79067F897D426E58DB4904F02ACEF2593A8
SHA-256:	C3AA5CFB1C2128BDD9A182170F993EA252CC57A69F2568B9BE61107AFD5CB512
SHA-512:	0402D3741F1C4A22835C59CD5A944D7762C0568E836CBDE8BC7BC389C7CF784D0A0C9F8A03B44A4241F6CE2545334222046B847A2B56AD5E4E182C959AA0A090
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	620840
Entropy (8bit):	6.5831228635669286
Encrypted:	false
SSDEEP:	12288:moBdI/BUQtsfBCegl2eccL1q/xRyye7BfcwqEhDe:moM/BB0Bml2m1q/xRPCcwFC
MD5:	6892F37A015DB48C0CA5FA54DF6D7CB2
SHA1:	65B2ABD3F0868D94F913387DD198336E9EAA2B57
SHA-256:	9E7D2DCF0E2B775911356828FCD8A6DC3217031ED3E746D31DE5855238D7289B
SHA-512:	6A7222CECE8289A43290E90F118CFD452F81023420491933FEDEA439D3D6AB7FF7488F41FE99F339B51A775AA27F1A717FBBAF08FCF29DDECE0CCA459139BC6E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1568248
Entropy (8bit):	5.675085165215227
Encrypted:	false
SSDEEP:	12288:uwF+k53zCG2tIuQ6DtJQSZDhLOhkZzV5i9w/lmd+jrcUiACW:rFXG6uQ6D9L2uV50AlmsjYUiAB
MD5:	F2FEC0ED0FCF36092C073FC597FD1C55
SHA1:	42C48161899442B2DB934156B56F971ABF1E2038
SHA-256:	9A3AEEE8B7D73C4F99C36B0039840B748F0AC01B9A4A3C4B5FA2B092636C0B88
SHA-512:	A7FBA18577A07B30F7E1417B318A5904CA355F2D126A8120E22466B4FA9D028E24E03B79D661D361B6DD38DFABA1A5096634E0E36E63A7D27C396D3625A22FA0
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	634800
Entropy (8bit):	6.707249248874713
Encrypted:	false
SSDEEP:	12288:ff/4sOdw+RfEB6tuAlnWhGZco6ijmn5jFTSt7yCPUkazi7JThVoSZeR6aQTJ:X/4Vdw+Ra6V6g2kazidN6SoEVF
MD5:	566DCF1D1A91B81E2353CAD864F7C959
SHA1:	A8A04AD99971D86C04C154B62AB309DD114FDC3E
SHA-256:	B1C16EA839550EAE959FDECA318372B0FE11613F581445BB4CFB0AEA77D0FADC
SHA-512:	3D233B07750A27792370E553B03A9479390A589942FAE8A0447A2CA08C27EFC719DFC4BF51051531C605F7E247430471F38C2FB2F603C4299494136EFF0C8A82
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	748192
Entropy (8bit):	6.7117628320084215
Encrypted:	false
SSDEEP:	12288:mKxLM1deLycUTc1kZi7zb1QRHhhj7WGvF5PYcdTFtZ3G97aSDGGHrbTwqFwydBf6:myY14evTc1kZi7zb1KHL8vbTlwOBC
MD5:	A51DD395B5FF4E05F08B338BBDFAF609
SHA1:	660F1465BB464AEC6C3E6D7D1D3336DB6D5D9CF3
SHA-256:	EB23B91782FCFEB4CE7032F285E6DA040C68000CA460A7FBBE161978125EC349
SHA-512:	2370CAA42CB55AE3414ED2CC5ED8AD47BB077A581055891836C74A237FE467960AFDB78DC21B0B9461D6FAA1E27EF6F584886113D5D6CDD188B41266E47D54B5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1917048
Entropy (8bit):	3.839578576312592
Encrypted:	false
SSDEEP:	6144:PuoBeXsm81c57ZXFzY5Ucyw4TapP25xxlq4cUcMeTOMzwMwZ:TKs78A5UcyOPexxPcUcMeyvZ
MD5:	451A02B8E292FBD664B654C28C31F8B9
SHA1:	7FFA3FE4C28716A3BC2D80779BDD7F23C54F5327
SHA-256:	0C7DECF13C25A15488EF9E271A1181BBE8A36A183250997ABB1BD21D7BF097F4
SHA-512:	DB59EEFBEFD8734F2B80E314B0F4DE21EBDAA23042226FDEE4671B04A7292F0ABFD6A8E20BDFF977C39EA6FDE37FA02BE69EB2342D65A335E53748314374CDE2
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4099520
Entropy (8bit):	3.7214924488610253
Encrypted:	false
SSDEEP:	12288:jyKs7cvZIFpCYVIUN2mGsb8HtkLaHLH04cLbUBRjLmP29DyZbT9oc/m06aCzE6hE:jyKsY+dy0ZScIBqBT11S0
MD5:	2D199B2128DB10FAB5D5B9E42012C0C3
SHA1:	B62D19530CE4FE15B51617B1E3A2B7049BFB0A6F
SHA-256:	A121D7A3A63D19B05BE33BA7C2391F206E47681FA284E7CA291A5431661B67FB
SHA-512:	022EF54CDCF41E1C8FF0511D9E5AF928394213321571B1C9BF1E6B3AA1D5FB1E29061E5C191B7669F7E2A739B9746312C091D7DDD7F8882145F09FD8B346F4B3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	452120
Entropy (8bit):	6.064959023307563
Encrypted:	false
SSDEEP:	6144:Pu7vhCpFviM0OKAOVf3m+2fCz29fx8/eAeTu:CEpFVKj3mFn9q
MD5:	34D25D2E6B58568411FAD456684772FD
SHA1:	5D9146208EBD9CD2AB1A7B83D90A60205AA2EE9E
SHA-256:	1273B781FF6EE61A3C58A43AF145B03E36274A6B16297BB8A2E13164349242B2
SHA-512:	87DCB3986A415E45C274F2855EB7DA68AA3C36D7A71AC77DAE3E027018003D47BC330B2587AEE4DF7F62BEAE7B4ABB0BA5F0A672D8E0DA23CB6B066AF75BA234
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	116664
Entropy (8bit):	6.585821757768255
Encrypted:	false
SSDEEP:	3072:zr8WDrCtuGaz7jFQ68ICP5q0WISDr34W+wst:PutRazrA5q0WISDrZS
MD5:	40A8D5EE6521EA8FC13C48C47C9B57B6
SHA1:	5FB8A2379097B79DBB9B165F7C487D20DC1625F2
SHA-256:	AC909FA0CFE8E16CB2A414A4B0F0B44E0D10085ECAE1D9F53A8C202DC054154C
SHA-512:	333184A3A961A38C6F09B279B7BF1A31FA4FBB0405CD4D39075A52554ECB8A1C23454D02CA63698327C70C5AE1C32340561C0C6F33A88ABDEF544F65AD42F35E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	167392
Entropy (8bit):	6.5469411407981974
Encrypted:	false
SSDEEP:	3072:zr8WDrCcWKZbTKeR3Tzp+8IxR8jYYrjHaVLIPSL1CgNX:PucWK11Rp+8II5SLUgp
MD5:	67496215F23C3D121C3716927553975E
SHA1:	3FB19B3855F6FEDCFCEAE694DC5C28683E3653F4
SHA-256:	D0C2DF02E3DED17200DC56B693F52B47E7D960D05C6B6B5F7716997419303ECB
SHA-512:	0EB0D378F109604C568C732A197D9412A65221A4AD36889873EA3652D5D0382D40C9D5B38BD51F501E4BD55BFE2A326AE4D06F485D3129C9A2AC1C11CAFC0567
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	670928
Entropy (8bit):	6.023912988523441
Encrypted:	false
SSDEEP:	12288:+wbRB+ZRhFfGNpzX5PtiPWRnTLtx5eq4/RnYRoS2Ds+2EYR1XLlShtg7ksyST2Rz:+wbT+ZR3fGrzX5PtiPWRnTLtx5eq4/R9
MD5:	2B5B1A87C47D9C38BFA8D1F52BACF31E
SHA1:	A995A7645E47DE7EE659286613BAA71B531BB7AD
SHA-256:	2AF58E681F49488E146E626D3D94F366C5A58D0B78729D491D2688D214264A4D
SHA-512:	78F8F078E2924E7CD977F068533E98AB80AC8DBA11960BC2A5D9AB4ADC93A0A72D62A9F2D920EDA5F1D5E4C18085E6171AA9AF075C3872AFCC06B06077EF1A96
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	115920
Entropy (8bit):	6.214080793399046
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCiwyK75Rp1Ukkz2zct/rzdaBotnMuvWM6TUaE:zr8WDrCiwyK1Fiz2ir+o5vWM6TUaE
MD5:	851430DBF73C5925ED0C0AB46B4704FF
SHA1:	794C0FF390BE93A23BF28DDBE9DD26B81604BF5E
SHA-256:	F6F47F6D0027988B9DD6171C72257050C195ABDA9CE45346C01D000AD35998B1
SHA-512:	A8A081DFEB1D4491392013A1C14F95A40AB8DEF526294DD47B5F289ECC5C232D7437E4E0AA0E21A817F049F5FCD9EC7859E8A32FECE58749F89A34F6FCF83882
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	137776
Entropy (8bit):	6.525052332322423
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrC1LS+I1HtQdiHN4zbyezltnzGd1XuDxhkrTJwNZ5wmW1aHba:zr8WDrC2Mi+zWeXdswvqiHm
MD5:	27361BE6CB3788839CD6DF5A0A636A6E
SHA1:	A8D3D9E774B7D76F00D10AB28DE26BBCCBC676DB
SHA-256:	A92037FDB4FE25E454D66D24177DD12FE89FAA6F11D0CEEADC687EF824CC3DE1
SHA-512:	3E8E821A4419C45FFA5F15AE574673684B25BDF310D48ED143D2EE6DE19F32F75C7DA0B9AFAFD3C4B27136E0C8632C092E365101E31E559AF731802D38B180F9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1206680
Entropy (8bit):	4.882283973567494
Encrypted:	false
SSDEEP:	12288:Y61ZFViRpx5tuwZl4asd/arEISgX0IkEMhTy:Y61jViRTfVINdCr6gX0hEl
MD5:	F0692573BEC940B10989FB076CF592CF
SHA1:	767783B45CB33834116997839FD3FE8CC197A906
SHA-256:	5ACCAE35532575F704C11E35DE05F5EC6C3A30D56AF91C2D22510157FC131607
SHA-512:	8F0F2881459C49C2F4F2A2E74D463871C157610ACF4FDBBE48FBD14B1798FEE8820822B4A5ED32F7FE871429E91A94859EAA7FD2798062723E594CDBA1364644
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	400336
Entropy (8bit):	6.659452867927771
Encrypted:	false
SSDEEP:	12288:w1rOCPapfd5bhooUBuFiExw/LXa20Dj6EzfJ:8rfIbbhooUBu3wzXa/Dj64
MD5:	3F124E3F206A45B5250F2C1F482B2352
SHA1:	2F23D83DC65BDEE9E726FB20052F01AA53D693F0
SHA-256:	D9D8BDCD8F5BBC87F755DBD7D8D0C7EF52C98A0E3539C8D27C08D3C45888C2C0
SHA-512:	C186E181EEAB666FA4E97FA5B750394421832221B5DF740BA6985AE8EBC49EF67969FD6F429C8F6094CC94EC548CBB3E10A473EE8A2FD52FA00110B6DA44B214
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1662344
Entropy (8bit):	4.281575468495792
Encrypted:	false
SSDEEP:	3072:zr8WDrCPK2OKsuWoZEsVK2OKsuWoZEckAQckAIDpAPfKrss1yyKrss1yAZDvYbNs:PulztkAzkAZqrEdrEAZUCwFjNNYEzcL
MD5:	0861465FD197D10AC5A8C37CE7B6AA62
SHA1:	2D76D722FD6806A45ABB733FD1E54288DFD3A05C
SHA-256:	7812FB1CD726D81ACC193605C5C9EEDF84FCB4A3A912FD5B9012A1A0DD27D5A2
SHA-512:	C019C0EB50A41C009E5878FA4AD38EDA155F79573C9755F2E334BAB3D75B480BB2C20988A560C1CAEAD8198A1AD60A0A4FECC74EEC2EE016CC37D2300B72BBFD
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3531712
Entropy (8bit):	3.7839855914258114
Encrypted:	false
SSDEEP:	6144:Pu/gSRJQYKV++VYwjatvsDVpDsehRAKzYM:yQYZTWbDj5
MD5:	ACFE1EB24D010D197779C47023305858
SHA1:	5EF31BA99319ED468EC9DCB8BF43C888B5A8B48F
SHA-256:	D937B616BB6403C2D0AA39C3BDEFC7A07023C18B2FE1F4AFBB9400AFF2CBEB1F
SHA-512:	048FEEE926AD593265180CE8E07858E28BDB2876A6A41250B9AEDA024429CA89D9A17C1C7FFA2ED73E0349B3F681A92F22730CEE69F411D3698FD5557A5CD027
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83880
Entropy (8bit):	6.544402115664437
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCSKfEBr3fHT4nAzHGkYJ+ziw6+zb:zr8WDrCSPh3IAzHGEJn
MD5:	9A1EAF11C3B1BEE44C0D97E873DB00C9
SHA1:	BD3A58C465171616D344DA00D97D5D49D4097FDC
SHA-256:	A1C8367E088D3CC9FD2D7428A2A220AA76E64096155932A6622023DE677CF804
SHA-512:	6A4A27DFF5939A527C9BE720FDEB7F65558D1A948AF175CD3244E87D9EFCA085B6A51D93E09D5178F05B29DC1334644E9532066C5A47F5C65BC60D27509C14D2
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4319112
Entropy (8bit):	3.816408890865793
Encrypted:	false
SSDEEP:	6144:PuXUh82lTMY/C3uuQyMyquNlBXYJ7M444IB:okyIgG47B
MD5:	0DF102A9ED5DDD0C490485998934BED6
SHA1:	B973807A3692668055A35A29C53C7F38669C8856
SHA-256:	9B42DD935106C8B407E7C607D3CD0AF533DFA3076576AC7EA2D838901CC6B4E2
SHA-512:	497E2C814A5B8B412540018D9BB5B3A47E0545FC7C280DB710052C8F77FF593E58881348B237FA892F7E208B632921D0962266E60CC5797389DA0122525AD496
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	785448
Entropy (8bit):	3.938581251810774
Encrypted:	false
SSDEEP:	6144:PurWSXeSC+hBMdNRneNMToeGYeneqjpGtBlmF:2LevUEcLe9l2
MD5:	B3C5F9613FB03A2AA578C29371295F77
SHA1:	32F9D3D1BF7BA8F34742900B9DA4A0FCF0F975CF
SHA-256:	08320B97919246079B98A5BFD40A67B5DA1452B166F2B9859E21D339998162D1
SHA-512:	5037960BC459159BA3D534B7585D6CD172A5563E075FE98EF1932EBA2BD65BCA37B99D782B1EAB5C33ADBA30DC63E8627140D60BD9028112D01BB9EE5A02EF15
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1081280
Entropy (8bit):	3.77728660153312
Encrypted:	false
SSDEEP:	3072:zr8WDrCqyTUawK12P04ti0o5gmQNJDJnJG20FxPlJPJSS12Zzwww6G:Puqs4wqmQN59wtSS2zwmG
MD5:	1D272485264476CF04C454866CFB49BA
SHA1:	9D13F47B98D36D3A64AFF45A9A04B17925898F5C
SHA-256:	F66B02E79D6DE29DBA8C76616B3F47DF597B386AB58DB30FA7E805E36FA7982E
SHA-512:	797B422388439BC78DA413ECC6749945ED4EA94D354ECEB21C1BEC10C5FA9A955DD02EC79626EB8996CEB36A82FD9D0EBB2F43EA1DF7CE94E8B0CD2D75A1A69C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1722808
Entropy (8bit):	6.4866587360850705
Encrypted:	false
SSDEEP:	49152:Ruoh1EWXRkd+h9y6NsRZ9MtL4kD5G5LVuhqITJemL9SQM3:RuohO2km9PNsRZ9MtL4ktG5LV93
MD5:	17B2C86B269267F4B810DBC51E6D793A
SHA1:	C14E9803B1D7DFBE027BE258957E23D7240C1625
SHA-256:	1EFA16D52D508905C4DBBDE4F450AE4511572E20DFC2AC930623C307410CB735
SHA-512:	B57B92283117554D2F7EF7E85613501F8EB3619980260CE427EAF443729417409BF8C6FA6FB4E1599BFD6EF0B3AC51955CA5CDCB63E9A7B9D680C960FE6545EC
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	307784
Entropy (8bit):	6.541340621340083
Encrypted:	false
SSDEEP:	6144:Pue+OpwoajoJ/cLr6eNI0A2kg79zge/ceeE1+v:3DWhS5g72veeU+v
MD5:	84FFBDBA0110417D41CECC2E90471C0B
SHA1:	3BD410023FAAB616BD19316FC7DA4CF8061843E0
SHA-256:	4C46A3280A95DA909745B05317CC39ABF3C631F79F127F191F1E5AE202A636C9
SHA-512:	FA4B33C8848F4A31D8ABF850997C2311B246EE0103A28A23A688F8FD8DBB2621AB7272DA1CE0C8447F6E8BF4ED97A007599CCBA36A431E5E0CD2BB4E5768FEF7
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	97920
Entropy (8bit):	6.434533395747017
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrC8zKAtCz72I/Q/RPTO5piDDFwzS:zr8WDrC8uFvgy5piDD6zS
MD5:	B35E1DBEB6DE3D98F0D02D5FE062688A
SHA1:	F4C8399B000865937C933ED4D3F7443A6395136A
SHA-256:	BD9D62FD719401FAE645118FBB811EEFA626A2E796FAAF41FF43AE971C46F9C2
SHA-512:	D61B9DE832AD9E160B108640E372DB887D32A4B6CA62652E04410BE0DA0859B79E76FA48B5DB95FFD4A8FFC786D7BC3AC1ECC1964CB3D03385BB2A2AFD923818
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1994448
Entropy (8bit):	6.5494262482330186
Encrypted:	false
SSDEEP:	49152:7l8U9+tiqfG7C+5I6ZOX0Bh4MdDHc/EBRXXZUABfmcQ:7l8+++7hOXODHc/EdQ
MD5:	611A0196619175CA423FC87C3C2B0D17
SHA1:	426524B4E733928688F2CA5E61E110D9BA5E98EA
SHA-256:	EA42CCC4A3105C8D1081D6803C17D7F898F8AE86AFAE34BB3718B15CE1087D55
SHA-512:	6C130A7C935B867353F7E77D0C84BC3F3EE0176ED2327D60969838C409ADC51B2C3B00AC449EFED7327DCFB07007C3D02ED708D2D37837BCB754F25CC60CE7B4
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	275872
Entropy (8bit):	4.230454715080273
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCj6gJJRaCAd1uhNRu7z3zHt4s+zbCtbCc0xXNmi9RHYOqEWu:zr8WDrCj6gxe7z3OzY+9jTYbE+la
MD5:	22141258122C8809D46DA57222A24EEE
SHA1:	CC72AAA1EA2A67D33DA8538B31089041F666B8AF
SHA-256:	7259EFF7EA95C215CEFE5961BD9F4B7387836AE18722ADC9E075552AC20CD23F
SHA-512:	33BE388FFD3654417966295BF29141550D23DFC1A9832565AE50D488C2C0FD0078E69862CBB2B105A491EED02009B40FEC16EE498BADD06F4D2BB5B18D2CEA5B
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	751520
Entropy (8bit):	6.5225913014857735
Encrypted:	false
SSDEEP:	12288:DccV8BFJ0kz4uP9V6wY2M48aVNfffNfYRweSat8UVNfffNfRtAUUn4lDW7f5sBzl:DOFJbl/6r2M48aVNfffNfWVNfffNfDw+
MD5:	5FB2510E2322EB38DBE1414EB158EF02
SHA1:	974C5E74E4D9CBEB1A1BFBA2348E13659578BC38
SHA-256:	7BEA8CDAEEEAB13F9E3C82D520AFD1C8F33A34B519D1FF6B62628DD5C3D9974C
SHA-512:	066195CBFFE4C2EE4D8E39D0C1D7F58A8E54388F22BFF619CCC0E1CD2BCF350A8D81D254C6045F6506EC33F3CB7ACE2C3CA7E77DD05DD05AD6B18F87BB457359
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	182712
Entropy (8bit):	6.321044292407141
Encrypted:	false
SSDEEP:	3072:zr8WDrC3DbGpEPwVH+lMCNy0GEVVS1ikLrDdevXqHai8MBEL4:Pu3XSSwVgvfkhvzHcWEM
MD5:	D6A43031983F75E73D90D8F8F6EE65F3
SHA1:	891DE44CFCE6AC6BC790C766971D94872E8A5073
SHA-256:	28BDD891C54357A87F38A2BF6705BC1B2B6989B5BD3BF4CA750829FBD7FA2B51
SHA-512:	0A96059DE916DC162D297D78AC26B8FAB136E475E2A622CF736E84FCEFAE57C2861D24121E6B87FA70F25401BC8870BB9F2434DFFF77B70E396AE3775DDB2416
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5174360
Entropy (8bit):	7.263145839410475
Encrypted:	false
SSDEEP:	49152:v/xFnOvtaWIDn0apLKkLJU9nU2foKhA4vSWidGHp+NDGQUzbpDOfjxAkrQKl+RPp:RtLK3BDhtvS0Hpe4zbpaAKQkroGIz
MD5:	24FC272DC719890D04C1E6804B0E3D70
SHA1:	8806FFAF77CC4AC229326C83A05472FD7CBB422D
SHA-256:	4400C0D026FD13A51AE0CF1154B2A165BD488EBBC7B1FE8BE9649D72D13DA4AB
SHA-512:	F0D1B9E257B95883AE5F259D749CCAD6B1CF51DD229F602731F377786E161A62784D4F6B96C6535E412761E8D1154B8449A77D05DF8890F2561FBDE5A9D62F38
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	139712
Entropy (8bit):	6.519874180004667
Encrypted:	false
SSDEEP:	3072:zr8WDrCGU5adWAKmzUccnzkVBgEuKjj0WWtPPoI:Put+EjzCg+j6P3
MD5:	7939D58529E97846AD3CE93D63C2778B
SHA1:	36E2D3DAF36C2D0208971A66DAA273B627D43D9E
SHA-256:	131DB672352CDE0AB0154F4E5EE0FD28F93494F5D35FE9572BE2C6BE29467838
SHA-512:	05D79A0F03D4087C970B5E4EA7B08AFAA3C86EB8B8CB4E5F3658DB71CC2DAD969351A1B37FF5384513132846B7B9F022AA5863D02245FBDBE32E4609E3729C9E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	380368
Entropy (8bit):	6.674833575620702
Encrypted:	false
SSDEEP:	6144:PulzgSb/029S2P/7nzGxFrRN0r0ivCZci1FXiO8DaS4wwE0CBlFJmcx:Xw/2q/roN7ivCZci1FC74wdBlFYU
MD5:	10DAF38B33648DB8EC4CAF569EFB8325
SHA1:	D226C4CB3EAC2BBB40C7070DF3360DA6087EF85D
SHA-256:	3ED456CAFC1F681A4823411C4F931DB89A14DD1F4C439814E3C69780F489FB33
SHA-512:	8D0975F6C992DEA085532A41B8542D44CBA540DF7BABF1F81E1EF5A5CFA2CCBA010264B2E96F92CFBFF0A8EEEF18BA90CEC3A0639999FBEBF98EFC4188BD24DC
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1269696
Entropy (8bit):	3.7496395278811394
Encrypted:	false
SSDEEP:	6144:PuTvk8/0NhFYAddenZhUhTNnLUrh+9nTGLljX4wuSzVF:C4wXF
MD5:	622DF9CBD4454B7D31D93A8FF26986A7
SHA1:	D9B343BDE5D6038757BD9D3FC3A1DB5D44FCC406
SHA-256:	1BC8B5224D1EC7C1A84FE6BE3D1FC2584C4407F4776BE701311B5F59CC6B2F72
SHA-512:	CB62A86DF9A944F1BA87FEB86CCBB4C8FE34518F5701B513FC0C837E37E9E0F3D2BCB392FAC866C30D6AED8DFF4B65789134FDFA21B62A049FA701C2BBD86272
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	266648
Entropy (8bit):	4.185481008908313
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCyRaCAd1uhNRuiazvhzpwtWhz7I3EWwwrwYx6RPWdn6ysl4a:zr8WDrCgezzvhF1h3wEWwwbx6ksl4D
MD5:	63852098CCC25D5425C739E6CAD65F4E
SHA1:	DE0C1A4DCA860867D769B155909B5B26323FE00E
SHA-256:	1DF1BE777988330F8D3E437175CA8B9D1CF4AB2C6328EA700013A5A0D766715A
SHA-512:	E6893FD4B8D212754383C86CF493242C8A15408742FF6DBD01A8B6B056EE6F6C359E6E87ABD63628FB54D3719B4C0C9731CA7712C7C78D0CDE7E1231BF814081
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	715760
Entropy (8bit):	6.522162821709477
Encrypted:	false
SSDEEP:	12288:U4tuuLntIMDXw5vde5EFf1Pmbd3lSz3dfp1Swf5M0blmFKuJOJZM30j3:7tFDKMg4iX3djfy0blmFlme303
MD5:	6F1E23677F89E09E3B4D7CBBFAA8E9D6
SHA1:	3BFA1C0F2AF97A85C282E141DD9E7D36D2466211
SHA-256:	CCACC1332115B620976CDB004CF6CFE426AD8CD008F8F0DED6D6F5CB71D8D8F1
SHA-512:	D7E6E401DECBF9989C51EE3F4BEE09F696BF25F13FD723AE7BFDDBFD7B7C2C21367D91289AFC4571B6EF34E541920A307F1F4A09F1680A97A2970E7D3412426A
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	619944
Entropy (8bit):	6.637875601699727
Encrypted:	false
SSDEEP:	12288:NM/Of/Bboj+clWnIKgrP6TFPLNWuX4Pemn3oi8ky9Q8WSe/aSqizuO1qukdQAPnQ:u8JgryFPLNWuX40RulAPn1OcnGVNfffl
MD5:	7A16124F85B72495EE1FE9F639B9231C
SHA1:	6BEC7715F9FBA90EA72176E9211A7D2B66CD2711
SHA-256:	6EC71D7BD6697603174EF482893A6AB891B7C056F407AB7071C4C05B905D3360
SHA-512:	55B7DE7FF27C529E2A13E37C8A5973592865D19FF493F01C6413F6D2921EB08A6225614A9B1A0CF9701397EFF8917C1DB84C3789A915FBDBDC0ACF9BC63ABA17
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	150416
Entropy (8bit):	6.494866167569868
Encrypted:	false
SSDEEP:	3072:zr8WDrCsQPtLW7twRxI5mc5TNN3AsdVgNwihwT3RqEM6ZOfHXb42:PusQMzhdV0nh4Hof7
MD5:	B09DEFF61F6F9FE863E15CCEDDC41BD3
SHA1:	A0E6EF8B3C816C2D588E9E77D08B96D3D0CB097D
SHA-256:	2009879148C3ED6E84842B5B6FADE5C90796432F9661AEAB1F984707131A8421
SHA-512:	08009C92E6B4E652CD6516DCE9A4E88329A7A95C8F423C224FB15B983F1F3E8B239C7FDCAF0A567DE409756B1F813099DF1F5EA26B1B1D6B66D852A2716DE79E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	264576
Entropy (8bit):	6.638841934755568
Encrypted:	false
SSDEEP:	6144:Pug872jsLuLnPo2TTHswP2TGz3FUCHySYI:/+2jsLuT3MfTGW5I
MD5:	E62A03187D8ED6B506E1D2B2273F2E0A
SHA1:	4579EAD2B0EF021621D994D6CF7CEB0FB1C4D03B
SHA-256:	B23D2592ECF09B750E142995632EA34F39F835664B728EA5A719C4734403A6FD
SHA-512:	0EF9AF76CA2A09FB8DF0C709881E496D19A35767DBA00817F9190FFCA263591462ABB3CAFF0DDC5AF4578344E0DF10DCF3910CA7CAC8F5E360B556F0CC6EF414
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	108448
Entropy (8bit):	6.041379910770017
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCWweqz1lezmtJwzojsKyyJFGgHZ//rHzb:zr8WDrCSqzXe0wSyyJFD//Hb
MD5:	F8D9ABB1B7F268C598623F479012D0DD
SHA1:	E79F3937B827EAB37E03C3D6083541641491E701
SHA-256:	FD6A12A515BC65DD8D8E133E4FAF4E60A4BF4F0ADC27E7CC200A200206FA7603
SHA-512:	0E7F482B286860CC322E8E9ABB8BFAA6C9A4C335D443F7EF0349EAF8696514CBE06D0743FBC1181FB45E6FB07E23647DD95B7362829E76DE97BF6071DE12EE31
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	662600
Entropy (8bit):	5.99949921629127
Encrypted:	false
SSDEEP:	12288:hpo/FEVciSJJtH4PoR6moWEBfQLxZPhEx7xgtV2hv4tkYUK2tlIqR7lmNK/IKrtK:UFEWi4JtH4PoRfoFIxZPk0NKbB0R
MD5:	972F426D9B56B37005FDABC7D334747B
SHA1:	140458C19EDCD7C4B75586BB4DBA5930D5693DC5
SHA-256:	5052A0F40917AF50A319DD1BC4C39A62289A0723645AEF4A0DC8DBA0DF0391D9
SHA-512:	A4D3E9EC84C8111423CCD978081A2E95C268A177801F6B3E8F81965BE709F1F062C035A774BF9C7A706FAB67F988D3E88FC87E233C449D0179545A569EAC9DA8
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	260560
Entropy (8bit):	5.442716114061443
Encrypted:	false
SSDEEP:	3072:zr8WDrCl4ZAh7ULoQdHBjw8Q2pFj4+W1ISYpksZmRohnonRBfTjzJEthEWV:PulPfQdhMuj4VM8imPjGthEWV
MD5:	1C9E01BBA5F422C56C9F336EB663411A
SHA1:	51AF077DD40C9407BBF10ECF3C8CBF438A0FE69F
SHA-256:	64397891801142AE1DADB7B7E7C9D72624BCE616EA76E21938ABFD415CF2BB54
SHA-512:	F1B54EFC6744DE37E2849B0B9E69551ADFA42E8E10B73FAA0409619BBC03C0D48077C103D055CB78EB8744EC2D621EA216BEA7E8376CC36C123954BB8A00573F
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4357672
Entropy (8bit):	3.9560374353507584
Encrypted:	false
SSDEEP:	98304:2YN3nsBQ5ghvEyqf/whWovz9hRJ5RbisrbdsPO9jXs:nN3nsBcghvEyqf/whxz9hRJ5Rbisrbdg
MD5:	62A647E67A2FA62FE3BD23B8C05AD5B6
SHA1:	49B76A71C794AA8CC03265715F58175E37926D05
SHA-256:	BF783C50B010FCD4353FB2F5C1BC9F25A8D1B5BAFF015A22431D64E0106F6387
SHA-512:	A91A3D1E9847D2FC1EE85B58685E33CDA4E3C743F38FEA146E5A714C1C937D3508D185626131553D94B6ACCD00A7FFADC2F7D70B00568969F3815E725C429107
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	124056
Entropy (8bit):	5.717272734704383
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCCwu7mzj9zNtP9zNps8Q:zr8WDrCCLmzj9P95psb
MD5:	69A2BD4BD404C78D413DAD66D32597C3
SHA1:	7663FEFC203E918AA0A6618A4548B273E4AA2893
SHA-256:	5AEAF364B4159E6603DCC5AC220765A83033E62679405C8141A4C209F89BDF6F
SHA-512:	913C45F67F749ECAC269FBCEBDDAB2A274F274DC7FE0376FEB92C8438493FC9B8B528C48962C27B05710C8D1B48E22300002A9D7075D8FD3DEA1680C0772E9B9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	358336
Entropy (8bit):	4.510772603696019
Encrypted:	false
SSDEEP:	6144:PuEyUkKOEEIK128d2VKjw0EYsfZJnPmTuJjac2a51lHpLszc/kzY56Y:Rx/B/kib
MD5:	827D7E2C0648A1E8647744C90DDC13B1
SHA1:	94CF03EBCDEAECECF5A4438471AD452C8FBD1699
SHA-256:	AD4CE68BE5E3737235F7A3D3F6516B6EBF04209AA5BF2A1E929FA7FAB5F78460
SHA-512:	41C3A9FD99483B67E99E53BA7A706B6AD3F95268F09CE15932DB08CD42ECA01AFD6D05B5FBF2947A3BAE2D01EC9D629B9C269A5B67B34853FDB83FA40FC84581
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	763032
Entropy (8bit):	4.114589316949574
Encrypted:	false
SSDEEP:	3072:zr8WDrCcwRnjnzhCiXXXXXX1AzZwAazTwdOLxN1IHO:PucwRnj7XXXXXXSzuz8OZ
MD5:	F898708BB5A98C216A5BDC4D8AB55F31
SHA1:	22F8606DFCC66EAA9348FCBE454AD077C1D6BD48
SHA-256:	9660432E007E774265D438B48100B8D6F0A98DC028D0208720FF7A76C72EA115
SHA-512:	2518C501205897BF611DD43A462AE4F689E1C1587BD2F5F15B33CDB63CFB367A402FB4BB61FFE7A7EC23AC564DA601060011AE6B82CDB8D2E565D14F7C72505F
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	895120
Entropy (8bit):	2.964304827256967
Encrypted:	false
SSDEEP:	3072:zr8WDrCgfCEq7tOxIfMFzCEpAm/4rx7z1arf+9:PuJz8w
MD5:	02B9A3A76F77E057424B70187B54E8BE
SHA1:	3A659E76872EE3E20BA10F11D291D0BAC6EE0F66
SHA-256:	7B044969828A96DC142FFEDEB7922A876C4CC5CB4DC073C5CA47B868D7315C4B
SHA-512:	26D9CC3CA41BF1AA592A914DB7BDC82D7761962D7AECA6BDFC38047B39D6E1081484B5A90C009DE01D41F9CA45E54570B15AF6F10BD7E9CFD985F42B3ACF6E6E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1082008
Entropy (8bit):	3.7732979147875136
Encrypted:	false
SSDEEP:	3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
MD5:	9139C2A0B4A37763278B42FA33970AD6
SHA1:	4667B3983C739687FC50DF651F1633E1EC2DBCFF
SHA-256:	EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
SHA-512:	E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	105440
Entropy (8bit):	6.077342901333925
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCqjhzxwKehzgt5t1D:zr8WDrCMhLehEthD
MD5:	3041D08F176DA6C15446B54A11BA7772
SHA1:	474A99A64B75751BBD04B10E7F7F2D9D43F12E6E
SHA-256:	3E6EB6EE327A6054BA3BE5F55F3481FE3436AB3CF0F0D6FE99976472CDD02631
SHA-512:	216E38ACBCAC94F24144566415DFB6EBC94A16E93B44E1F45B79D982523B8F4A6A2FC1AD5843C336998D30F2EBD39ACE559F93EAD1AEE696A81032CB5641202D
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	537536
Entropy (8bit):	4.966282092151679
Encrypted:	false
SSDEEP:	3072:zr8WDrCXPMMRMMMmMMMvMMMwMMMNMMMWMMM3MMsewVOOMzMMvMMOMMMJMM2MMQMe:PuGwVR6V7byjUWAZyVVdz8eEdGo
MD5:	565FEA50A9BDB9B4C1A88FB65316D097
SHA1:	D98406308D5B48AB1AC35E2E866D0F1A30E37442
SHA-256:	93A7BDC3118E56C0F2EA0CDD7718D4A7F7165B6FF6A1A4EC7912946B35DA1DB8
SHA-512:	7C0DBBC3880E747EF11EEF454173A959F98045110BC0A851DDF1405B8DFC18A1B6F1D2321271C67B8815647698AB8754EB9C0DF226ABA598060B78580A1BE299
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1271952
Entropy (8bit):	4.08276153361242
Encrypted:	false
SSDEEP:	3072:zr8WDrCf3ppPpNpDpspp/pCp0pmppdpspppRppMpLp0ppppbpQp2pphpSpXpQppt:PuIKQSNdhnSzv
MD5:	4F7B544E82176A6591B213634C9DCBBC
SHA1:	EAB0382F33BD32FBF05351F750014EB814CDFC07
SHA-256:	3E8E1E8C74AC39D6663C089A3FADE84F9852F70325981F037E9CA111036448CA
SHA-512:	C339CC8DA7001494E3D2855632837408784412412630507E52A165AB42FCE29CF0D0115D3C3475ED231B2E4A14025464FC6DA85F4AD3227822B6855117D7C604
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4099760
Entropy (8bit):	3.71770959793901
Encrypted:	false
SSDEEP:	12288:+BKs7fvZIFpCYVIVN2mGsb8HtVLaHw3j4cLbUBRjLFP29DyZbT9gb/m06aCzE6h9:+BKszX0FjOeblHiled/k
MD5:	44D035172880CB494A431B5151307A85
SHA1:	F754A916F702B3A4AE738978E6CAF9ED103977F7
SHA-256:	60DBDA9BFE2A3A683DE925697F23962303AADA724144B70C50D5D4D915A73EDA
SHA-512:	1916ED72E59480F3585160231E3DCC459DCBFB3BBF126C7456A3135B9A08150A3B5512F5469CE7B60E2CFEAFD52B06157DA821367E83184CB2D54FE1BAF1D52C
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1273488
Entropy (8bit):	4.307336050132688
Encrypted:	false
SSDEEP:	3072:zr8WDrCT6bZt+ATS583ONo4aezJ8ZfqiA:PuT6bZtazB
MD5:	93B6F18794A883468A84104009135CD5
SHA1:	D64AE31C9F807C4990220F3A50017479BE240C5E
SHA-256:	5E898D867103B04903E9F1F2A7E788FF53DBF8201FD53E0C3323C96970FB2086
SHA-512:	95FA46CBBAEBA8882A7062569CCD9A152C440D433D30A42432B126429268576D83F780E6931F1A2C1F02ECD4C73B6E5BCEA2BAF54993981E2338B0A4813BFC1F
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	124056
Entropy (8bit):	5.717272734704383
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCCwu7mzj9zNtP9zNps8Q:zr8WDrCCLmzj9P95psb
MD5:	69A2BD4BD404C78D413DAD66D32597C3
SHA1:	7663FEFC203E918AA0A6618A4548B273E4AA2893
SHA-256:	5AEAF364B4159E6603DCC5AC220765A83033E62679405C8141A4C209F89BDF6F
SHA-512:	913C45F67F749ECAC269FBCEBDDAB2A274F274DC7FE0376FEB92C8438493FC9B8B528C48962C27B05710C8D1B48E22300002A9D7075D8FD3DEA1680C0772E9B9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2970664
Entropy (8bit):	3.852513127476973
Encrypted:	false
SSDEEP:	3072:zr8WDrCbKd0qVmvzC1SvXKo3NzbsZ6DdIAZcbEcofUnpfRII8Lp9qgN3WJp0Rf5F:PuO/V/CfDhNG5sMXjjzmEPoL
MD5:	7AF0A120B754A36602AC1A7F2B3C66D1
SHA1:	D7870589638553E4D6DDD2E96F47CE3257CA4386
SHA-256:	548A4FDDCBEEF643B1CEA7FEA80E10EF7A98342223AA0D03E2D3F0E090732FA3
SHA-512:	9673C807E0C42B9C96E7A2EDE5B905E113B1C3A9C082FEB06AF7AA507238F35B4A376DCDB78711AB59A71845AA85C8B6A0ACEC24FF1EA0C08D0DA5AAAE1A5851
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3531712
Entropy (8bit):	3.7796637413670093
Encrypted:	false
SSDEEP:	6144:Pu8sSR7PYKzz38YwZItvsDu7DbDhRAUzHW:5PYmLWSDBy
MD5:	6DC25D566989B3C8B314D0A51CE264BB
SHA1:	91A91837034A68BC5327132381D4A060B96B80AC
SHA-256:	7B0D191A69BA4A30A5F9BA4914F61B4514B30507467858E595353E158E20B62C
SHA-512:	213F26AC7407CDC444968465B5F2153DBF4D0B1113ECFFC7CBD936BCD4D0F1B024C5EB294EB1630D986BC022726F622950B8187304385FB81CA234E0E6D6D9A4
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4319272
Entropy (8bit):	3.812301874725472
Encrypted:	false
SSDEEP:	6144:PuEmRfvlTZY/C3ul0ywb/uXMo+YJ7M41zXLWIB:3+6M+595B
MD5:	FB10E76D72E74609F207999494FFEEC1
SHA1:	9AE189189878E6B4E84FC1EA6BD6CC861E25BD68
SHA-256:	1594E068581C29E6422B82053DC5D2F1E805E190E7B12F9EFE8BE6C2D6E8E4DA
SHA-512:	78F4F601BB7E5B5696B615B66F701DAF6DE2E984C19D502207A786D5E6784E5D3C7474D05EE282227EB19EDA91A5BCEF3698B0F02FB0630003BAF88AE75C2136
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1082008
Entropy (8bit):	3.7732979147875136
Encrypted:	false
SSDEEP:	3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
MD5:	9139C2A0B4A37763278B42FA33970AD6
SHA1:	4667B3983C739687FC50DF651F1633E1EC2DBCFF
SHA-256:	EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
SHA-512:	E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1082008
Entropy (8bit):	3.7732979147875136
Encrypted:	false
SSDEEP:	3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
MD5:	9139C2A0B4A37763278B42FA33970AD6
SHA1:	4667B3983C739687FC50DF651F1633E1EC2DBCFF
SHA-256:	EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
SHA-512:	E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1082008
Entropy (8bit):	3.7732979147875136
Encrypted:	false
SSDEEP:	3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
MD5:	9139C2A0B4A37763278B42FA33970AD6
SHA1:	4667B3983C739687FC50DF651F1633E1EC2DBCFF
SHA-256:	EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
SHA-512:	E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1082008
Entropy (8bit):	3.9078362884831104
Encrypted:	false
SSDEEP:	3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9br8WDrC:Puv243xmQm59UtUSfzou
MD5:	BA891F25EA026EF76390F65F7514AAF1
SHA1:	67221DA58E84C799AC882226D785A695DF31574A
SHA-256:	2C4BB6BEEAFD90260E1E3C3C56E6DFBD8BFEB656BE4CD97501733C6020743D1B
SHA-512:	77D2DDDD9BFDE6A443D813656812E23B0E61E4F4F90A65D0C459086AC2DE961346113F1889148B470E67F4D77B8C6992E96C31D149EF88C93CB496CA5FFE6B53
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	97792
Entropy (8bit):	7.345675805687577
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrC5MXL5uXZnzEPf+hzRsibKplyXTq8OGRnsPFG+RODTbN:zr8WDrCawnYPmROzoTq0+RO7N
MD5:	91F8C5655E265566963C8110F8A9DE7B
SHA1:	B96F17997E415AEB3CDF82A68927AEAE232FEBAC
SHA-256:	CB9E615DCAF44187AD82F13EE4B711C38696C33E0FC25AA44309937BD571811F
SHA-512:	7E9B9612E3B4868AFB70C9DD6A94715FD0511043949A89CACEAD24E2369744525D0A411D92C6CC81F24F7E222E1BE37A0BA790DCB9ED7E8AB289E0D4F504F7D1
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	582184
Entropy (8bit):	6.398834596152969
Encrypted:	false
SSDEEP:	6144:Pu0LWET8DS698nGX2OduCwUJWh/JmmS3DAjqnkrzFoEh+vMKC239YUFgBdQ/:PLxT8DhyiLduCe/lSpn6zOvYUFg4/
MD5:	897450E53986279D2B04BA53B52BDDD8
SHA1:	94C242D856D91F902792EF4B390A65847321632F
SHA-256:	07648CB2CA34B1C0F75971AE97F941AB50AE25F76429AFD4CBF1895B0269D24E
SHA-512:	72A40CC08748BBAEE3E5B06EFA0F123F2C20A793B5862473EB972CA68F39474A89D4BF9DD0250321DC32D80AD8ADE6A0D52CCE978B5DC0AD1421E6213DA42C98
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3837992
Entropy (8bit):	6.444733046079261
Encrypted:	false
SSDEEP:	49152:BB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8l8EK:NHzorVmr2FkRpdJYolA
MD5:	32890A1EABD25D9DAFC948F5146EE430
SHA1:	228A82E420134C823B26445D3124DEA5575E68B4
SHA-256:	3701476504BE77805D33A9E809A5D42C10170D5342C9D6DD2B546EB8D44F9005
SHA-512:	9B1B651AFB2C5DAFA5D3A0D48ADE18F90BC370F183C0884F21C1EC2454F015DEEFF627F091AD1C73341EEDD2F5C7D291DF2CAB0E6B23A8C5F52E2DE2DD3E0C6A
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	161832
Entropy (8bit):	6.14756500825813
Encrypted:	false
SSDEEP:	3072:zr8WDrCJ2VSd2ga8KActASiZAkXS1xU5M3XgcoT0cs4qIm6Y6:PuYVSktVjv3Xg5T0FIY6
MD5:	04EF9F4C747D7E6688BA9F35B8E3D8BA
SHA1:	24E64BAC23BC510711460C2B33130FF4C1CDCE05
SHA-256:	3D1421240FCFD07D5084ED9D4B33A5DFFADE81CE7912EE0BE4A2E4437857B642
SHA-512:	BA8C839D6CA820B5DA5E1864564355EDB1628811B34FDFAAF54C0505D2971892C6CE3783FF4F2DA8BEC0A346BE733570BF50CD86B2726249AAF3DA611470B993
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1827880
Entropy (8bit):	6.540156971587151
Encrypted:	false
SSDEEP:	24576:nhDdVrQwm5ztlU0A7fMAHmpmZ3QXE/0/lVaLpmasGvP0:nhDdVrQ95RW0Y9HyWQXE/09Val0GE
MD5:	879742EC86106257BEA934DBE9B820B4
SHA1:	2D0D374FE06464FE3DEF4C6025BF2C5246572C03
SHA-256:	8AFF66C49C009D187109D8B38F826731B88C832B976767C41F73EA4C7972CF2C
SHA-512:	B7DD56A683CFB81DE96408F4D973EF9EB8201E5A2C574954487E152945D87CBCD5CF81D9567B09378E7737FA47B31AB29DCD03BE846DABAF164E3530639FCE36
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297448
Entropy (8bit):	6.513926743108373
Encrypted:	false
SSDEEP:	12288:3doA0Eh2XptoQZRuefMYR6RrAJU9CsxmMocSipEylqFfouDMA+nkSddSDBDIq:370E0ZCQZMip6Rrt9RoctGfmdd0
MD5:	C46EECCF6FAE76F11358D0E43965681C
SHA1:	9ED2788370B6F5B476C7E6000058BE7D5EBEDA6E
SHA-256:	5804894F3F60DA262589131E6B7A1CEA7D5B1023993ABBAD2253C12526914D8E
SHA-512:	C36F36F16CFE7AA0A39353F45931B3B64D7E1168C8DCF61FB7A116612CB24A54E281D4D616EC21D6117118B03A0F03AEF8EFD91CFD5483EB6B6776C7A50EFED9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4251688
Entropy (8bit):	6.506317829104403
Encrypted:	false
SSDEEP:	49152:bpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BT:QehFLvTQDpB5oSOmlBl
MD5:	6D080AAFAA8CE83776195B5B124103FF
SHA1:	8C8809935FA73EB7A18FBD8023B0636765DA9C09
SHA-256:	6AF714C0C52FE584E9B4E9EF39D4DE723C509BF9082476BA3C5B97DCB2D3E4F3
SHA-512:	F7C81889032AFFD9BF288A4B34ECD026B9EC6E5BF74D3D4EFF229029D63B33B26CD0B178AD95FD6BE728414882678F8E36C0C1373D21A32367E9508CCCE7EB25
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1319976
Entropy (8bit):	6.503786677710061
Encrypted:	false
SSDEEP:	12288:Uyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:UiD2VmA1YXQHwlklb8boUuWPg2gX
MD5:	9CF33C2C22730E0C3C7F65154ABFD0A7
SHA1:	7ED4EB14D0A8174B75E4C5F0B06B4DB54F53429F
SHA-256:	FA5E80F107D15EA38675A3A544DA56AA245DB5421D64A162ECB4C159A6CBE229
SHA-512:	CD21A5AB79A0DDCE0F88C57D3E8E4B56C093B12E6CD74DF3AA234D1EB2C8C1D7E4412083836D102B5E4BB545177EC58D5E8FC21216DAB8AEC92D0D3F02026FAC
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2327080
Entropy (8bit):	6.530984368082779
Encrypted:	false
SSDEEP:	24576:yfD3zcv9ZhsSGSQoryOzozU63IqRNhB0kDKPHkkkkkkkBoIeAz:yfD3zO9ZhBGlopzM3HRNr00z
MD5:	3332CF2E4E55A3382BC000AD04399C84
SHA1:	88E1C5B851AB8F57E50EE2F9AFEDF3CE828FA19E
SHA-256:	780A8D096F70BC6FDEEEF05A22C1C943E64C2A3CBE33C6F3600504606D4FCBBB
SHA-512:	1CE56E69DB2CA020CCCC036B5F0FC93156F2352420B5F7E3F551230D478AF5470657F81617B45CB32DF98EF9DCBF5254BEB16DC75F43186ECFF2D71740A772B4
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3790800
Entropy (8bit):	6.537629939786787
Encrypted:	false
SSDEEP:	49152:GTaRe7mkn5KLvD5qGVC008Jpb4tgLUgGEsLABD5wTQh07yrLMLl9YPhe:ZI72LvkrCpbxJRoIMx
MD5:	391A248273BFC2C0361AE5DFE61F6D1B
SHA1:	0BD38C25FE4CC60BCB67ABC8E7407F0135E61FD1
SHA-256:	AEF2E2B2AE1722A9D53DF0A40DD3B126AE40DEBB5176C150DA67AA72392AD6DE
SHA-512:	B5F345FE14835806C1273DFC6C9C1E993D9EF469E8D146BB466816748A8F432362734B72D9BB79848C2C50AE103273FF723E865C649A53D6D1130A8DEB2003DA
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1535528
Entropy (8bit):	6.517119310826715
Encrypted:	false
SSDEEP:	12288:+406WoyJHeFOqDRA7uKk+TjnkgiMnQq+UI7MBImQWkv7yfOYIXbwohMA+nkXZnHC:HW9Jml9mmijZiMnF+ZxmQWcbLw8Vi
MD5:	20628DE11335D9E9C180E82B8DA8C6F4
SHA1:	3214ED9228E71E72D86A3F9ECFB0F3B7A8AEAE8B
SHA-256:	1A1CC93F0239D3A342B27EF97020EF7DCC522BE9A8EEC0220C52B69E098EACCD
SHA-512:	138B4E13BFDC8ED20854432609FFC90852DF667507D7C0DA77D4F817A32A55D084CEEA30184D9DE444DA5A949665532F021E01BF30D261803DBF31E18BA6A8FE
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1273384
Entropy (8bit):	6.515185633103735
Encrypted:	false
SSDEEP:	12288:u5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:uwNHwoYhua6MtERO4qbBJTY6mY1uIgp
MD5:	DA3D6D82C0A5DAB32AD539A41B2292C9
SHA1:	69A16AE6620EBC4E3AB589A77C3875332CD9EFDD
SHA-256:	B68881B7F63772E7D7002EF6ADFE43870760808167260F1FE2578808F47F67ED
SHA-512:	E75F6C20E0BE447C014874769E9037946DFBD602602AE6A1D5D197504FF5F13D5C6FABA3A93E0658E8B70A66B37790D500DF03D8FA6CA01A21FB08F461F1E74E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	582184
Entropy (8bit):	6.399012379647856
Encrypted:	false
SSDEEP:	6144:Pu0LWET8DS698nGX2OduCwUJWh/JmmS3DAjqnkrzFoEB+vMKC239YcWegBdQ/:PLxT8DhyiLduCe/lSpn6zO3YcWeg4/
MD5:	B54D7451BB5AB851A676F7FD48B4CAB3
SHA1:	9CFFEF070932BD40423DDE020E21F2E01FD47FFD
SHA-256:	6DF75851FE1343F4D513DDBB29585F0951D6B7313E083079F78177D333CB8CB2
SHA-512:	A0BC03D3C82ADDE64E90D98DA0FD2D1EDFE6E6F8B397C9A10FF886AB58414C22E3F7E0FACD00850FE449393222D9537BCEFF751D04A69E624ABC99DC0EDB6E40
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\Installer\setup.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3837992
Entropy (8bit):	6.44474949897144
Encrypted:	false
SSDEEP:	49152:BB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8nsct:NHzorVmr2FkRpdJYonf
MD5:	46553926E38215BE17AB4D8BE04D1DE4
SHA1:	AB86CCD0698E21EF490B758C1D54DD81CDC26EDE
SHA-256:	460D6E8771469F0223E17C7FA3CE1CECFC00F30DA2499E02F5355131FBDA04D9
SHA-512:	69B048FE5B53CF827D852DDB775677067FDB795B328ED374DF74CAF093A3F969682D287AC81FBF5FB67E742C2DB08CBE7B3F87AE1D6B73C8D0C5324576B9A923
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	161832
Entropy (8bit):	6.147740797919436
Encrypted:	false
SSDEEP:	3072:zr8WDrCJ2VSd2ga8LActASiZAk6BKuBeU5M3XgcoT0cs4qIm6Y6:PuYVSFtVLA3Xg5T0FIY6
MD5:	A1795D1DF8986B7168CB034E8DF9DB0B
SHA1:	8E3E2940D9BF00CB1E0032A21F4C3136C10C0C2B
SHA-256:	409E056EB694D8668D4607A1C535C4F5C1F96EB410DC27D224ACFD5B972A12C7
SHA-512:	0B9BD213D4C4172267DB3C539124CA24A2A31C69847C3246D0B8E6319793E3D39E5161F1AA06893906EDA235250645625B80168AD3677886772B6747603AB541
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1827880
Entropy (8bit):	6.540143572527637
Encrypted:	false
SSDEEP:	24576:nhDdVrQwm5ztlU0A7fMAHmpmZ3QXE/0/lVaLpmaSGv3I:nhDdVrQ95RW0Y9HyWQXE/09ValqGg
MD5:	3BD76F0F217B572E68DE600D81B534B1
SHA1:	14A673A19D2F07474AA28F8B2119C030FFA885C5
SHA-256:	2D125B8DF59B7E80D5CC3C878C73BB7B2A852E46FAFC4F21C872DFD92551FCDF
SHA-512:	825E7F9CAF8C13E9B014738971F964EB3B55AE12BCA25B0934E998069F3BB4D23D1F83C60E5E556FBC720E099619919C8B3A68E2A7D942F44BDA72626D3CBED4
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297448
Entropy (8bit):	6.513969535789532
Encrypted:	false
SSDEEP:	12288:3doA0Eh2XptoQZRuefMYR6RrAJU9CsxmMocSipEylqFfousMA+nkzddSDCDIq:370E0ZCQZMip6Rrt9RoctGf4dd7
MD5:	EA3F1A71E9941AD0A39CA40ED62F5DE5
SHA1:	3F162289C3A9685451AAED62E2CEF224CA8FA3DB
SHA-256:	A2D179A1F64E6AF6D0D061B21D058B2A0632F4DC78643E71FF088E3DC8C1BE41
SHA-512:	CE8DADDE32EAACAFFE9393E004C4698C4C37BCE95E17D07BCC195B3043F659C6B7A783F96FE7C564868B89AAE09E2317033D1A287C3131391D727E585BDA4614
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4251688
Entropy (8bit):	6.506338124649898
Encrypted:	false
SSDEEP:	49152:bpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9k3hO2y/BG:QehFLvTQDpB5oSOmlWs
MD5:	23BA03A6F1D1F21054622CFDCDD20316
SHA1:	9022E542CC3806BF8224F8223BC852D8E51B6E28
SHA-256:	2C66C0D87399D0A4D4A8688CBFD9BE84D3D10DE2AD938257355D666692E96AF6
SHA-512:	FF9F0D1AFF958339642D9E25B7561C32156251E3165D6E1B53DEEA10D0D5342B27FFFAF4D5C71A5B842944F1F98B4669CE70BA2D177C5430C44EC5AC192DE17A
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_proxy.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1319888
Entropy (8bit):	6.50362753330787
Encrypted:	false
SSDEEP:	12288:Uyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVKMA+nkDhF242oz5:UiD2VmA1YXQHwlklb8boUuWPN24Z
MD5:	AADB711BFB3C0AA7EFE560D106A6CE18
SHA1:	C11295445E2BE25A9EB54C0A66BE7F9F5787DCDA
SHA-256:	236F50F91763F6BA22F9DB3A15218E4CE09106C8D348A79B39C9F02CE89933A9
SHA-512:	E3FC508EE56B5793B1900F4AA913545A60CC4B2CD54733C5DE6C9EEDD591488399D4C8FD78C8F7CBA9EA24CE1D5798E780FF6C72929CC25BD90E603D88063607
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2327080
Entropy (8bit):	6.53093327656885
Encrypted:	false
SSDEEP:	24576:yfD3zcv9ZhsSGSQoryOzozU63IqRNhB0kDKPzkkkkkkk+oIeA+:yfD3zO9ZhBGlopzM3HRNr0T+
MD5:	43AD3D04DCBE6731F2101BC06B4ECD6D
SHA1:	E95FD8F0E20644826D021F0D60821B81026C05EC
SHA-256:	D81F6A09AA5F3F049C8E40CD913D2CFA5C9096EF18A6CB2847CF7108FC57D99E
SHA-512:	5351C3B62729105A0ADE01DCE5DF275300D7E2DB9E7A0E0DF1337B665A2FDC1C2BA5FAD4F8569EF9D09793D41B42C9657E85B12981345AE8AED943B65204021C
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedgewebview2.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3790784
Entropy (8bit):	6.537582177584834
Encrypted:	false
SSDEEP:	49152:GTaRe7mkn5KLvD5qGVC008Jpb4tgLUgGEsLABD5wTQh07yrLMLl952hS:ZI72LvkrCpbxJRoIMP
MD5:	E98C0CEE93F810A5B1404C633DCE1305
SHA1:	1B89B6A4165E0B1EFA4783AB305057DD664EC3D8
SHA-256:	CABD3725BE971BB4A7A92AB7DDD8F77A7098272EC1C3E4478082C89FE2F538E4
SHA-512:	961407A55E602971ECC89113EFBEB16C4D3B4251B79361753DA7A247613810E7B69D11E7D58B7F1647ECF270D142B6FC50B95DA0F317A5968AD21912AB7F3A5F
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1535544
Entropy (8bit):	6.5172291414287615
Encrypted:	false
SSDEEP:	12288:+406WoyJHeFOqDRA7uKk+TjnkgiMnQq+UI7MBImQWkv7yfOYIXbwomMA+nkVZnHt:HW9Jml9mmijZiMnF+ZxmQWcbLwlVN
MD5:	D93302E5A04E9D213A2219B10C3F5DED
SHA1:	1DA049D54617386FDF6CAEE47DE99B931D3E8266
SHA-256:	59A705B581C3C884642D0E813AB86BCB087FA34CC4EF8FCD1CD066F00425010D
SHA-512:	913632C31A80CE94BE764AA49D26AC77F9614786BB524CDC17678F2DC9D29E7AD64277A3FEA4DDCF5F622212D6DA1E7281D83C18AD9CA167B96BDDFD2A8A407B
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1273400
Entropy (8bit):	6.515264405879569
Encrypted:	false
SSDEEP:	12288:u5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkIogjkd9:uwNHwoYhua6MtERO4qbBJTY6mY1u9gK
MD5:	2A0BE4859CA9BC6E1C854B731BD35486
SHA1:	8D87150AE665DA830A8BAF2DC241369E3526EFFF
SHA-256:	D51990BAC566F6FE53C2164FD53110A7049BE1AD5C9B0CCD5C6BA0E34E00712B
SHA-512:	B83784A299BAB6AB03E2A929A07186C59474555AD128664349153A5CA1F428E72FDC525BB04E5B635A5C4D9506312BCDE107DCAC38F44FE2E485A134B8672F3E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1319888
Entropy (8bit):	6.50362753330787
Encrypted:	false
SSDEEP:	12288:Uyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVKMA+nkDhF242oz5:UiD2VmA1YXQHwlklb8boUuWPN24Z
MD5:	AADB711BFB3C0AA7EFE560D106A6CE18
SHA1:	C11295445E2BE25A9EB54C0A66BE7F9F5787DCDA
SHA-256:	236F50F91763F6BA22F9DB3A15218E4CE09106C8D348A79B39C9F02CE89933A9
SHA-512:	E3FC508EE56B5793B1900F4AA913545A60CC4B2CD54733C5DE6C9EEDD591488399D4C8FD78C8F7CBA9EA24CE1D5798E780FF6C72929CC25BD90E603D88063607
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1273400
Entropy (8bit):	6.515264405879569
Encrypted:	false
SSDEEP:	12288:u5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkIogjkd9:uwNHwoYhua6MtERO4qbBJTY6mY1u9gK
MD5:	2A0BE4859CA9BC6E1C854B731BD35486
SHA1:	8D87150AE665DA830A8BAF2DC241369E3526EFFF
SHA-256:	D51990BAC566F6FE53C2164FD53110A7049BE1AD5C9B0CCD5C6BA0E34E00712B
SHA-512:	B83784A299BAB6AB03E2A929A07186C59474555AD128664349153A5CA1F428E72FDC525BB04E5B635A5C4D9506312BCDE107DCAC38F44FE2E485A134B8672F3E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	225232
Entropy (8bit):	5.9169842072110015
Encrypted:	false
SSDEEP:	3072:zr8WDrCFcxiNNpCPPQPg2cluc/Xswbz8cz3quKoNX1gd:PuFcwVz4B8c37KoNX1q
MD5:	B50DDBDB05BF0BB57476EA6C5A032B2D
SHA1:	75D97A80167D3AB18ECA1B1A990B894F691584B2
SHA-256:	5074A5357D42806C87926B169CD558E653349DF7E44354EC85460C0A2C95C50B
SHA-512:	FA6DBD13E3E85C5098B6A866E7F399AECDCD4FDD53ED3F60F9EE20F8ABC156F2F272B155B5BCD79F4424E89C8045094560575CBA622327D6661A4947D7D35D46
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	247760
Entropy (8bit):	5.766587112108476
Encrypted:	false
SSDEEP:	3072:zr8WDrCQW4l/DReos0gXf+EvC6C36eCWdMuoB+ISzBqUGxNtvKAbFP3cSEt0phcf:Puml/DRfkTC3dM7B+mCivAT
MD5:	886E05881670C2B29D17DF6823B38A66
SHA1:	4CB79B5F1DA8FE8079518B65FFFDB99EB0A3D76F
SHA-256:	AEEB4BAAD144DB01611C82FA0D8F0029F3EF777101740829E7F6D8D453E31D6D
SHA-512:	9FFF6FA38B694ABC945F515A78CFA793D6AB8E7977A2973A5B69265A965DFC76C6A77D48366D5A98EB4D4460A878BE02C95C828066E42FB3F4F64CCD30D93987
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	142288
Entropy (8bit):	6.418539700023223
Encrypted:	false
SSDEEP:	3072:zr8WDrCs684ePKoTB+IvoAewtxUff8aohGme+YDfYz8FrR7:PuQrTB+AleYIkifYUF
MD5:	3856508A91D399E375B350B0C1423FFD
SHA1:	9747673D2FAF4EC499A05B3DFB80431029C17507
SHA-256:	B7E5B278ECB57EDBF3C121517B5CBE0B37C29D7A1F9BE1E121776C59B39F3E37
SHA-512:	77037E2A7F8A466D85F3A5CD2C19DA8D9795297BACA6477D8B39C29D7CBAE8641D6CE300F59035A674F749002B79199211C2955936AEB4DA0C7C6CDAB8636A1D
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	259024
Entropy (8bit):	6.086004749509324
Encrypted:	false
SSDEEP:	3072:zr8WDrCTXEV0tle+5IbvBCMmNginHy8lZoY46Mu/rLogrlKq9YXI35EvMl:PuTUVwleMITTmNv1ohWsqYI354I
MD5:	C37E3B17146D3DF38E578862AEA8C6AC
SHA1:	4587242D000A11BF98779F074BB15989A9E57AC2
SHA-256:	FE9F873C55826F1C1CA88289966923B9B6FB330C2B46261B682584711B0A35D8
SHA-512:	D28917D093AF944094FF56D5712CC0AC9BBCE3337A524E9B95487510CF5ACD2608EA7914CCA920CA9BE5AA7F6CA808B920AEE6D596ECD74DB3B2551BC77047D2
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	305120
Entropy (8bit):	6.411066493542914
Encrypted:	false
SSDEEP:	6144:PumFKucTm3RhMfoSG5dCd7hjAOe9UmXY2Gh++CgBlPMoX:vKucTm3RhMfoSBjA9U2Yxh+Zgb7X
MD5:	A44E4ED52DB101B90FC40FBD77EE5813
SHA1:	E1EA013D66084E842EE75CDF1A20F2C5C7C1D920
SHA-256:	A107A456D15142E351FA622010D0F75EDD8E331C147DF974A5EF1D8889700749
SHA-512:	30EBA6D8ECA2E67D40DA256558E758EE5A457E40E2D4A1CA1FFA175E063B6983F23210E35F7BA857E0F87A550511C8C5AE7F748D90B37F847432DC60B6916C0F
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	142288
Entropy (8bit):	6.419211340608754
Encrypted:	false
SSDEEP:	3072:zr8WDrCDaivqozB+IvcZ4wrZU+l/8xoAm2+YDfYz8GrR/:PujzB+Aw4CZNr2fYLl
MD5:	66668951BA49BF63140B9DC5384B12FF
SHA1:	864CF0FC89B1EC2FC0F7F86231001C606D95C626
SHA-256:	316FB2C43692DD48BF49D92F62393E1FEF23A024776398E25B5B08F2CB7601F0
SHA-512:	523138612680231D11AAC37F70C649334D8070D263DFA87A6DE9863C5C0A4E0AD6805F02EA29ABB99645CF55A3312B9101C0B06935F416BA5F33BFD8BC42E930
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640416
Entropy (8bit):	7.91251877420056
Encrypted:	false
SSDEEP:	24576:dwy53G70SeiN9YqxCCg83udcWXDYajPF2410wuRpGfFki94qSe/wsNfzUG:Cy53w24gQu3TPZ2psFkiSqwozX
MD5:	352C6224D8440DF99EC9BCB6D1205994
SHA1:	6E0D04A6F207B83B385F09F43E1C1AA4519399A6
SHA-256:	5F579E51C94992CFD86C111D09F84E328F373073903E51D7C02AC77697D682EF
SHA-512:	9175FB5E4524C95C706C4147B700155BD551842F2890D737C635DF8B684585AAFF2E41EC2B81BA0BA941ADCDB51BFA9DAE09C2440E4B5EAEA9524462F0ADF08A
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144866
Entropy (8bit):	6.2324558335577
Encrypted:	false
SSDEEP:	3072:zr8WDrCkRD5b0qZ7y4jem7y6tkNRCywDw1DiJkuKUY:PuGD5lZ7y4j9KT4DteUY
MD5:	D709786C68534D0465D77BDE302F7065
SHA1:	6E113BCB0876FDDDC39B31D1F364AC1C3B0F9B40
SHA-256:	8F98C63531C25555C4ED421DC87B670C763690A82E9B2D76A59D2233AC500636
SHA-512:	47295791D6181ABB9F777E85ADE7425A34C497A5E4E5B483104DE6105D9CE49D9FD7A342BE5B469528176DB4E63D0A5117F9E6C969B999B7F87FE1076DB14B86
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	280480
Entropy (8bit):	6.382752729567392
Encrypted:	false
SSDEEP:	6144:Pu6Pr2vXzrEbslNp/JNsJKQl0GkRAqVNf0O3:7DQXRVTZu0GP+ZR
MD5:	25156B6B2ACFE0D4284F3842C0F1FD9F
SHA1:	C3C3387E29A3C045104FBA65357B73D36CB72F96
SHA-256:	1F32EEC314E0AEE4B61FAEE41B8D2D882AA49E3D49906E2F91FD842C574D2E17
SHA-512:	77B19A7D771681CC8AF1456013761626620EBCA8B336BD728ACE88B67E7E8D20812918BB588B5D06EF1E722607442ACECAF0BCD2274C912520F3125517157ECC
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366036695000557
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdPyQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdPBGCq2iW7z
MD5:	A9486CBC7696128F7EFFA9E9E3172411
SHA1:	E5FF887C83A9FED46E65B81714ACD70CC9DCBEFA
SHA-256:	8BE87E6E44DBC74ED05763F1BABF9E30F56D8952A07B7C79A21648AB7E868251
SHA-512:	A07B2EA3F5052CFD3BC3375E7D6A5B0DF32589F3877F999A8CF578A85094B8CBC6917923F59F1119171E184AC56707B4A901F18E3385177E8E71A3001BF2BA1C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4473576
Entropy (8bit):	6.5697251244545924
Encrypted:	false
SSDEEP:	98304:9kkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:9kkCqaE68eV+0y8E6L1
MD5:	A0E84CEDA4163F189BE5349FD432B1CB
SHA1:	204335080CD8BA8D46E52DFB29F1461D7BF84CA1
SHA-256:	9A8C97840B4745ABA6BE44CAE7DE9EC0E7960AE31E52DFDE4ACCB1C24B6C4DA7
SHA-512:	BE941C507F9A607087E96CDBA94358F4882BA231CC08E6AAE8480301A5FF82940630134F9DB780B9527F43DD83ABE5D4868759854D2517A6D6A87A26903FCC9F
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	501656
Entropy (8bit):	6.316687804131066
Encrypted:	false
SSDEEP:	12288:mLH18t6x1hjaNHBlfBVDZS82JninSFVlDW:mLOwxyNHBVEHRiSFVlDW
MD5:	EE696711CF9AC80FC9EFBB26B76ABCFE
SHA1:	A2E66B1A8970B93B055B783F1FE600A5EA861690
SHA-256:	9DA9F59CB0DF8F42679E524FDF590843F68D1413BB1F36335B361245F5FD7170
SHA-512:	5A6E226B94364E8F0312D8DE64192A5343EB5E370BC5E10F373458C871A25ABE7520E55AD68279FD215820CABEDADDE4ACA9A01071370B980B62A0126AAB2A94
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1637776
Entropy (8bit):	6.316076233282021
Encrypted:	false
SSDEEP:	24576:z7Z1jyzcKSmKsvwMZJ1XBsn/gu2bRC6dulyyn2WdXM6cWlLIJ:/Z1tKTwMZJ1XBsn/UC6dugWA
MD5:	2E0AE929AA0C46D1850BD2064954D911
SHA1:	C27307CF87ABAA9CB17C869583BEC5DBB57A3C41
SHA-256:	BB21F5661BC8569FBAD37E05E000529EA09A93DF9CE906AC798B6FF87C39DB52
SHA-512:	6F79861A391A35B7634EA05FD37B28ECEA234FE91AC44B3F2DD365F49C9338AA43D5EF40B80588343E7C1B05D2B358F9516F2696F6DB1E4D9D8EA87CBFADB1E1
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	224632
Entropy (8bit):	5.620193770987743
Encrypted:	false
SSDEEP:	3072:zr8WDrCvFtCsHjgU7HOg6KTe/+EypudsD22QnSUEhydebz41:Pu9tx0SA+EySaQKeUz41
MD5:	96A64BD0E265640FFAFD214049708702
SHA1:	DA525339352A6F40A51DD61FE17149EC37E69C61
SHA-256:	4E88BCEBE61AFD28AD1EC55523F1656CA98F02806531CEFFCA55F2598674CFFA
SHA-512:	EA63C18E5AB547A7F76C6BD2F721296B400E2D6FE89C45DFD8DFAB86A794D171A44487CAB0C8DC2328F9DC92C239BB1E2BF55D7C903791EF341BD88FEAE28FB0
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	431336
Entropy (8bit):	5.901379876199201
Encrypted:	false
SSDEEP:	6144:PuYzBRUKCBTwZVr2miTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVV+:jzBRnCBOrsBOBf
MD5:	E7C3CF515AE2F8559EB6E76D748D667F
SHA1:	265615DC51ACBDE842A9A012D03732AA4BF9DDE9
SHA-256:	A2CAC1656374C752299952716F9021B3E15497166FA936A1BAD6AB7C39FE7F8A
SHA-512:	9034265306CF0A5D467C652FEAE1AD6FB4798B527A8C58EED576137582EBF6F24DD25D9EC9D977C93A489E749F1F1A20503B508C168CC9C54419AEDA9B044458
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175160
Entropy (8bit):	5.99132731187077
Encrypted:	false
SSDEEP:	3072:zr8WDrC2/VpSIcnsHKTe8LnZCA5OfkQAm95kQOJeqx6u:Pu2tkIpdA5OfzDUeqx6u
MD5:	C41D1423579C9814533D2E30DA685786
SHA1:	B8AE1B9A8EA125CFA003E1404F44F825F3EFA4AE
SHA-256:	BEE3417F4A10BA18D5DDF56EF7D3AF8597164CE62C74D4E979E09BAD6C7D6509
SHA-512:	52DC28327704F55153CB10ADB7686D5469698D07ECF6E03B223F8DE2C32DF5296BA7E0190E37A58ECCA264C1B045CF7CA1F2AE35F15BA4F43B51D92961F7F90E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3162480
Entropy (8bit):	6.468488558909844
Encrypted:	false
SSDEEP:	49152:vnW4jqFRZega3xejvY7GQOx4K1fm15FKqO7t78Ity6fod76lmlW8U:ms3OBj4UmOH
MD5:	3A5E520F6C98AFDEA3D5D2D92483C739
SHA1:	A578D0612B92D4E3D3C913B06BE977EDFA7ACC20
SHA-256:	BE77D2388C60AB0610D2B49BF1883F24B40C33C767160FBF178F2EF3EA3834AE
SHA-512:	A3451E0C8CAF184343F68D29406D95BFBDE38F03C8AD0FFC4EDED0B3F4942ACE98D17189C574364730A7BF0F249808371175063312A00F9D85EABB61A5657673
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1309408
Entropy (8bit):	6.49550103750245
Encrypted:	false
SSDEEP:	24576:9+sGOL9NLM3r4Viwj6KLqGua43loEeUFmwv:94AA4eGua43lgUFrv
MD5:	EAD6386843778A730062C698AA030740
SHA1:	F24C8F0717004F67681BC64DACD4187A98D596B2
SHA-256:	D932B4622D4D9A52924CB1540B483EF7163D67263A0E0EBA11504B73295B8D80
SHA-512:	0E7641E940526213DFD1627CC80852FE8DC6D9ED3582E30FF355DD56978794B850081082FE7B798152D8AE0E437212471C3C615714FF9CE1DC87434235716516
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	922944
Entropy (8bit):	6.460885615415187
Encrypted:	false
SSDEEP:	12288:R9/Bro8OEYbhEdbsrg4Sxz2/Sl92ncG15fQ224i5pQ+poPCcqyt4:n/BrnYuqFcL3pQ+pDX
MD5:	F0BF9ADF513239520A14EB785BDD5886
SHA1:	F1915F5400458CA477B5E90DE9A2C5C4DDC132CB
SHA-256:	AC67389D5DA5FC3A99576D5832BEC09D66B41E751A15B1B53349A3003EF14DFE
SHA-512:	13CC35E7344418CF48E95525F351585652B9A499FF674DE766AED5D7B35F93F60FA9639AF011E0FCEB5F63AD895EDDBE0054EFE98922811BBE6206E52197AF82
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	501544
Entropy (8bit):	6.316070563003216
Encrypted:	false
SSDEEP:	12288:mLH18t6x1hjaNHBlfBVDZS82Jn8YSFVhwDW:mLOwxyNHBVEHR8xFVhwDW
MD5:	E7018A93116CD346F9F8A0CC2243295E
SHA1:	89155DDC39A59182E5CD870C4D16688AEB2E30FC
SHA-256:	A09544750353F4CD7DE1630460B6CD65F42524A51886FFA20857A220C5190211
SHA-512:	61428F7197B96297E15074C88F214D5247ED06BC5787A1403A87AAA479D6DDD860BC2FAFA8FF95DAD863632A898315313D353C9147118A7BE2E11ECFD21AF788
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1637776
Entropy (8bit):	6.316140077808731
Encrypted:	false
SSDEEP:	24576:zzZzKrsdCmasrf9Xr5wzW27+w3E4nZ1jDkCZTunfmrd/Mq8pqiV+yeci+HMJ:HZ5d3f9Xr5wzW2x3E4vDkCZTEJ+3
MD5:	5D2BD0DA80A8E62789209A0EDAB83B1D
SHA1:	757F87BD301AA6F57CE838BE3153B8830921B501
SHA-256:	EAB3120F77B545B22123182F21EC23BEDE944108CC3C684E7BD282F7049B5535
SHA-512:	FE38763D90349CD0A6816E1EF7B49B6FDA6D7ED3102960F2033FD9FB24EA22FE28B49C0638D971B673D6E24C81FC03D7A414530007F68D005454C645E06F1898
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	224632
Entropy (8bit):	5.619874211696376
Encrypted:	false
SSDEEP:	3072:zr8WDrCrNzQsUdR7ROPHKTeA+EyBEBsLj6mCv0MC+8w+l+jDYgb:PupzrUdH7+Ey6yxCyncDYgb
MD5:	C13590C04F1E3D09263F396F200D3452
SHA1:	3DFBDA0E787B01FA3F39AA2852C2EFAA2BBE9DD7
SHA-256:	F1D24A7B92913E56B479B077CA38CF87F4153D9154AF1FFC1B27F2DC03C3408A
SHA-512:	8A32E90E9C1C3C326EB225B63FE0D2FABC7E4E2C7ADF8367E4016180D004F7DAFFF0ED24FC398F04CBF95EF6DB4F8F87F4AD21F76141AD2BF8351F4C11AD04B5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1922888
Entropy (8bit):	6.541750856572876
Encrypted:	false
SSDEEP:	49152:BxzduwxBjJMXDUlxqK/PDLWf+kfilcOk+4AgAQx:9uADax
MD5:	49F38F9FA23BAA8E1B8F5FF1B370B96B
SHA1:	B1B947630361E3C9B0B9CD17A2E95BF193EA427A
SHA-256:	1A36E884AA4A5DD09F648BB3DE9F89206DCFFF49A37B1164E5F5477F1FA24D79
SHA-512:	20DFF8A6AF31281E0F566CE03A60BECB36C99AF79493C0B06FC12C34003B00238990971E8E2D840554D96BD69A23B1BF506AFDA46B71D2908E75B640D574624C
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	431256
Entropy (8bit):	5.900901024115435
Encrypted:	false
SSDEEP:	6144:Pu4DBRMKC2DARcy85smiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVL3:zDBRPC23DWqOhf
MD5:	165B08FB9A429B745E9E168D329EB478
SHA1:	AC79D629D68A6177ADB43161D3731AF138802511
SHA-256:	3CB517BD21BD184AEA460E8925C81B16A8D6DD26D394AD9123F8C2AD943E6E8B
SHA-512:	F740313E067A29A4DFC358AA960B8E73AE350CA3F34FB851209E3505E49349B0A736BA0C5015CE6494DB43021B9A118CBD3BE3E467642F1F7AFD47EC0DF85519
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175056
Entropy (8bit):	5.99353613364511
Encrypted:	false
SSDEEP:	3072:zr8WDrCVBGrjhgGcKTeA4yJjAYykykBdg+FoQOJb/B1a:PuVgfhFAYykySfUb/B1a
MD5:	12C030EA2C1A9660563DEE8B7A25B079
SHA1:	A6FDE7087411C992CDE0D4E87E622C0C3A015527
SHA-256:	1F140237E5B5DAB4789F967B50E6994E1D9307B25ACB2E521CB72692B0EA44C7
SHA-512:	A39A033F4756D8068F60568BCADB9BE8A0AE8593A44AD72BDD069DEA4280C137FFD78D0CE04B359409EA3EA8FF5A6E8B5A56032D7952FBEF35FB95BCE556C5EA
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3158376
Entropy (8bit):	6.463770375021316
Encrypted:	false
SSDEEP:	49152:M7Inw/bT9uzlAndnpufoDbRwU/xv3lNOsWReEQZeEO1QOiPQOo4r+U:I/VmUAYrj
MD5:	F747D7C1167AE52C17B8EE2B2B648F50
SHA1:	7F99741F5EE38CEB68388AD913638C34AD9BDD81
SHA-256:	BDF99F70C03F23725102CB413F9069900350E5911F4566CFB5447284D4B28256
SHA-512:	A983A8C9114BFB32DCB2E42CF907EABC41B7DDF335B661F1BBCFA35C59CB238A2C0B1864F95F76B781BAD0198F82E0E25BC3754D8AA349AAF999FA70501413B3
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1309536
Entropy (8bit):	6.494467247437919
Encrypted:	false
SSDEEP:	24576:/vbIUnHtg+i54V0tqDNbu5kDIPQy+NTD4XnFzr:/zXzdMkDIPQy+Nv4Vr
MD5:	2E10137A170646449F276989631090FB
SHA1:	809AB6D6099509DF331284F36A8B8AD463C3A9D2
SHA-256:	7B9223995309B804C92D3244ACB070FC23B4A6FCAFFAD882CF7EA87C451C2A50
SHA-512:	C6F93A90B753C9FC3CE8655A95C358A2892AE8CFC11E615B9443F1317D3FE5699E98A752B100AF12A253064DC4F0E7DB570B06D86DEE4374422DB8C9C0117A6A
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	922960
Entropy (8bit):	6.460975970387529
Encrypted:	false
SSDEEP:	12288:R9/Bro8OEYbhEdbsrg4Sxz2/Sl92ncG15fQ224i5pQ+pouCcqC7D4:n/BrnYuqFcL3pQ+pYmE
MD5:	8620D3407D835BF915F0FFF81B796100
SHA1:	BECA62BD742B85C5DAE7E40C12E224540FE5D527
SHA-256:	FC8B94FB0206DE6668B6F6711EFAF59F21E5814AAD2D097729AB830929310383
SHA-512:	BC5AD43D7A563BCA425B22A199F49F9C2D1851FEAFACB7C74AECDB11845C0D24BA0B511D63A56E3B7CD3ADF81965FA70340B3DBAF8DAEE66A23DEADDBF218A86
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER97C1.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Nov 19 08:06:21 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	152778
Entropy (8bit):	1.8390657020544043
Encrypted:	false
SSDEEP:	384:IVaLiXgnB9md5Nvp8PZPQVULt+Z9tkffqsByGmwEmE6Vv8TM6GrU1:kaLiQnB9c5NvpGSULt+ZfkqsJ/8YV6
MD5:	EB5E1AC1E3A8939B437A683CD26644D9
SHA1:	729BBE0FC1D03806B3EED20A035359AB93F2D94F
SHA-256:	F4E8AA496208101804DD412C3D19357649ADD6BC22DC3A93A25AD512032EE639
SHA-512:	5E29D28432A12390C193452ED92C98D8D7050568307E0DC923B24B222F35353EA6E07E385BBBA00D308B75B1DC3912CD3CF6CEDCC1AC585A8D00AB64C5C1D2AF
Malicious:	false
Preview:	MDMP..a..... ........F<g............t...............\|.......t...jL..........T.......8...........T............7..............T...........@...............................................................................eJ..............GenuineIntel............T............F<g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA03D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8312
Entropy (8bit):	3.7062215607911844
Encrypted:	false
SSDEEP:	192:R6l7wVeJMw06U6YiE6FYAagmf24GpDn89bAasffsAm:R6lXJMb6U6Y56Qgmf247A5fi
MD5:	3E058E8A1AD35B6B542F2C0428578F9D
SHA1:	C87FE96346A69F96DB7E4B5EB7104FF3C347CB25
SHA-256:	8BF44390368776451D143F39015C85267EED5B91FC5B95B7278C8BB21BC49FD3
SHA-512:	75E0488B9DCC956A75C10BDB3FA1276B8C8A301C4BD1620E11D38668690E4C63BFD5C73A699E0CFC406D380FC89D224391092506E4637CC27A8BE955935857B8
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.0.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA0EA.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4565
Entropy (8bit):	4.476932070728966
Encrypted:	false
SSDEEP:	48:cvIwWl8zsnJg77aI9exWpW8VYrYm8M4JEBFKR+q80cWgLKd:uIjfJI7Ig7VrJHROWgLKd
MD5:	06304E077D0BB8C34B813869BD374FEC
SHA1:	0D30699ACDC6336C7D8316B893E45E5FF15DA1DA
SHA-256:	552AF9861A826C876D2A815DCEFA3C96EAE497A32D1EFD22DB40C4B6CC6DA363
SHA-512:	569BEE9352CF1D9EB0B703E471AEA9060EFCCC881C785B778EA47FCB8FA4C37E239D1D76362DD122AB67B069A87C339A5BBC578823AAA96F12DDD53EA18394ED
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594669" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	692064
Entropy (8bit):	7.194014407923939
Encrypted:	false
SSDEEP:	12288:IskY7gjcjhVIEhqgM7bWvcsi6aVUfIy+U40vy3W/ceKSHMsiFyY6XNmnMwJ:IsZgjS1hqgSC/izkfFjymk4HM5yJwMK
MD5:	449FF18CECF6F5F51192A3B2DED55D19
SHA1:	344C9315CC65A9A8B57B7CA713EDDCFC00BD7A93
SHA-256:	0F891BFC3F74490937A0A339092EC8515409EC972B0EE12A7F3A21EA039CD706
SHA-512:	474720A4D8E0E992343DE1A897072C9062A5149E4F235013A28DF8C1DBA19020EA894231C1AAB7F5B3C041FD67CF3B2A26E5B25C7D6901FB4B0BEFCCB57957B4
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\1df8b147-01e0-4547-9bf6-95f67bbb8195.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44890
Entropy (8bit):	6.09583960242581
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kWsEi1zNtFTzANp3Vil7FDyuKJDSgzMMd6qD47u3+CO:+/Ps+wsI7ynrTUjAKtSmd6qE7lFoC
MD5:	9921332E6F526643AF8876EEB256CA1C
SHA1:	C71CF040A76ABAAB0D7E58A50F90E46DE1004377
SHA-256:	E44125C515A52F1B67C95D7B87F5A210561B6628BC4A22FBCCC0CACEE8F8DE1A
SHA-512:	06FFC14B0CED3E8A54335703D5148967F472AB4CD00C2128EF4CB4BF6E46C3CEFC5C0996CCC0C01951A5FDD13992C735CC7420681A6491D9AA7964AEDD00E2A2
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\5f0c0871-63b8-4a3c-a47c-638d6b6b6026.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44352
Entropy (8bit):	6.090804689981352
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4xWEzi1zNtD10R0elG14D9JDSgzMMd6qD47u3+Ciov:+/Ps+wsI7yO+0R0GtSmd6qE7lFov
MD5:	E2D54214DBE4F6CD79E6B39D73B267DD
SHA1:	5B0CC8EEE7014388377B5630DA6B3D08F60AD030
SHA-256:	F3F9F892BC0190E96FB64EC7F5061C7B77713C0C89B036907419DAE95E1510D3
SHA-512:	10ED4552397785EB04FAE6E58559864B73E14B705E4ABE2DA829870AF4E558C1D7A096904E633A9150A8F06C8694A694C3A6E227A479F00D862E3038B80313D4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\6e0b30e4-34b2-4f81-b3d2-3554f0a365a9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	44890
Entropy (8bit):	6.09583960242581
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kWsEi1zNtFTzANp3Vil7FDyuKJDSgzMMd6qD47u3+CO:+/Ps+wsI7ynrTUjAKtSmd6qE7lFoC
MD5:	9921332E6F526643AF8876EEB256CA1C
SHA1:	C71CF040A76ABAAB0D7E58A50F90E46DE1004377
SHA-256:	E44125C515A52F1B67C95D7B87F5A210561B6628BC4A22FBCCC0CACEE8F8DE1A
SHA-512:	06FFC14B0CED3E8A54335703D5148967F472AB4CD00C2128EF4CB4BF6E46C3CEFC5C0996CCC0C01951A5FDD13992C735CC7420681A6491D9AA7964AEDD00E2A2
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\71600148-f95f-473b-9551-23f3f8ef4364.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44950
Entropy (8bit):	6.095693943854019
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4xWnEi1zNtFTzA9i3Vv/19KJDSgzMMd6qD47u3+CioC:+/Ps+wsI7yO6TUSlKtSmd6qE7lFoC
MD5:	BF09A861498ACF5DD381987FB35BA1CD
SHA1:	3EEB1B2EC21A6799B0A147BEC50AA1C7F3B57912
SHA-256:	D30C1B41E061CBEC148A0E76956CD11CED33264638359C89D3D5C25B59EDF296
SHA-512:	2A66DB9A14E8199CD36C65144CB78EF3A146F877680665272B5F490B8B765E2FA0F73FE2E07EB063A1BEF5E10AFB40CEF8F0A27F38C41F4335ADBF2293F6AF92
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\75fd5708-a7db-4043-9b86-543a3d3bbbf0.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.089785665972953
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kW3di1zNtPMskzZ7okEt9r1JDSgzMMd6qD47u3+CioC:+/Ps+wsI7ynFTkzItSmd6qE7lFoC
MD5:	ACA5B2C1DF088291395794BE12B49458
SHA1:	38FE1A5C2A8431D7C23E69E0C7585C7D3472D1FF
SHA-256:	C2DC77F5647FED72E622479871F77092D133E297C7AE84C11B3D3CDC6D9FCF5F
SHA-512:	5B6C9E2D87A327C2CEFDAEDE011AC3886B2F94A6F72CF305C1C3F60E8CDBAE63056FA541468AB494CC230F942C03BB6E8334B7BC4CD7C13AF4592444426FA913
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\862b8e0e-de6d-4dde-9a66-4f0f8c8e34dd.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44352
Entropy (8bit):	6.090804894305527
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4xJEzi1zNtD10R0elG14D9JDSgzMMd6qD47u3+Ciov:+/Ps+wsI7yOp0R0GtSmd6qE7lFov
MD5:	FCFD2AC4325AD9D268305BF85A30C508
SHA1:	93B3ED092351EC0323F6960108BE130BE2D9CE58
SHA-256:	4F571B84379D898A1E724CE82CD58C60F1823E43DDE28F2176FD57E440ABA2D2
SHA-512:	85BA27C3CAB1C78FB5CCC06707C495D493A9A188C938FD29B0F8597F41B36253761E81C32908035303AA237EB860CDAADB2E3CE2A9FA6784BE17D7C80CB3B12B
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\91f40146-37c7-4118-a3d7-0ab58d55187e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44352
Entropy (8bit):	6.090791900007794
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4xWEzi1zNtk10R0elG14D9JDSgzMMd6qD47u3+Ciov:+/Ps+wsI7yOF0R0GtSmd6qE7lFov
MD5:	63898A5DA18147CDE1D2657874D086CD
SHA1:	BB10D33BFF64CE25D2D75C8D44A034D322652235
SHA-256:	53EE1A39489D4374AA3561B66A60012047D909A1C36EA0FA92C9FCF72E6E2659
SHA-512:	F230381B7819BA87062EA949E94270CE4171EE2CF570F9754CD595D94EEF691A890089257E8A065260199CDB60FE081AC61AD2D4EF23872F715BF95333A37EB3
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-673C46F2-1D78.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.32377876189479315
Encrypted:	false
SSDEEP:	3072:Xg1A8mkjv7Qs9NBelM9S1o/OwOfHvym0tYrLQ7s09gqpCQzyCxCMQmPbfR+pxaR2:eqkWXfqmlrLDw+pfaHBnd93
MD5:	7AC133A603FFCBFE4F6FAB6E0CD77790
SHA1:	08A4217632A67AB6E04DD7B5258C569690AB3471
SHA-256:	429E0F41804549E9E60C43AAC27227BA5D799E7F901C66B7DB78DABEB3360020
SHA-512:	1F0F880DB5E532B2C9327E87C009D82D089D9BC4BE937338EFB5A75D6006D1196C7EF4F73DCAA9B37E896E64D0DB1D6B9AC0ADB156CC75EBE8A7FEA7CC1BC71B
Malicious:	false
Preview:	...@..@...@.....C.].....@...............x,...,..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30...............117.0.2045.55-64..".en-GB*...Windows NT..10.0.190452....x86_64..?........".fieuxx20,1(.0..8..B....(.....10.0.19041.5462.Google Inc. (Google):bANGLE (Google, Vulkan 1.3.0 (SwiftShader Device (Subzero) (0x0000C0DE)), SwiftShader driver-5.0.0)M..BU..Be...?j...GenuineIntel... .. ..............x86_64...J../T...^o..J...Y...^o..J..w....^o..J..A....^o..J..1H...^o..J....c..^o..J...c=..^o..J....J..^o..J..3.(..^o..J.......^o..J...b.J.^o..J...#...^o..J....k..^o..J..?....^o..J..S..O.^o..J..l.zL.^o..J..@."..^o..J..?U...^o..J..!..h.^o..J..z{...^o..J..n....^o..J..0....^o..J....%.^o..J...I.r.^o..J.......^o..J..ZK...^o..J.....^o..J.......^o..J...'x#.^o..J......^o..J....\.^o..J.......^o.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.0984945491284295
Encrypted:	false
SSDEEP:	3:FiWWltlcUpPmPIijS3XbnbO6YBVP/Sh/JzvbYuDRBOc7cEJHCll:o1cUh4Y3LbO/BVsJDbYuDRBOycd
MD5:	AFAC5E4CC1213807ACB7D1A0F61BCF99
SHA1:	FEDCA0A829A0DBCCD1E9D7048398372FF9604783
SHA-256:	FF48F538CBF3D665C9B115D6F3F6459E0CD7D9DF368E921E5A4BF2CA88E3C55F
SHA-512:	44F1A7E8C8DD1D5CE625AE26ED4074900A979ACD34BAFB3D3B354145690D37D34E07F2D0D9DEE81BE80EAFA9E3973AB11AD6E85EB23A804958584D8DB4902D66
Malicious:	false
Preview:	sdPC.....................cT..\.E.....P."+jDg7C0j+BlQ1Nj+QPG7Safjq+2ZvoQsMhxZL1Gpc+U="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................7aa5fc64-f4df-45d8-92ed-89470ca1c2d2............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\15c8e8b8-88c1-4698-926b-dd837117930b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7690
Entropy (8bit):	5.084947043109842
Encrypted:	false
SSDEEP:	96:stCqKms1hrbDvzwfiwXnMwjTrEm8zWsY5eh6Cb7/x+6MhmuecmAeZXDUM2ML/EJ:stCmsrE6wFvrEmkWsY8bV+FiA0UMPLMJ
MD5:	A92F1C7EBB5FF18FDD41838E6B7AB9A7
SHA1:	61143F0F92A307B1887677DE2E0191B49D0BDA98
SHA-256:	10A4D4F55D9FF0A957F2C17AA53F085D3000A0CF2DB13EBC28C8EE1C30510F88
SHA-512:	3E3CBC1A2494DE3E0F401546FE2A1106A2F33994287FC75E9AB23BBCBB87B8DE8F8F2EF018D5456EE23B5146592687D62DFBB446805BBE91E7E6C53830D8D00E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376477173114335","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340961151815957","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13376477173107040"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\1a3c5039-9b08-453b-873d-0a073ab200c3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7855
Entropy (8bit):	5.084661967865364
Encrypted:	false
SSDEEP:	96:stCqKms1hrbDvzwfiwXnMwjTrEm8zWsY5eh6Cb7/x+6MhmuecmAeZX0p3M2ML/EJ:stCmsrE6wFvrEmkWsY8bV+FiAX3MPLMJ
MD5:	98D06289CA019B6289F059E9655670DC
SHA1:	04617924EAAE531663CD4408C1588DF6BF139987
SHA-256:	083E72D1882A28242DA61103B1DB6B2337714BF6C2D4B2B8CC7C6B5BE20AA15F
SHA-512:	F06C08CADE59462629807FB51AD943448F00079FD889A84485F80234B4288000665D9A194FDF672308277F432D2026FFE6C1C1E7678292836E5A99D57BBDA75A
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376477173114335","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340961151815957","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13376477173107040"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\356cb7f7-c5f7-44b3-88db-7150874fbd0b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7854
Entropy (8bit):	5.084147157694312
Encrypted:	false
SSDEEP:	192:stCmsrE6wFvrEmkWsY8bV+FiAbN3MPLMJ:stCms46MDUbGiyN3/
MD5:	008BCB242900ECDE1CE0B2A87E12026A
SHA1:	90948768C37B673EF1B4154DFD6C03323204A301
SHA-256:	225C0AD18BC30ED997EE6099666ECE10E892B75B41E7619BB41061BDC66395C9
SHA-512:	F6210299EE606D388122FAA67875F4557458F17EC288A62C321F012E511CCFE54C97D2A1ABB3CEF2F8C9653BEADD18530F91A07D2D1BD53D4F03D05CBD58E47C
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376477173114335","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340961151815957","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13376477173107040"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\43b93bd2-5bdd-4dba-9006-bcea913c4036.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7691
Entropy (8bit):	5.085223617646617
Encrypted:	false
SSDEEP:	96:stCqKms1hrbDvzwfiwXnMwjTrEm8zWsY5eh6Cb7/x+6MhmuecmAeZTDUM2ML/EJ:stCmsrE6wFvrEmkWsY8bV+FiASUMPLMJ
MD5:	8BC6DF2A7A75D722F90801623C0714DD
SHA1:	17BB17652C0C7AD3900630F94E7D09B08B542C20
SHA-256:	355DDF611EF611E51EB761FE8BFA94834D84D17600224B47E70B710A48D23946
SHA-512:	D40BCD70040E3DDE8E3CAE6AAD53A56DE3D43DA0D2DA2A86BA9D81837C16B7ABF1586B7A829DC519AB4DE36149918B364652C50B2993BF8E02B5D0F2E6DAF4BA
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376477173114335","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340961151815957","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13376477173107040"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\7cd83bb7-0bff-499c-b8a0-a845f32ae1c1.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\84ebe6fe-62f3-4341-b843-140be61a7e51.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\8a500f52-0412-4098-8aad-ccf0c0213a66.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24719
Entropy (8bit):	5.586658343405253
Encrypted:	false
SSDEEP:	768:7aHmqNFuLWIwoSf3cG8F1+UoAYDCx9Tuqh0VfUC9xbog/OVOLvnz3ThrwmSRpHtH:7ytNULWFoSfsGu1jaDrjS3tH
MD5:	29D5CC3A3CCCF12F37817D1ECBEE4E98
SHA1:	BAE5F1D46F08FE7EC124FE432236CA99C62CDA8E
SHA-256:	7D8993D8AB23A540B160F149E78C4F1326EB530FD28B78846828D72239BF3649
SHA-512:	7ADAAEA1364A87CB401B907357399E1CB9A366276668B576975FA7C43BCA8CD3DC2B76BE1E23C632F97E5E1B72BBC0FF0801BB085FCC589AB4C53DE49805E0C7
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13376477171805143","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13376477171805143","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	340
Entropy (8bit):	5.094428022612079
Encrypted:	false
SSDEEP:	6:HU8V0rIq2PN723oH+Tcwt9Eh1tIFUt8YU8VbZmw+YU8V+UG7kwON723oH+Tcwt9O:grIvVaYeb9Eh16FUt8A/+rf75OaYeb9O
MD5:	6026E29F13B1A3EFE9D4BAD4B11913C4
SHA1:	31E016F5276641B07D579B80DB4244CB79CCDB9B
SHA-256:	317E508FF76C26EBA8735FDFB7CD2B1EC2D6085440B9CAFC00C38B6E36669CA7
SHA-512:	8B19A63B033F88FE046010E25F0DB0463A41E0A94E1C4870FF1AE89B757D9FC6CA6D17F0DFE7E672615693F68EB436695D500402C333339B399BE7B5E57FABF2
Malicious:	false
Preview:	2024/11/19-03:06:20.384 21c0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/MANIFEST-000001.2024/11/19-03:06:20.417 21c0 Recovering log #3.2024/11/19-03:06:20.432 21c0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	340
Entropy (8bit):	5.094428022612079
Encrypted:	false
SSDEEP:	6:HU8V0rIq2PN723oH+Tcwt9Eh1tIFUt8YU8VbZmw+YU8V+UG7kwON723oH+Tcwt9O:grIvVaYeb9Eh16FUt8A/+rf75OaYeb9O
MD5:	6026E29F13B1A3EFE9D4BAD4B11913C4
SHA1:	31E016F5276641B07D579B80DB4244CB79CCDB9B
SHA-256:	317E508FF76C26EBA8735FDFB7CD2B1EC2D6085440B9CAFC00C38B6E36669CA7
SHA-512:	8B19A63B033F88FE046010E25F0DB0463A41E0A94E1C4870FF1AE89B757D9FC6CA6D17F0DFE7E672615693F68EB436695D500402C333339B399BE7B5E57FABF2
Malicious:	false
Preview:	2024/11/19-03:06:20.384 21c0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/MANIFEST-000001.2024/11/19-03:06:20.417 21c0 Recovering log #3.2024/11/19-03:06:20.432 21c0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.180390628964942
Encrypted:	false
SSDEEP:	6:HU8VQq2PN723oH+TcwtnG2tMsIFUt8YU8VxZmw+YU8VRzkwON723oH+TcwtnG2tF:8vVaYebn9GFUt8m/+85OaYebn95J
MD5:	50194C3BF845CFA96A768778CCA07350
SHA1:	A6A0449D6D326850A6F2965F752D35194C18B08C
SHA-256:	05993644B45037F36D95215557F0DCABAC0398BF248C823CE96850367EF6AAD8
SHA-512:	F91287CFAEAA1052A06C5C123D477093B308B4F33B2E994E6BB08D4AE0E8A288ED8F0F1716E6E0DBAD77B4B0EDE5EAF08FF5A969D3FB17D1EB875D932C4B3FCC
Malicious:	false
Preview:	2024/11/19-03:06:11.924 1e54 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/11/19-03:06:11.924 1e54 Recovering log #3.2024/11/19-03:06:11.935 1e54 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.180390628964942
Encrypted:	false
SSDEEP:	6:HU8VQq2PN723oH+TcwtnG2tMsIFUt8YU8VxZmw+YU8VRzkwON723oH+TcwtnG2tF:8vVaYebn9GFUt8m/+85OaYebn95J
MD5:	50194C3BF845CFA96A768778CCA07350
SHA1:	A6A0449D6D326850A6F2965F752D35194C18B08C
SHA-256:	05993644B45037F36D95215557F0DCABAC0398BF248C823CE96850367EF6AAD8
SHA-512:	F91287CFAEAA1052A06C5C123D477093B308B4F33B2E994E6BB08D4AE0E8A288ED8F0F1716E6E0DBAD77B4B0EDE5EAF08FF5A969D3FB17D1EB875D932C4B3FCC
Malicious:	false
Preview:	2024/11/19-03:06:11.924 1e54 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/11/19-03:06:11.924 1e54 Recovering log #3.2024/11/19-03:06:11.935 1e54 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	551
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWWWWWWWWW
MD5:	47755D758FF3B7335CA27F6313D4C2BE
SHA1:	6CC4C834FF24B973F044F6BA0F42833CBE28B92B
SHA-256:	1744842F55053137F5A2505747766DECEBABA068C91AE3D80A9FA37AF60C106E
SHA-512:	70E4E13CA6652D06040121BA4E4CADB2ADE5D577CF7530270F7FE9BEB8E362AF256050FA6CAC162A32DBA3FDA9F136AE8F670A5C86A50046B37E48D7E332861F
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.113467098972485
Encrypted:	false
SSDEEP:	6:HU8VhQL+q2PN723oH+Tcwt8aPrqIFUt8YU8VbGKWZmw+YU8VmQLVkwON723oH+Ts:dQ+vVaYebL3FUt8SGKW/+7QV5OaYebQJ
MD5:	85794D247FAE5262051CD0EF54F680F5
SHA1:	9514096722F73DC28CC928E256B0D99491078F1F
SHA-256:	CAB9262A09BB158B83814B0C80AB3EC356B5593A8815D8AFF820B28B102712CA
SHA-512:	9B81338717B066166F9C0B29FDEBC61FB15B7E96CC6538F636BF6A941375736D27534E6E6DD0B4AEAC719E80A46D4A85146F80770D4A5B74088C4DFD5EACD8CF
Malicious:	false
Preview:	2024/11/19-03:06:11.911 1e5c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/11/19-03:06:11.913 1e5c Recovering log #3.2024/11/19-03:06:11.934 1e5c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.113467098972485
Encrypted:	false
SSDEEP:	6:HU8VhQL+q2PN723oH+Tcwt8aPrqIFUt8YU8VbGKWZmw+YU8VmQLVkwON723oH+Ts:dQ+vVaYebL3FUt8SGKW/+7QV5OaYebQJ
MD5:	85794D247FAE5262051CD0EF54F680F5
SHA1:	9514096722F73DC28CC928E256B0D99491078F1F
SHA-256:	CAB9262A09BB158B83814B0C80AB3EC356B5593A8815D8AFF820B28B102712CA
SHA-512:	9B81338717B066166F9C0B29FDEBC61FB15B7E96CC6538F636BF6A941375736D27534E6E6DD0B4AEAC719E80A46D4A85146F80770D4A5B74088C4DFD5EACD8CF
Malicious:	false
Preview:	2024/11/19-03:06:11.911 1e5c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/11/19-03:06:11.913 1e5c Recovering log #3.2024/11/19-03:06:11.934 1e5c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	332
Entropy (8bit):	5.12363081088721
Encrypted:	false
SSDEEP:	6:HU8VKSQL+q2PN723oH+Tcwt865IFUt8YU8VKSGKWZmw+YU8VKSQLVkwON723oH+v:xQ+vVaYeb/WFUt8cGKW/+cQV5OaYeb/L
MD5:	22FDD23C0D8C0619043F6E2A6BDB34BA
SHA1:	A0B68E80D60B379D54261C70A3E2217A91741469
SHA-256:	47F8919D2FDE3B8C22E426EBF37E310C16F384131DCF0EE87FFB11523BA4C413
SHA-512:	7803A3AAA4667B39765C34B50FEDC5935C480ED61DFA1A6B7EEA659B479EA75FAC54A83ED942A9406BDA5F62D225D459DE472FDCEBA234E57DD145B4B454AE87
Malicious:	false
Preview:	2024/11/19-03:06:11.960 1e5c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/11/19-03:06:11.960 1e5c Recovering log #3.2024/11/19-03:06:11.960 1e5c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	332
Entropy (8bit):	5.12363081088721
Encrypted:	false
SSDEEP:	6:HU8VKSQL+q2PN723oH+Tcwt865IFUt8YU8VKSGKWZmw+YU8VKSQLVkwON723oH+v:xQ+vVaYeb/WFUt8cGKW/+cQV5OaYeb/L
MD5:	22FDD23C0D8C0619043F6E2A6BDB34BA
SHA1:	A0B68E80D60B379D54261C70A3E2217A91741469
SHA-256:	47F8919D2FDE3B8C22E426EBF37E310C16F384131DCF0EE87FFB11523BA4C413
SHA-512:	7803A3AAA4667B39765C34B50FEDC5935C480ED61DFA1A6B7EEA659B479EA75FAC54A83ED942A9406BDA5F62D225D459DE472FDCEBA234E57DD145B4B454AE87
Malicious:	false
Preview:	2024/11/19-03:06:11.960 1e5c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/11/19-03:06:11.960 1e5c Recovering log #3.2024/11/19-03:06:11.960 1e5c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW:
MD5:	914FD8DC5F9A741C6947E1AB12A9D113
SHA1:	6529EFE14E7B0BEA47D78B147243096408CDAAE4
SHA-256:	8BE3C96EE64B5D2768057EA1C4D1A70F40A0041585F3173806E2278E9300960B
SHA-512:	2862BF83C061414EFA2AC035FFC25BA9C4ED523B430FDEEED4974F55D4450A62766C2E799D0ACDB8269210078547048ACAABFD78EDE6AB91133E30F6B5EBFFBD
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.156374057012844
Encrypted:	false
SSDEEP:	6:HU8V4Q+q2PN723oH+Tcwt8NIFUt8YU8VSBSgZmw+YU8VSBSQVkwON723oH+Tcwt2:svVaYebpFUt83X/+3F5OaYebqJ
MD5:	2C5E736DCB861527DF28B6D133E8ED01
SHA1:	3825703321957EF326ED5328CE92A2DC4C29CB9E
SHA-256:	30A8B5484015117128A193C3A585A3F70D54590D12B44102E700DF97F81C9D6A
SHA-512:	9B22F58F6C7C9D34DCE9B93081B97491435BC252C1F595B3890DF25D3DC39334FAFCBF2A21D5FFD5F6AC753475E34B4707FD5FFEB5363F8C895285DA8625F0EC
Malicious:	false
Preview:	2024/11/19-03:06:13.283 1df8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/11/19-03:06:13.284 1df8 Recovering log #3.2024/11/19-03:06:13.284 1df8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.156374057012844
Encrypted:	false
SSDEEP:	6:HU8V4Q+q2PN723oH+Tcwt8NIFUt8YU8VSBSgZmw+YU8VSBSQVkwON723oH+Tcwt2:svVaYebpFUt83X/+3F5OaYebqJ
MD5:	2C5E736DCB861527DF28B6D133E8ED01
SHA1:	3825703321957EF326ED5328CE92A2DC4C29CB9E
SHA-256:	30A8B5484015117128A193C3A585A3F70D54590D12B44102E700DF97F81C9D6A
SHA-512:	9B22F58F6C7C9D34DCE9B93081B97491435BC252C1F595B3890DF25D3DC39334FAFCBF2A21D5FFD5F6AC753475E34B4707FD5FFEB5363F8C895285DA8625F0EC
Malicious:	false
Preview:	2024/11/19-03:06:13.283 1df8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/11/19-03:06:13.284 1df8 Recovering log #3.2024/11/19-03:06:13.284 1df8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	0.21694809838686463
Encrypted:	false
SSDEEP:	3:6ZvtFlljq7A/mhWJFuQ3yy7IOWU94lv4dweytllrE9SFcTp4AGbNCV9RUIA4n:6Zk75fO74lv4d0Xi99pEYLn
MD5:	5AC4FECC95668DD90A1EBBC17BE06249
SHA1:	86837FA727BBA4DFA5F93093FEF6558BCE8D112F
SHA-256:	609CFD5A74BF717D34C103CCC3D2E5272671EE4AAA0C82A8816B84EAFC426FB6
SHA-512:	53AACD86B3883B050C7828EB8A2D7C968189793CB38E752BE61CD61530CBE75923350E088C18A5B9459D1E79CE17A17FB8A298051BDF0C5AE785BBC1B31269AB
Malicious:	false
Preview:	............t9s....&....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	412
Entropy (8bit):	5.2904035204091375
Encrypted:	false
SSDEEP:	12:DQvVaYeb8rcHEZrELFUt8hS/+te5OaYeb8rcHEZrEZSJ:mVaYeb8nZrExg8h+OaYeb8nZrEZe
MD5:	0125EFCFE1409DABC6765CD1F0BA841A
SHA1:	A10A98A2AA0851414B865B062F567D45CC3B7DD3
SHA-256:	650C25F3AFEE6FDA2F22C75C7C93BB1393E17C367EE7108A15215A23924D9AC7
SHA-512:	F0297103311E584C6C17FA08151486DD5557D77AAFCFECA3D1E1294C4885384B6764F65854BB3F60A47DBBBAB4C2E772466C69CD807B8582A5B9C5EBC9FF5DBF
Malicious:	false
Preview:	2024/11/19-03:06:14.749 1df8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.2024/11/19-03:06:14.750 1df8 Recovering log #3.2024/11/19-03:06:14.754 1df8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	412
Entropy (8bit):	5.2904035204091375
Encrypted:	false
SSDEEP:	12:DQvVaYeb8rcHEZrELFUt8hS/+te5OaYeb8rcHEZrEZSJ:mVaYeb8nZrExg8h+OaYeb8nZrEZe
MD5:	0125EFCFE1409DABC6765CD1F0BA841A
SHA1:	A10A98A2AA0851414B865B062F567D45CC3B7DD3
SHA-256:	650C25F3AFEE6FDA2F22C75C7C93BB1393E17C367EE7108A15215A23924D9AC7
SHA-512:	F0297103311E584C6C17FA08151486DD5557D77AAFCFECA3D1E1294C4885384B6764F65854BB3F60A47DBBBAB4C2E772466C69CD807B8582A5B9C5EBC9FF5DBF
Malicious:	false
Preview:	2024/11/19-03:06:14.749 1df8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.2024/11/19-03:06:14.750 1df8 Recovering log #3.2024/11/19-03:06:14.754 1df8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	340
Entropy (8bit):	5.110006692563193
Encrypted:	false
SSDEEP:	6:HU8Vqq2PN723oH+Tcwt8a2jMGIFUt8YU8VLEZmw+YU8VsAkwON723oH+Tcwt8a23:WvVaYeb8EFUt8j/+k5OaYeb8bJ
MD5:	E3540A9D9207A46E804DF699541A0924
SHA1:	8D3E7E47F9A068504C52B7C8921ECB7E1D82381C
SHA-256:	C8CBE580B6C4561F1B170295A31BF6CE0584011E88D25618E458F638A0D72661
SHA-512:	7EB292ECAE8E1DF6D2A86F4D13DD8A90D3DB0ABF3CD1710ADF442CDD2CEB5B8FF4835A2472DB0CC519C0B04EC86FDBED95F900C5CFDA93AAA2FADCB19375BE25
Malicious:	false
Preview:	2024/11/19-03:06:13.024 1f10 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/11/19-03:06:13.025 1f10 Recovering log #3.2024/11/19-03:06:13.028 1f10 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	340
Entropy (8bit):	5.110006692563193
Encrypted:	false
SSDEEP:	6:HU8Vqq2PN723oH+Tcwt8a2jMGIFUt8YU8VLEZmw+YU8VsAkwON723oH+Tcwt8a23:WvVaYeb8EFUt8j/+k5OaYeb8bJ
MD5:	E3540A9D9207A46E804DF699541A0924
SHA1:	8D3E7E47F9A068504C52B7C8921ECB7E1D82381C
SHA-256:	C8CBE580B6C4561F1B170295A31BF6CE0584011E88D25618E458F638A0D72661
SHA-512:	7EB292ECAE8E1DF6D2A86F4D13DD8A90D3DB0ABF3CD1710ADF442CDD2CEB5B8FF4835A2472DB0CC519C0B04EC86FDBED95F900C5CFDA93AAA2FADCB19375BE25
Malicious:	false
Preview:	2024/11/19-03:06:13.024 1f10 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/11/19-03:06:13.025 1f10 Recovering log #3.2024/11/19-03:06:13.028 1f10 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\62ccd37a-4d27-4ac5-be4a-b1645c0da315.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF38b1a.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\bf3e9d51-4974-434c-af21-e385955d196f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\c17922c6-3bae-413b-a67d-1de9ef5961c7.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7691
Entropy (8bit):	5.085223617646617
Encrypted:	false
SSDEEP:	96:stCqKms1hrbDvzwfiwXnMwjTrEm8zWsY5eh6Cb7/x+6MhmuecmAeZTDUM2ML/EJ:stCmsrE6wFvrEmkWsY8bV+FiASUMPLMJ
MD5:	8BC6DF2A7A75D722F90801623C0714DD
SHA1:	17BB17652C0C7AD3900630F94E7D09B08B542C20
SHA-256:	355DDF611EF611E51EB761FE8BFA94834D84D17600224B47E70B710A48D23946
SHA-512:	D40BCD70040E3DDE8E3CAE6AAD53A56DE3D43DA0D2DA2A86BA9D81837C16B7ABF1586B7A829DC519AB4DE36149918B364652C50B2993BF8E02B5D0F2E6DAF4BA
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376477173114335","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340961151815957","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13376477173107040"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF3ff8f.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7691
Entropy (8bit):	5.085223617646617
Encrypted:	false
SSDEEP:	96:stCqKms1hrbDvzwfiwXnMwjTrEm8zWsY5eh6Cb7/x+6MhmuecmAeZTDUM2ML/EJ:stCmsrE6wFvrEmkWsY8bV+FiASUMPLMJ
MD5:	8BC6DF2A7A75D722F90801623C0714DD
SHA1:	17BB17652C0C7AD3900630F94E7D09B08B542C20
SHA-256:	355DDF611EF611E51EB761FE8BFA94834D84D17600224B47E70B710A48D23946
SHA-512:	D40BCD70040E3DDE8E3CAE6AAD53A56DE3D43DA0D2DA2A86BA9D81837C16B7ABF1586B7A829DC519AB4DE36149918B364652C50B2993BF8E02B5D0F2E6DAF4BA
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376477173114335","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340961151815957","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13376477173107040"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF436eb.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7691
Entropy (8bit):	5.085223617646617
Encrypted:	false
SSDEEP:	96:stCqKms1hrbDvzwfiwXnMwjTrEm8zWsY5eh6Cb7/x+6MhmuecmAeZTDUM2ML/EJ:stCmsrE6wFvrEmkWsY8bV+FiASUMPLMJ
MD5:	8BC6DF2A7A75D722F90801623C0714DD
SHA1:	17BB17652C0C7AD3900630F94E7D09B08B542C20
SHA-256:	355DDF611EF611E51EB761FE8BFA94834D84D17600224B47E70B710A48D23946
SHA-512:	D40BCD70040E3DDE8E3CAE6AAD53A56DE3D43DA0D2DA2A86BA9D81837C16B7ABF1586B7A829DC519AB4DE36149918B364652C50B2993BF8E02B5D0F2E6DAF4BA
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376477173114335","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340961151815957","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13376477173107040"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF474bf.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7691
Entropy (8bit):	5.085223617646617
Encrypted:	false
SSDEEP:	96:stCqKms1hrbDvzwfiwXnMwjTrEm8zWsY5eh6Cb7/x+6MhmuecmAeZTDUM2ML/EJ:stCmsrE6wFvrEmkWsY8bV+FiASUMPLMJ
MD5:	8BC6DF2A7A75D722F90801623C0714DD
SHA1:	17BB17652C0C7AD3900630F94E7D09B08B542C20
SHA-256:	355DDF611EF611E51EB761FE8BFA94834D84D17600224B47E70B710A48D23946
SHA-512:	D40BCD70040E3DDE8E3CAE6AAD53A56DE3D43DA0D2DA2A86BA9D81837C16B7ABF1586B7A829DC519AB4DE36149918B364652C50B2993BF8E02B5D0F2E6DAF4BA
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376477173114335","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340961151815957","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13376477173107040"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24718
Entropy (8bit):	5.586593568377588
Encrypted:	false
SSDEEP:	768:7aHmqNFuLWIwoSf3rG8F1+UoAYDCx9Tuqh0VfUC9xbog/OVOLvnz3ThrwmFpHtuN:7ytNULWFoSfbGu1jaDrjSatm
MD5:	8E73DD752996156C8F7BD06AD6A89F3B
SHA1:	D82F84290B1312EEC75A7AFF96F297F21DD5BFA6
SHA-256:	239E138E81E6C8AB3AA58664E89B6579C84A21EBD3AAC3B7E678359152BA56D5
SHA-512:	261BC9B6601C1901B762FC907B2935932FA64BD361237509550B1A8F9754C0CA177D12022A78DA7CDCE90C55E1F3BEE03A9EED8F0A7FE3D3AFD3DDA31589AEA3
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13376477171805143","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13376477171805143","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences~RF3ceab.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24718
Entropy (8bit):	5.586593568377588
Encrypted:	false
SSDEEP:	768:7aHmqNFuLWIwoSf3rG8F1+UoAYDCx9Tuqh0VfUC9xbog/OVOLvnz3ThrwmFpHtuN:7ytNULWFoSfbGu1jaDrjSatm
MD5:	8E73DD752996156C8F7BD06AD6A89F3B
SHA1:	D82F84290B1312EEC75A7AFF96F297F21DD5BFA6
SHA-256:	239E138E81E6C8AB3AA58664E89B6579C84A21EBD3AAC3B7E678359152BA56D5
SHA-512:	261BC9B6601C1901B762FC907B2935932FA64BD361237509550B1A8F9754C0CA177D12022A78DA7CDCE90C55E1F3BEE03A9EED8F0A7FE3D3AFD3DDA31589AEA3
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13376477171805143","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13376477171805143","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	194
Entropy (8bit):	2.8096948641228403
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljljljljljljljl:S85aEFljljljljljljljl
MD5:	D7D9437445AA960DCEA52FFE772822DC
SHA1:	C2BBF4AC0732D905D998C4F645FD60F95A675D02
SHA-256:	4FF49903BEC1197017A35995D5C5FC703CAF9D496467345D783F754B723D21C1
SHA-512:	335EB1BA85670550ED1E1E4E14EA4B5D14F8306125BF147A42DE4DEF5E5F75F14C422B014414030CF30378C04F748AC875CF056ADDA196511A0B057B3598FE9A
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f.................&f.................&f.................&f.................&f.................&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.097666757845468
Encrypted:	false
SSDEEP:	6:HU8VDM5q2PN723oH+TcwtrQMxIFUt8YU8VDphZmw+YU8VDfkwON723oH+TcwtrQq:gvVaYebCFUt8Uh/+u5OaYebtJ
MD5:	8D49D249861ED8DFAABB876270990A27
SHA1:	5FB03FCF024A9F0817A66E3C4C92744688004CFD
SHA-256:	86E628965B60E343ED655848FF5C88D67C429B8E7E2E001FA6CE7D8E3065D205
SHA-512:	06256ADD015EEA484F7E7BECD6F384BECFEEF05E98752B546C7E1607F9CC1582F5CC64A94C4364027B7B0AB036B9772A6FA84B8889F64AEABFC638756370C499
Malicious:	false
Preview:	2024/11/19-03:06:29.182 1f10 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/11/19-03:06:29.184 1f10 Recovering log #3.2024/11/19-03:06:29.186 1f10 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.097666757845468
Encrypted:	false
SSDEEP:	6:HU8VDM5q2PN723oH+TcwtrQMxIFUt8YU8VDphZmw+YU8VDfkwON723oH+TcwtrQq:gvVaYebCFUt8Uh/+u5OaYebtJ
MD5:	8D49D249861ED8DFAABB876270990A27
SHA1:	5FB03FCF024A9F0817A66E3C4C92744688004CFD
SHA-256:	86E628965B60E343ED655848FF5C88D67C429B8E7E2E001FA6CE7D8E3065D205
SHA-512:	06256ADD015EEA484F7E7BECD6F384BECFEEF05E98752B546C7E1607F9CC1582F5CC64A94C4364027B7B0AB036B9772A6FA84B8889F64AEABFC638756370C499
Malicious:	false
Preview:	2024/11/19-03:06:29.182 1f10 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/11/19-03:06:29.184 1f10 Recovering log #3.2024/11/19-03:06:29.186 1f10 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	356
Entropy (8bit):	5.146390385985716
Encrypted:	false
SSDEEP:	6:HU8VIQ+q2PN723oH+Tcwt7Uh2ghZIFUt8YU8VIgZmw+YU8VKBSQVkwON723oH+T8:kvVaYebIhHh2FUt8q/+V/5OaYebIhHLJ
MD5:	DB995806EECA5EF9D7ED9AF6AB08FBEA
SHA1:	A3CA6A5501451CA78285FD9C012487B5BE853554
SHA-256:	8A601DD2168A592F0D3169A59C5085F57C2B3B56725A560EFA72FDEB341761A6
SHA-512:	29E177C663DC229715B967DEAE4425F72DF70E0AFF7CB2F1E6C5D3C74442CBFD77D5EC1BCA6260B7A954A0FED9CD071B1D5272796D57A0CCF93E21FDEA0A283A
Malicious:	false
Preview:	2024/11/19-03:06:12.097 1df8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/11/19-03:06:12.097 1df8 Recovering log #3.2024/11/19-03:06:12.098 1df8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	356
Entropy (8bit):	5.146390385985716
Encrypted:	false
SSDEEP:	6:HU8VIQ+q2PN723oH+Tcwt7Uh2ghZIFUt8YU8VIgZmw+YU8VKBSQVkwON723oH+T8:kvVaYebIhHh2FUt8q/+V/5OaYebIhHLJ
MD5:	DB995806EECA5EF9D7ED9AF6AB08FBEA
SHA1:	A3CA6A5501451CA78285FD9C012487B5BE853554
SHA-256:	8A601DD2168A592F0D3169A59C5085F57C2B3B56725A560EFA72FDEB341761A6
SHA-512:	29E177C663DC229715B967DEAE4425F72DF70E0AFF7CB2F1E6C5D3C74442CBFD77D5EC1BCA6260B7A954A0FED9CD071B1D5272796D57A0CCF93E21FDEA0A283A
Malicious:	false
Preview:	2024/11/19-03:06:12.097 1df8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/11/19-03:06:12.097 1df8 Recovering log #3.2024/11/19-03:06:12.098 1df8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	438
Entropy (8bit):	5.182984701092516
Encrypted:	false
SSDEEP:	12:bmvVaYebvqBQFUt83E/+J75OaYebvqBvJ:bkVaYebvZg83btOaYebvk
MD5:	9EB1290B5CBEF2E12571032027DE58AF
SHA1:	16A7D4808F4EDD1D85981CBD7FA514804D137FDB
SHA-256:	0190768D278C294FC7FBA852A265E2589A0CD1A004155889A9E56D83F02CFB73
SHA-512:	C79C7BD253FA032F3BD580BD1699127FADD23A419A04B82B126E9B8A148CB662281B6F890F664080054756AB138CA9434721F80A018642153543E4578CAA3A79
Malicious:	false
Preview:	2024/11/19-03:06:13.213 1f10 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2024/11/19-03:06:13.222 1f10 Recovering log #3.2024/11/19-03:06:13.227 1f10 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	438
Entropy (8bit):	5.182984701092516
Encrypted:	false
SSDEEP:	12:bmvVaYebvqBQFUt83E/+J75OaYebvqBvJ:bkVaYebvZg83btOaYebvk
MD5:	9EB1290B5CBEF2E12571032027DE58AF
SHA1:	16A7D4808F4EDD1D85981CBD7FA514804D137FDB
SHA-256:	0190768D278C294FC7FBA852A265E2589A0CD1A004155889A9E56D83F02CFB73
SHA-512:	C79C7BD253FA032F3BD580BD1699127FADD23A419A04B82B126E9B8A148CB662281B6F890F664080054756AB138CA9434721F80A018642153543E4578CAA3A79
Malicious:	false
Preview:	2024/11/19-03:06:13.213 1f10 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2024/11/19-03:06:13.222 1f10 Recovering log #3.2024/11/19-03:06:13.227 1f10 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\3c8825d0-fef8-4c9e-8b6e-f37529f1aa08.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x7, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.3886039372934488
Encrypted:	false
SSDEEP:	24:TLqEeWOT/kIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:T2EeWOT/nDtX5nDOvyKDhU1cSB
MD5:	DEA619BA33775B1BAEEC7B32110CB3BD
SHA1:	949B8246021D004B2E772742D34B2FC8863E1AAA
SHA-256:	3669D76771207A121594B439280A67E3A6B1CBAE8CE67A42C8312D33BA18854B
SHA-512:	7B9741E0339B30D73FACD4670A9898147BE62B8F063A59736AFDDC83D3F03B61349828F2AE88F682D42C177AE37E18349FD41654AEBA50DDF10CD6DC70FA5879
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\a7eaf935-2def-4baa-afb9-71fd2a5fb74a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	80
Entropy (8bit):	3.4921535629071894
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljl:S85aEFljl
MD5:	69449520FD9C139C534E2970342C6BD8
SHA1:	230FE369A09DEF748F8CC23AD70FD19ED8D1B885
SHA-256:	3F2E9648DFDB2DDB8E9D607E8802FEF05AFA447E17733DD3FD6D933E7CA49277
SHA-512:	EA34C39AEA13B281A6067DE20AD0CDA84135E70C97DB3CDD59E25E6536B19F7781E5FC0CA4A11C3618D43FC3BD3FBC120DD5C1C47821A248B8AD351F9F4E6367
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	426
Entropy (8bit):	5.192897146766788
Encrypted:	false
SSDEEP:	6:HU8VgOq2PN723oH+TcwtzjqEKj0QMxIFUt8YU8VNfZmw+YU8VBGI7kwON723oH+f:NvVaYebvqBZFUt8+/+0N75OaYebvqBaJ
MD5:	DD4139AE14293909CB1BE963AB18135C
SHA1:	21393BAA67E3A74782E6C1E67251F72720999991
SHA-256:	7D048A2156F86D3158E5F7AEF4B200C5803699028C20D0614B20E537156895AC
SHA-512:	DE8048E72B40894A196BFF288EE7EC57EF1E0B576A69B01A0D22A09C6A692AEF2A6FE4EDF37DB24FDF34D5D5CED02BF913F937F5802CBA6F9A62132DC22E5216
Malicious:	false
Preview:	2024/11/19-03:06:29.295 1f10 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2024/11/19-03:06:29.296 1f10 Recovering log #3.2024/11/19-03:06:29.300 1f10 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	426
Entropy (8bit):	5.192897146766788
Encrypted:	false
SSDEEP:	6:HU8VgOq2PN723oH+TcwtzjqEKj0QMxIFUt8YU8VNfZmw+YU8VBGI7kwON723oH+f:NvVaYebvqBZFUt8+/+0N75OaYebvqBaJ
MD5:	DD4139AE14293909CB1BE963AB18135C
SHA1:	21393BAA67E3A74782E6C1E67251F72720999991
SHA-256:	7D048A2156F86D3158E5F7AEF4B200C5803699028C20D0614B20E537156895AC
SHA-512:	DE8048E72B40894A196BFF288EE7EC57EF1E0B576A69B01A0D22A09C6A692AEF2A6FE4EDF37DB24FDF34D5D5CED02BF913F937F5802CBA6F9A62132DC22E5216
Malicious:	false
Preview:	2024/11/19-03:06:29.295 1f10 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2024/11/19-03:06:29.296 1f10 Recovering log #3.2024/11/19-03:06:29.300 1f10 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	332
Entropy (8bit):	5.181885067989852
Encrypted:	false
SSDEEP:	6:HU8Ve9+q2PN723oH+TcwtpIFUt8YU8V6aJZmw+YU8V6a9VkwON723oH+Tcwta/Wd:M+vVaYebmFUt8xE/+xkV5OaYebaUJ
MD5:	E51A262E4B0385074BCF646A27B3BCFE
SHA1:	1951DE1C4AA27958136950F5B1ADCD2E63EF1B22
SHA-256:	B3BF438711A17CB2F586F567ACF2507345620813366AA73252F9EA38AFE0837E
SHA-512:	3373AA0441495058CB0B230DD4AA3F1B01C9431163B82C7C3F87E2B400A8F55350020A0D0EE9FFFF287074DC557584E843B72499D749A76776C02868C52CBEF6
Malicious:	false
Preview:	2024/11/19-03:06:11.877 1e2c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/11/19-03:06:11.878 1e2c Recovering log #3.2024/11/19-03:06:11.878 1e2c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	332
Entropy (8bit):	5.181885067989852
Encrypted:	false
SSDEEP:	6:HU8Ve9+q2PN723oH+TcwtpIFUt8YU8V6aJZmw+YU8V6a9VkwON723oH+Tcwta/Wd:M+vVaYebmFUt8xE/+xkV5OaYebaUJ
MD5:	E51A262E4B0385074BCF646A27B3BCFE
SHA1:	1951DE1C4AA27958136950F5B1ADCD2E63EF1B22
SHA-256:	B3BF438711A17CB2F586F567ACF2507345620813366AA73252F9EA38AFE0837E
SHA-512:	3373AA0441495058CB0B230DD4AA3F1B01C9431163B82C7C3F87E2B400A8F55350020A0D0EE9FFFF287074DC557584E843B72499D749A76776C02868C52CBEF6
Malicious:	false
Preview:	2024/11/19-03:06:11.877 1e2c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/11/19-03:06:11.878 1e2c Recovering log #3.2024/11/19-03:06:11.878 1e2c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 9, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 9
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1247935112334502
Encrypted:	false
SSDEEP:	384:KUM2qOB1nxCkhSA1LyKOMq+8iP5GDHP/0j:Kkq+n0C91LyKOMq+8iP5GLP/0
MD5:	D8AE6389F1738AC72769DA09B22B411E
SHA1:	279C65CEDF45B718747E29BF3F1D87EBF70CC8F0
SHA-256:	0F872EB6FA9F541807C1526EF4922D69E1F6D88AA1FDE85E6BE117EBB313BFF3
SHA-512:	0F309690A8BC1D10324BF5EE3F7D9B2E562BFEE5C79F8F33CDCC46D2CE8EDB7C8FBE2C90D821D19C665E5FDA0BCFB5E068DCA6691812EE176EAD84DF6D3FB084
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\d028bfc1-048b-4293-b3a0-95d2fdfee3d0.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24718
Entropy (8bit):	5.586593568377588
Encrypted:	false
SSDEEP:	768:7aHmqNFuLWIwoSf3rG8F1+UoAYDCx9Tuqh0VfUC9xbog/OVOLvnz3ThrwmFpHtuN:7ytNULWFoSfbGu1jaDrjSatm
MD5:	8E73DD752996156C8F7BD06AD6A89F3B
SHA1:	D82F84290B1312EEC75A7AFF96F297F21DD5BFA6
SHA-256:	239E138E81E6C8AB3AA58664E89B6579C84A21EBD3AAC3B7E678359152BA56D5
SHA-512:	261BC9B6601C1901B762FC907B2935932FA64BD361237509550B1A8F9754C0CA177D12022A78DA7CDCE90C55E1F3BEE03A9EED8F0A7FE3D3AFD3DDA31589AEA3
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13376477171805143","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13376477171805143","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.049424530376406366
Encrypted:	false
SSDEEP:	6:Gd0ddi8gd0ddi8CL9XCChslotGLNl0ml/XoQDeX:zddHgiddH6pEjVl/XoQ
MD5:	A364C70716DAB97A286A97ECB635F581
SHA1:	49202B67B6224CF97962C1D475B27F447CC165A2
SHA-256:	385C027302FE4F0D60A58C6908C242124B3BB4F8FF63880F05CCF1443EA911B2
SHA-512:	BAD7427D21D2E8F1A40D7CCA53508B05F07626C5BC37987BE905F01DA5B080692A3F02A758C8496B3C5424B8E0DF5D69A30CD39D393000E571E7CE71EC9B1888
Malicious:	false
Preview:	..-.......................FVN...$J...V..n.c..mv=..-.......................FVN...$J...V..n.c..mv=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1925
Entropy (8bit):	5.3532571266863584
Encrypted:	false
SSDEEP:	48:F3G8vSBS6QDPCHRHUxaIYjIYwzwqkRMYjMYJyHAlkfAlkp3Nf:Za06QyIYjIYwzwbRMYjMY8YcY83R
MD5:	B12A915626A5CF79D85C32352B7148EE
SHA1:	A80660A013F699C16386A5A09F06D9DDCCB0BB86
SHA-256:	210A734EFB48E7DD6120542049EDEE803931812D75C45E91DAADC884CED76FF0
SHA-512:	833B1F95BCFF1CF1B62748EE8474669FD0ED0DB3DBC5DA6EF9776AC8F09CBE7D49E0F11DC3154FE94A3A42CA17FE3FBFB20952CD70B859DFD9DC9D5FCF7AF5D1
Malicious:	false
Preview:	A..r.................20_1_1...1.,U.................20_1_1...1..$.0................39_config..........6.....n ...1u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=................A.G.................4_IPH_CompanionSidePanel...IPH_CompanionSidePanel....$4_IPH_CompanionSidePanelRegionSearch(."IPH_CompanionSidePanelRegionSearch.....4_IPH_DownloadToolbarButton...IPH_DownloadToolbarButton....&4_IPH_FocusHelpBubbleScreenReaderPromo*.$IPH_FocusHelpBubbleScreenReaderPromo.....4_IPH_GMCCastStartStop...IPH_GMCCastStartStop.....4_IPH_HighEfficiencyMode...IPH_HighEfficiencyMode.....4_IPH_LiveCaption...IPH_LiveCaption.....4_IPH_PasswordsAcco

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.195118746220661
Encrypted:	false
SSDEEP:	6:HU8Vijyq2PN723oH+TcwtfrK+IFUt8YU8VB1Zmw+YU8VXRkwON723oH+TcwtfrUQ:OyvVaYeb23FUt8E/+kR5OaYeb3J
MD5:	135F1545BBD3B8F5CE1F17D0A927A9F8
SHA1:	01F2E4AB5E037294F840C4E12BA7531B138FBB3B
SHA-256:	A3AA2CA40292AA9C20697B6209DDBB297E751D5A592828FA03382DF5CAD61EDD
SHA-512:	700C9BA721AFFFE21E3D28AECF8E58ABCB37A6EFB7DF291FC2C0BEA0878A33E5A804A754B5BDF783AA368A879610F20123F8795EC949AB3B55B725F9F483EB25
Malicious:	false
Preview:	2024/11/19-03:06:13.187 1e34 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/11/19-03:06:13.188 1e34 Recovering log #3.2024/11/19-03:06:13.188 1e34 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.195118746220661
Encrypted:	false
SSDEEP:	6:HU8Vijyq2PN723oH+TcwtfrK+IFUt8YU8VB1Zmw+YU8VXRkwON723oH+TcwtfrUQ:OyvVaYeb23FUt8E/+kR5OaYeb3J
MD5:	135F1545BBD3B8F5CE1F17D0A927A9F8
SHA1:	01F2E4AB5E037294F840C4E12BA7531B138FBB3B
SHA-256:	A3AA2CA40292AA9C20697B6209DDBB297E751D5A592828FA03382DF5CAD61EDD
SHA-512:	700C9BA721AFFFE21E3D28AECF8E58ABCB37A6EFB7DF291FC2C0BEA0878A33E5A804A754B5BDF783AA368A879610F20123F8795EC949AB3B55B725F9F483EB25
Malicious:	false
Preview:	2024/11/19-03:06:13.187 1e34 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/11/19-03:06:13.188 1e34 Recovering log #3.2024/11/19-03:06:13.188 1e34 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	928
Entropy (8bit):	4.0841566368719775
Encrypted:	false
SSDEEP:	24:G0nYUtypD32m3yWlIZMBA5NgKIvB8Sx3O5v:LYUtyp5q55NvIp8Sx3O5v
MD5:	FFD773A32B54CE20C08561046A7359C3
SHA1:	0457B60240313DE71285F57D99A505601FECA7EF
SHA-256:	F0FF72019973430411A49A1B5BB5F2C3FBEAA8EAB418944ACB3295CB00DBBA50
SHA-512:	D8EC47D415459BB850BF7973E9C7583E1A4F16B48216D185EC9CCE7739A641F79E5335B0286E428B51BB761B99C043A5D398D7C51274FC2E4A3BAF742D1EAF98
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....X...................20_.....W.J+.................19_......qY.................18_.....'}2..................37_.......c..................38_......i...................39_.....Owa..................20_.....4.9..................20_.....B.I..................19_..........................18_.....2.1..................37_..........................38_......=.%.................39_.....p.j..................9_.....JJ...................9_.....\|.&R.................__global... ./....................__global... ..T...................__global... ...G..................__global... ......................__global... .TN...................3_.....{-%z.................4_.....Z.\_.................3_.....5}...................4_.....

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	346
Entropy (8bit):	5.185794186115192
Encrypted:	false
SSDEEP:	6:HU8VmClyq2PN723oH+TcwtfrzAdIFUt8YU8V4z1Zmw+YU8V4lRkwON723oH+Tcwc:iClyvVaYeb9FUt8NZ/+NlR5OaYeb2J
MD5:	F1E6151F063C28BCA5BD4E989A8AAC57
SHA1:	3960AD4B481564CD2F6C201B10F38A1525C29B78
SHA-256:	793FCE8BE6B3E3660C241CE73F9ACF2A3D10B4CAE74D75010E79339C262CD2EF
SHA-512:	7142087B56167526AF1BD8110AF503C51A024ADFAEC10F1BFCBDB3537EC764E97FEE662C84499F058DEA9DE80FB62AC691ADF2DE9862CD9CB5102358CC204A46
Malicious:	false
Preview:	2024/11/19-03:06:13.184 1e34 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/11/19-03:06:13.185 1e34 Recovering log #3.2024/11/19-03:06:13.185 1e34 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	346
Entropy (8bit):	5.185794186115192
Encrypted:	false
SSDEEP:	6:HU8VmClyq2PN723oH+TcwtfrzAdIFUt8YU8V4z1Zmw+YU8V4lRkwON723oH+Tcwc:iClyvVaYeb9FUt8NZ/+NlR5OaYeb2J
MD5:	F1E6151F063C28BCA5BD4E989A8AAC57
SHA1:	3960AD4B481564CD2F6C201B10F38A1525C29B78
SHA-256:	793FCE8BE6B3E3660C241CE73F9ACF2A3D10B4CAE74D75010E79339C262CD2EF
SHA-512:	7142087B56167526AF1BD8110AF503C51A024ADFAEC10F1BFCBDB3537EC764E97FEE662C84499F058DEA9DE80FB62AC691ADF2DE9862CD9CB5102358CC204A46
Malicious:	false
Preview:	2024/11/19-03:06:13.184 1e34 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/11/19-03:06:13.185 1e34 Recovering log #3.2024/11/19-03:06:13.185 1e34 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	3.143272870858976
Encrypted:	false
SSDEEP:	3:XgabNZo/3jBi5nvLCoOlflZAUAl:XM/TSnWZVkBl
MD5:	EB9E4AF4E5478C0DC2F9090411AF2684
SHA1:	79AD059420D1245C5E598F201A66BF3558F30772
SHA-256:	0E13B2A33CBF12C0BCD4FA85AFB4147938201726E65FAE9A2AC346DBD26D6091
SHA-512:	6AC0981F24FE76C2A1A0627C4FB2A680D6E2C8DC37CC271B3D18587BFF7BAE7AFD0AC036C3B6CEA3CA73D64AC3EBD5F7B088266E7EAB3904F747C733DB2D7269
Malicious:	false
Preview:	C.:.\.P.R.O.G.R.A.~.2.\.M.I.C.R.O.S.~.1.\.E.d.g.e.\.A.P.P.L.I.C.~.1.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.6612262562697895
Encrypted:	false
SSDEEP:	3:NYLFRQZ:ap2Z
MD5:	B64BD80D877645C2DD14265B1A856F8A
SHA1:	F7379E1A6F8CE062E891C56736C789C7EA77CD6A
SHA-256:	83476CEEEB7682F41030664B4E17305986878D14E82D0C277FB99EC546B44569
SHA-512:	734A7316A269C76DD052D980CC0D5209C0BFEDFFC55B11C58FA25C433CE8A42536827298C3E58CACD68CC01593C23D39350E956E8DE2268D8D29918E1F0667F2
Malicious:	false
Preview:	117.0.2045.55

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.089785665972953
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kW3di1zNtPMskzZ7okEt9r1JDSgzMMd6qD47u3+CioC:+/Ps+wsI7ynFTkzItSmd6qE7lFoC
MD5:	ACA5B2C1DF088291395794BE12B49458
SHA1:	38FE1A5C2A8431D7C23E69E0C7585C7D3472D1FF
SHA-256:	C2DC77F5647FED72E622479871F77092D133E297C7AE84C11B3D3CDC6D9FCF5F
SHA-512:	5B6C9E2D87A327C2CEFDAEDE011AC3886B2F94A6F72CF305C1C3F60E8CDBAE63056FA541468AB494CC230F942C03BB6E8334B7BC4CD7C13AF4592444426FA913
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF35d73.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.089785665972953
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kW3di1zNtPMskzZ7okEt9r1JDSgzMMd6qD47u3+CioC:+/Ps+wsI7ynFTkzItSmd6qE7lFoC
MD5:	ACA5B2C1DF088291395794BE12B49458
SHA1:	38FE1A5C2A8431D7C23E69E0C7585C7D3472D1FF
SHA-256:	C2DC77F5647FED72E622479871F77092D133E297C7AE84C11B3D3CDC6D9FCF5F
SHA-512:	5B6C9E2D87A327C2CEFDAEDE011AC3886B2F94A6F72CF305C1C3F60E8CDBAE63056FA541468AB494CC230F942C03BB6E8334B7BC4CD7C13AF4592444426FA913
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF35d82.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.089785665972953
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kW3di1zNtPMskzZ7okEt9r1JDSgzMMd6qD47u3+CioC:+/Ps+wsI7ynFTkzItSmd6qE7lFoC
MD5:	ACA5B2C1DF088291395794BE12B49458
SHA1:	38FE1A5C2A8431D7C23E69E0C7585C7D3472D1FF
SHA-256:	C2DC77F5647FED72E622479871F77092D133E297C7AE84C11B3D3CDC6D9FCF5F
SHA-512:	5B6C9E2D87A327C2CEFDAEDE011AC3886B2F94A6F72CF305C1C3F60E8CDBAE63056FA541468AB494CC230F942C03BB6E8334B7BC4CD7C13AF4592444426FA913
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF363eb.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.089785665972953
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kW3di1zNtPMskzZ7okEt9r1JDSgzMMd6qD47u3+CioC:+/Ps+wsI7ynFTkzItSmd6qE7lFoC
MD5:	ACA5B2C1DF088291395794BE12B49458
SHA1:	38FE1A5C2A8431D7C23E69E0C7585C7D3472D1FF
SHA-256:	C2DC77F5647FED72E622479871F77092D133E297C7AE84C11B3D3CDC6D9FCF5F
SHA-512:	5B6C9E2D87A327C2CEFDAEDE011AC3886B2F94A6F72CF305C1C3F60E8CDBAE63056FA541468AB494CC230F942C03BB6E8334B7BC4CD7C13AF4592444426FA913
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF38afb.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.089785665972953
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kW3di1zNtPMskzZ7okEt9r1JDSgzMMd6qD47u3+CioC:+/Ps+wsI7ynFTkzItSmd6qE7lFoC
MD5:	ACA5B2C1DF088291395794BE12B49458
SHA1:	38FE1A5C2A8431D7C23E69E0C7585C7D3472D1FF
SHA-256:	C2DC77F5647FED72E622479871F77092D133E297C7AE84C11B3D3CDC6D9FCF5F
SHA-512:	5B6C9E2D87A327C2CEFDAEDE011AC3886B2F94A6F72CF305C1C3F60E8CDBAE63056FA541468AB494CC230F942C03BB6E8334B7BC4CD7C13AF4592444426FA913
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF44d80.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.089785665972953
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kW3di1zNtPMskzZ7okEt9r1JDSgzMMd6qD47u3+CioC:+/Ps+wsI7ynFTkzItSmd6qE7lFoC
MD5:	ACA5B2C1DF088291395794BE12B49458
SHA1:	38FE1A5C2A8431D7C23E69E0C7585C7D3472D1FF
SHA-256:	C2DC77F5647FED72E622479871F77092D133E297C7AE84C11B3D3CDC6D9FCF5F
SHA-512:	5B6C9E2D87A327C2CEFDAEDE011AC3886B2F94A6F72CF305C1C3F60E8CDBAE63056FA541468AB494CC230F942C03BB6E8334B7BC4CD7C13AF4592444426FA913
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF47490.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.089785665972953
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kW3di1zNtPMskzZ7okEt9r1JDSgzMMd6qD47u3+CioC:+/Ps+wsI7ynFTkzItSmd6qE7lFoC
MD5:	ACA5B2C1DF088291395794BE12B49458
SHA1:	38FE1A5C2A8431D7C23E69E0C7585C7D3472D1FF
SHA-256:	C2DC77F5647FED72E622479871F77092D133E297C7AE84C11B3D3CDC6D9FCF5F
SHA-512:	5B6C9E2D87A327C2CEFDAEDE011AC3886B2F94A6F72CF305C1C3F60E8CDBAE63056FA541468AB494CC230F942C03BB6E8334B7BC4CD7C13AF4592444426FA913
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF4ddc9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.089785665972953
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kW3di1zNtPMskzZ7okEt9r1JDSgzMMd6qD47u3+CioC:+/Ps+wsI7ynFTkzItSmd6qE7lFoC
MD5:	ACA5B2C1DF088291395794BE12B49458
SHA1:	38FE1A5C2A8431D7C23E69E0C7585C7D3472D1FF
SHA-256:	C2DC77F5647FED72E622479871F77092D133E297C7AE84C11B3D3CDC6D9FCF5F
SHA-512:	5B6C9E2D87A327C2CEFDAEDE011AC3886B2F94A6F72CF305C1C3F60E8CDBAE63056FA541468AB494CC230F942C03BB6E8334B7BC4CD7C13AF4592444426FA913
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ2rjozQp:YQ3Kq9X0dMgAEwjj
MD5:	F732DBED9289177D15E236D0F8F2DDD3
SHA1:	53F822AF51B014BC3D4B575865D9C3EF0E4DEBDE
SHA-256:	2741DF9EE9E9D9883397078F94480E9BC1D9C76996EEC5CFE4E77929337CBE93
SHA-512:	B64E5021F32E26C752FCBA15A139815894309B25644E74CECA46A9AA97070BCA3B77DED569A9BFD694193D035BA75B61A8D6262C8E6D5C4D76B452B38F5150A4
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":1}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\f3483cd5-4f73-4d81-bb56-8fa87716c36e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44951
Entropy (8bit):	6.095679265726712
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4xWEEi1zNtFTzA9i3Vv/19KJDSgzMMd6qD47u3+Ciov:+/Ps+wsI7yOJTUSlKtSmd6qE7lFov
MD5:	CDB12F43BCA8BADDCD37AC6CDC3AA32F
SHA1:	FE7D2F18130FCB50A273E2195F33D48074E0ADFE
SHA-256:	82C39B7A83DC4371D8608B77D9090E306926C27EE226EC94D5F1829A46CB6262
SHA-512:	10774AB950119E21B5EA9DF44FF05B2BC797CD3A17DAEF5D471C1E76FBD600677FABAC186A0B97A0B30B7B0435A9A52E9A80163C817D43269AE360EF6F3691D7
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1F15EB43-A64D-11EF-8C2D-ECF4BB2D2496}.dat

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	2.0472608312489653
Encrypted:	false
SSDEEP:	24:rF6Go/QflEGW/rlPwl84wl69lW8UNT+H9lW8UNT:rF6Go4uGWFT4C8UgW8U
MD5:	5F642742B951DEFDEA74CB30A2D7B8AF
SHA1:	9C8F5587275A6936642B11CC2DA72E13F67D539E
SHA-256:	632B820C948849C210734995E63B49C281A9A381E0229A8C124864BB0060E4F1
SHA-512:	E45D8C683E3F8FBC3D56BB7CF8A2F32C41EBAE491A36DFCAEABB1284EC4695E53EFC1E06C31DB8D540C6F6F79F138562AEF474BBF3CEC6B3495E8AD2FA8475AC
Malicious:	false
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y......................................................................................... ...Y:................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8...............................................................F.r.a.m.e.L.i.s.t.......................................................................................................0.......O._.T.S.R.O.s.V.H.0.2.m.7.x.G.M.L.e.z.0.u.y.0.k.l.g.=.=.........:.......................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1F15EB45-A64D-11EF-8C2D-ECF4BB2D2496}.dat

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	1.7018932521506893
Encrypted:	false
SSDEEP:	12:rlxAFbkyQrEgm8Goz7KFfxrEgm8GE7qw9l4+rg0tnRYCDAvPukm6o:rZxG8VMxG8F9l28nOBXr2
MD5:	CCEAED8BD8A773C9619C2C7B0EF87A0A
SHA1:	108726457215C3283FBF203C019CC9F52ABFB2F6
SHA-256:	B3781BC41CB4AB1347C00DB3D6FF3AC4841032D221BFAA73A72C2B678125E2AC
SHA-512:	08C57CB5734751A1F0DB05160283DD3C10E5FCF9A395CEE8F48D21FD0CAD4F5437503753637452AD49A987706EAC21B578956A5EA9BE1A553982F4344EF56EB1
Malicious:	false
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................p..Y:......@.........K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.8625979563606183
Encrypted:	false
SSDEEP:	48:uiTrlKxrgxdxl9Il8u+6sbOfmHUTTg0Lmd1rc:mYYtqO/TTNd
MD5:	35B118F73097DD88A3AE2D10CDC4AA73
SHA1:	24FE164B779ABE570D46459483D0545A77824B76
SHA-256:	99EFE15484FF96EA510596267D17E1534B0FF97D4645BA06CAE38565FE446E2C
SHA-512:	EB12404686331CED1D98E27C81CA082245ED64DD7A54A01084DF59A22B5D746616BB47792D61F4706E3B66FFBD2307BF2974470AB8A8310FB2452FC8F1DBF57D
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.H.f.F.S.2.I.6.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.f.U.r.0.y.D.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	4.007395440942401
Encrypted:	false
SSDEEP:	96:pYM0k3wMIG+7hPqm8AEIj20lBwUvC3b69ZMxWVUyK3ekiVeuWW25X1z:pgk3wMIGqPqm3jVlBwUvCO9ZAW3KukIW
MD5:	7F1B8D05E9E718A27CB6C40AF3DAAEE7
SHA1:	7C513342154EC3B6CE190B36475441305A4426BB
SHA-256:	B4FE63746B4AD017365AC636B8DEEE0FE78F0B9D6EF795CB600B7ED95838A34E
SHA-512:	F7F2D6BC5DF92A94AFF18DCDD1EFEF2F3E9AEB4EC1511DE0A4F7D8237F5C5D65E2F2F49FC3E6ABC5E51BA6D69AF4D1649A4F70CEE4C89AEC1BD9A65653D866A9
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".9.i.T.e.M.V.o.6.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.f.U.r.0.y.D.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2684
Entropy (8bit):	3.8968039183971093
Encrypted:	false
SSDEEP:	48:uiTrlKx68Wa7xAxl9Il8uBUyzb3tAwzgYEthYuPpyEGIZd/vc:aCYn1zLi9t/PoEjY
MD5:	F52DC0C982AF461449FAAA0E575B8093
SHA1:	DC3D99977A9621994359C5AA4F6A47F7639F33AF
SHA-256:	B9AEF7305C9C79EF33E2545EE2796D81C5C56437CF40E3BFB0F4A35D2EE258A3
SHA-512:	65723A9EEF6AB50102321396C292FF6E07EB8FA6A7956B7820D77E6FBAF8F9FB03FF018D56A1AA9EA38B0728D8C2E028FA2210EA10168A0D7D0DA3F5B09CEA9F
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".6.N.3.U.y.9.n.A.U.E.q.s.5.u.9.6.E./.o.g.0.E./.V.J.A.g.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:."./.M.f.Z.X.y.t.Z.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.f.U.r.0.y.D.

C:\Users\user\AppData\Local\Temp\34059551-c39e-4668-9dc3-5cee2d15acd3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 276634
Category:	dropped
Size (bytes):	242356
Entropy (8bit):	7.991210403664034
Encrypted:	true
SSDEEP:	6144:nvRDe2ei//LiBCNBs4vIVeMRhzb6d0X7ayNC:nde2edcbveZRFW0X2yk
MD5:	B73A9C52EF76DD9F575BDCF919B05902
SHA1:	A7ED2E7B5F85D6E502B538FDEBD91343D811E55A
SHA-256:	EF05EE3FA07D46FDDD88DA7760509F7BA658D3A9A5696004404F5A128349B323
SHA-512:	01EB2E462F3EDE544A66C0EEABA9172B668B6EA20D2FEF5A3DD2217E60ED42F70523F194B8901A48CDA3E55E1F65A14BAB2FBE3B34D2CB410B1939B9BB7B4CBC
Malicious:	false
Preview:	...........}.w..._..W.2...W.N&....I..k..'@..Y...c...~K..3vB....#.K.........R.Q.%.4......+.r.M?.\....l....q......Xo\..6.u..q.i.[V_...u..M0...LK......)KcyM.<#....q.$..n<..f5.'..V3oY.v.....k....f.kul...F..4.^..^.(r}.k..[...?.....Y..K.9.VZ..r.c.m..wL.n....L+7.fnY..j.r..v..;P..Xz....~..;....yO3.P.`.]H2u...]...zV....[..m...v;...6.....8.._.l...;NK..W.4...G.....4...>..F.xl.Z..B?.zAcZO.....VI.(}f..j.k..)._...z.72-h.Fj....o.WB..~.gO..5-da+PW....H..n......q......W..5.C.+m..u.~.<.....E.uf?.?...3.......$@+......Z..6..4...&..Mz..W..~...V-}@'.w....t..nx..,.....0b.:QR'..W\|#2b.....3}....wP.5.n..j.&...8q-H#O4.{/..G.....%.@(.&...M.5X,3(.d.L3~[.Yp.^.m../4...OB..u .=.7...:.N.k.m......... T..6!8......._. ..?..<...v...X.F.....<,....01.+...H.'....<...E......O..%P..-HH[M.......1[.7@H....eBJw.\|....x.....i.....i.&.B.A.L.l..T...6..z....4).Y.F.%.>.o.a6{vw.=..F....e..e\|.i.4.n.O-.1.FK.Z+..x@..$...?..C.....t....>...O...n.mN{.R .@.uNG...p.TT......9#=.z.j.....Oa..S.a;.

C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.46107324709439
Encrypted:	false
SSDEEP:	24576:1+NjTaxN/1+N7zOQr3mYCFY7Mk2xT+2n/S225E2Y22222Gxqz8uRHYbJ2d2hgZgg:1Fx2N7qM3mvn
MD5:	05D4C9A45A77E6862739FC5F29AAB804
SHA1:	957CE7ECBE85F7F97BFE5666A54DA16B65FDB195
SHA-256:	85EAED0BADD9C8CE2DDE8EF3427C942F01B9FBD014E86E911BDCDFE62EA09370
SHA-512:	AEE6213E95BBE62536E615153602BB4025235CD82E3C386392D2A094682AA15C32705A9EA1B142C20C665F6A7BB2FAB47499E0DDDD24A60F6275B7E6C6D8E77F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R9..<j..<j..<j.0j..<j..2j..<j./j..<j./j..<j..=j.<j..6j].<j..7j.<jy.7j.<jy.6j..<j..<j..<jV.:j..<jRich..<j................PE..L....}.Y..................... ....................@..........................P...........................................................\...........................................................................................................text...Jr.......................... ....rdata..Tp..........................@....data...h........@..................@....rsrc....`.......`...P............9.@....rmnet.............................. ....I.}.u...P.......P.................. ...................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	97792
Entropy (8bit):	7.345675805687577
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrC5MXL5uXZnzEPf+hzRsibKplyXTq8OGRnsPFG+RODTbN:zr8WDrCawnYPmROzoTq0+RO7N
MD5:	91F8C5655E265566963C8110F8A9DE7B
SHA1:	B96F17997E415AEB3CDF82A68927AEAE232FEBAC
SHA-256:	CB9E615DCAF44187AD82F13EE4B711C38696C33E0FC25AA44309937BD571811F
SHA-512:	7E9B9612E3B4868AFB70C9DD6A94715FD0511043949A89CACEAD24E2369744525D0A411D92C6CC81F24F7E222E1BE37A0BA790DCB9ED7E8AB289E0D4F504F7D1
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031113762428177
Encrypted:	false
SSDEEP:	384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
MD5:	56B2C3810DBA2E939A8BB9FA36D3CF96
SHA1:	99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
SHA-256:	4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
SHA-512:	27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\chrome.exe

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	182272
Entropy (8bit):	6.778841629892176
Encrypted:	false
SSDEEP:	3072:zr8WDrCe7WLuzeHpl18fCtnRPF9EVnb43jaI5gr/uHqZLWfp2KkvL5kdnQB:PueqmCtnRPF9cCGr/uH0gkSdQB
MD5:	D307A8D049BC1C09C5C3B972F3609FD3
SHA1:	D84D853F3BD3E3DADFE2CB5E4A294B83780A3F3D
SHA-256:	C8FB712D11C1F2AE2BC71F58C2D859B0F2F45AA9ED88F6C9F42E89217D03DF48
SHA-512:	7D3DE68A9DC7AD364B0E8A37F8A56E556FF774537FDF93AF869BEA4CD14DDD3C0205BD74FBDD66FCDAB5F1FA6E9D5F10F3C8C66D99BF5235109DE51975A2BF7F
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\cv_debug.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	1765
Entropy (8bit):	5.437254304485909
Encrypted:	false
SSDEEP:	48:Y4MfJVe5wMd5wMe07cIF5Io0MY5kU2A0OpJ5xnL0MotJ5VovUx05Oz3O5qOe0J5V:JIVuwEw5MUFZLBQLtTLeTFLTNoT1M
MD5:	58CF72ECC28B0331488A85D06CBC37AA
SHA1:	53296B02F40D8F382C30C9EEDD08DFB0F0853540
SHA-256:	469EE2AAA603D0FA4D86F431EE5329D9926163E12E6DD7F0CB63E23A21E37F0B
SHA-512:	0AC8072A4A65F2A190FCA6B975EFD1D45BFF1B276C5176390ED1ABA94283BBD1DA5CB2017369BAB0FC00B18A0205AF9DC4AFA33ACB54310F6A98AE525B9CD948
Malicious:	false
Preview:	{"logTime": "1005/061810", "correlationVector":"0kV+/vRB8ay0a3Cue7mk6o","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/061810", "correlationVector":"AFo3IfjRT+3l4ojiXpMdNH","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/061810", "correlationVector":"838E3BF9A44F456CB4AD62AC737EDD15","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/063233", "correlationVector":"2N8fwTcZh6EtTfQ8o4+6aX","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/063233", "correlationVector":"5ADEBA42608E4CC9A1FACA719F284CF9","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/063346", "correlationVector":"xp/hBMCdVPtUIxZHIviv/x","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/063347", "correlationVector":"BF0B9E58C0CC45ED9AB5D0371131E69A","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/064305", "correlationVector":"ONVjsWDap1LyjIRdxsqPGs","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/064305", "correlationVector":"82E52491

C:\Users\user\AppData\Local\Temp\tmp5023.tmp

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	data
Category:	modified
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:CYZn:CO
MD5:	5E67912D1965EF074671E9A6A6CBA3EC
SHA1:	949A06A1F76F986708011E2FA70FD3F39B1EF261
SHA-256:	1A6CBDD3CE4D60DCACB41A69BB47DB0330C5C6524FFC25EBCB77290C28A69DCF
SHA-512:	6E7F1F41DFCC21B8F1AE83B952662EE726DA2BE682230F098AF8E9F279772A5C55983FB41390F792AC9A1E2F0E37175D411DA02FA014BBC56434D76D7981113D
Malicious:	false
Preview:	...B..&A

C:\Users\user\AppData\Local\Temp\~DF1B6BE69A7A4B04D1.TMP

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08170058570036304
Encrypted:	false
SSDEEP:	3:YPVXRlKVEeUftglclllv/nt+lybltll1lRsltFll2/lsllve2Bkw6VXrtl:YNBlOSgUFAl3+tsHe0kNb
MD5:	76253A1D22AA2EC3EE11B949E4D6A63C
SHA1:	14BF6AD74394CF865813B29FE9D050FC1E61E3AF
SHA-256:	540143154BF69D77EAA07FC83FE63BC3333C82BCAD048AB48FD17791765E7C69
SHA-512:	7BD487AA4387A89AA2E55963154824DECE84E2A0F0A852E8ED23892E08CA5C05C083D551497529FE9CBC47373A28D2A4C601BF80CB71A2E1E684CAA8682299A1
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFE67D3F249EE807B2.TMP

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.09659834011091292
Encrypted:	false
SSDEEP:	6:a/vll4f2rgl3+tsMGVEBf5YCDAvPukm6:i9l4+rg0tnRYCDAvPukm6
MD5:	1CB981107922345046CCDA68C6FB8E7D
SHA1:	3F448CBBDA15BB028302F5672398AD1DC925F0A7
SHA-256:	8F545760715E0CE6D87DE0D413692F4D6DBBF9A14B008675F002643FA7545874
SHA-512:	64B51E14B6EA8A88155C0C2595438529F207317C7617CFCB784D9AFF64B6935C0D62BD3EB5AE1D3FFDEE12DE2CAE1173AF966D2B77F2FE0213E8E0F600EFC038
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468628294779858
Encrypted:	false
SSDEEP:	6144:zzZfpi6ceLPx9skLmb0f8ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNPjDH5S:PZHt8ZWOKnMM6bFpNj4
MD5:	A750115B7693668DD1AFC9A99692201B
SHA1:	13FA0C68CF2D5785AA60E35C901A3234CB25BFB6
SHA-256:	CF00E4223584EECB301FFE42A3F97A7337659F0BF39E6B2067FB85F197E700A5
SHA-512:	D637A77FEAC06C600FBD5BFA3FD121FF8B0B6D1201CDAC9181279FF52198E054AB401FCFE37061A3A05A36A4AE905007F58BE4A70FEB93F22D1CBB4B5015CC90
Malicious:	false
Preview:	regfH...G....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..;.Y:..............................................................................................................................................................................................................................................................................................................................................>Z-.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1769472
Entropy (8bit):	4.575983219742559
Encrypted:	false
SSDEEP:	6144:mzZfpi6ceLPx9skLmb0f8ZWSPDaJG8nAgeiJRMMhA2zX4WABluuNPjDH5S:oZHt8ZWSKnMM6bFpNj4
MD5:	D1332162582D8FCD630A84C05B574B90
SHA1:	F1D6CE949051D48B6395CF1539243B15117CEDCA
SHA-256:	4BE43C9E2A5C0094661B1DC21482A4F334AEFCBA91627C5F1819EBB79A72682E
SHA-512:	916510865D9B915A7B7D0336CAD716120F6AD6891C082F668B43306AFBDFC79D3E3ED4FE8D184E5E06EF8330E1FB3948F8A39B43BC5FDE860CC699F4B9ADAF45
Malicious:	false
Preview:	regfG...G....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..;.Y:..............................................................................................................................................................................................................................................................................................................................................7Z-.HvLE........G.............sU......M.oy......0...@......hbin.................\.Z............nk,..\.Z....................h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........]...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t.......vk..<...............

C:\Windows\directx.sys

Download File

Process:	C:\Windows\svchost.com
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	162
Entropy (8bit):	4.995584616531937
Encrypted:	false
SSDEEP:	3:otkLt+56hsaOVA6RW5zQr4N81ZkQExmXiWdCutACovk1ZkLt+56hsoBCay:otkLtv6XA6WOr4N8fkQE4CuvovkfkLt2
MD5:	D6C073C4DCFFB921BA98667D7AD62788
SHA1:	8CACD4D10CEFEA743284321A2CEAE98E2A1809C0
SHA-256:	CA7D80DC2B9DB587522A048C9C331629FD4564A9E45CC6C818DBD5CB1291F06A
SHA-512:	1561FB253D002261A91E32F247175D5D89B0058B0EE50FD133E8E8BA6E9F0B15858A8F3D184F88C8770898C5A8BFAC307105A5E6F3522F59DC01ABBDC7B67C5D
Malicious:	true
Preview:	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.55\BHO\ie_to_edge_stub.exe..C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe..C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe..

C:\Windows\svchost.com

Download File

Process:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	6.262786282729797
Encrypted:	false
SSDEEP:	768:nyxqjQl/EMQt4Oei7RwsHxKANM0nDhlzOQdJE/rOFY:yxqjQ+P04wsZLnDrC31
MD5:	811C79A695A4715D805A61F5EF41264D
SHA1:	4B4FC6BFFD02C6ED72E136C10886D1A96BDFFBD1
SHA-256:	3995ABD6BA376CA9E8AC227C62E3689D03B9D062D39E604E1CE5B330A3A15BAC
SHA-512:	7CDCFF48B5DCB64D10E49BFE679429898787BAB4E49069AA15D9EB19B608FD219D5CC306E92D1667B2E14D5027BB0E1BFEEC6C2531654184F6145E5D81B3DF97
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.46828455103523
TrID:	Win32 Executable (generic) a (10002005/4) 97.12% Win32 Executable Borland Delphi 6 (262906/60) 2.55% Win32 Executable Delphi generic (14689/80) 0.14% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	#U8865#U4e01#U6253#U5305.exe
File size:	889'344 bytes
MD5:	3f64df9616321b718366e70eab655e0c
SHA1:	9cb754e4471a26957f5aad0e37a3c705358fbde2
SHA256:	c1ebd4c1595fa80d6521320a9500d22b55693bd7ce20af58492a1018b8ccf18e
SHA512:	cf092a45b0182df00781bed1912215c5555ac8c877abf24a5277126cb6838c0b8c9325af45993ff9471c73c589f141f9a7e447fa07badb925e26510837d2c678
SSDEEP:	24576:MNjTaxN/1+N7zOQr3mYCFY7Mk2xT+2n/S225E2Y22222Gxqz8uRHYbJ2d2hgZgFU:Hx2N7qM3mvnZe
TLSH:	AC15BF42F5D280F5C675193014BA67379A7ABA465B18CFCB93A4DD3D2C32180AA3737E
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	037183ab0a09090d

Static PE Info

General

Entrypoint:	0x408178
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9f4693fc0c511135129493f2161d1e86

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFE0h
xor eax, eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-1Ch], eax
mov dword ptr [ebp-14h], eax
mov eax, 004080E8h
call 00007F6DB8821373h
xor eax, eax
push ebp
push 004082B4h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov eax, 004091A8h
mov ecx, 0000000Bh
mov edx, 0000000Bh
call 00007F6DB882450Dh
mov eax, 004091B4h
mov ecx, 00000009h
mov edx, 00000009h
call 00007F6DB88244F9h
mov eax, 004091C0h
mov ecx, 00000003h
mov edx, 00000003h
call 00007F6DB88244E5h
mov eax, 004091DCh
mov ecx, 00000003h
mov edx, 00000003h
call 00007F6DB88244D1h
mov eax, dword ptr [00409210h]
mov ecx, 0000000Bh
mov edx, 0000000Bh
call 00007F6DB88244BDh
call 00007F6DB8824514h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F6DB8821DAEh
mov eax, dword ptr [ebp-14h]
call 00007F6DB8822342h
cmp eax, 0000A200h
jle 00007F6DB88255F7h
call 00007F6DB8824A92h
call 00007F6DB88252E9h
mov eax, 004091C4h
mov ecx, 00000003h
mov edx, 00000003h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15000	0x864	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19000	0x1400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18000	0x5cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x17000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x72c0	0x7400	57df3a5615ac3f00c33b7f1f6f46d36a	False	0.6197804418103449	data	6.521149320889011	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x9000	0x218	0x400	7ffc3168a7f3103634abdf3a768ed128	False	0.3623046875	data	3.1516983405583385	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xa000	0xa899	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x15000	0x864	0xa00	6e7a45521bfca94f1e506361f70e7261	False	0.37421875	data	4.173859768945439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x16000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x17000	0x18	0x200	7e6c0f4f4435abc870eb550d5072bad6	False	0.05078125	data	0.2069200177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x18000	0x5cc	0x600	2f4536f51417a33d5e7cc1d66b1ca51e	False	0.8333333333333334	data	6.433117350337874	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x19000	0x1400	0x1400	3752ee895deade67279786564a299097	False	0.4125	data	4.307670739015947	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x19150	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4264	Russian	Russia	0.40736397748592873
RT_RCDATA	0x1a1f8	0x10	data			1.5
RT_RCDATA	0x1a208	0xac	data			1.063953488372093
RT_GROUP_ICON	0x1a2b4	0x14	data	Russian	Russia	1.1

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, MessageBoxA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	WriteFile, WinExec, SetFilePointer, SetFileAttributesA, SetEndOfFile, SetCurrentDirectoryA, ReleaseMutex, ReadFile, GetWindowsDirectoryA, GetTempPathA, GetShortPathNameA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesA, GetDriveTypeA, GetCommandLineA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, DeleteFileA, CreateMutexA, CreateFileA, CreateDirectoryA, CloseHandle
gdi32.dll	StretchDIBits, SetDIBits, SelectObject, GetObjectA, GetDIBits, DeleteObject, DeleteDC, CreateSolidBrush, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
user32.dll	ReleaseDC, GetSysColor, GetIconInfo, GetDC, FillRect, DestroyIcon, CopyImage, CharLowerBuffA
shell32.dll	ShellExecuteA, ExtractIconA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-19T09:06:04.066477+0100	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	1	192.168.2.6	51213	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 09:06:04.376950026 CET	49703	799	192.168.2.6	44.221.84.105
Nov 19, 2024 09:06:05.386835098 CET	49703	799	192.168.2.6	44.221.84.105
Nov 19, 2024 09:06:07.558757067 CET	49703	799	192.168.2.6	44.221.84.105
Nov 19, 2024 09:06:11.574381113 CET	49703	799	192.168.2.6	44.221.84.105
Nov 19, 2024 09:06:19.673377037 CET	49703	799	192.168.2.6	44.221.84.105
Nov 19, 2024 09:06:19.861901045 CET	49719	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:19.861953974 CET	443	49719	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:19.862140894 CET	49719	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:19.973337889 CET	49720	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:19.973396063 CET	443	49720	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:19.973468065 CET	49720	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:20.055443048 CET	49720	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:20.055478096 CET	443	49720	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:20.055638075 CET	49719	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:20.055669069 CET	443	49719	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:20.056204081 CET	49721	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:20.056262016 CET	443	49721	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:20.056338072 CET	49721	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:20.056510925 CET	49721	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:20.056525946 CET	443	49721	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:20.156774044 CET	49722	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:20.156821966 CET	443	49722	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:20.156892061 CET	49722	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:20.157680988 CET	49722	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:20.157694101 CET	443	49722	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:20.696958065 CET	49724	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:20.697046041 CET	443	49724	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:20.697134972 CET	49724	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:20.697590113 CET	49725	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:20.697634935 CET	443	49725	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:20.697691917 CET	49725	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:20.697890997 CET	49726	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:20.697933912 CET	443	49726	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:20.698021889 CET	49726	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:20.698208094 CET	49724	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:20.698241949 CET	443	49724	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:20.698482037 CET	49725	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:20.698501110 CET	443	49725	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:20.698687077 CET	49726	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:20.698704004 CET	443	49726	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:21.917819023 CET	49729	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:21.917860985 CET	443	49729	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:21.917992115 CET	49729	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:21.918231010 CET	49729	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:21.918247938 CET	443	49729	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:21.965153933 CET	49730	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:21.965207100 CET	443	49730	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:21.965303898 CET	49730	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:21.965481043 CET	49730	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:21.965496063 CET	443	49730	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:22.046580076 CET	49731	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.046628952 CET	443	49731	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.046705961 CET	49731	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.046945095 CET	49731	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.046958923 CET	443	49731	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.308650017 CET	49719	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.308794975 CET	49720	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.309158087 CET	49725	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.309236050 CET	49731	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.351337910 CET	443	49719	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.351340055 CET	443	49731	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.351380110 CET	443	49725	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.351380110 CET	443	49720	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.364967108 CET	49732	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.365021944 CET	443	49732	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.365170956 CET	49732	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.365633011 CET	49733	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.365690947 CET	443	49733	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.365758896 CET	49733	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.366019964 CET	49734	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.366033077 CET	443	49734	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.366101980 CET	49734	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.369590998 CET	49721	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:22.369729042 CET	49726	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:22.369805098 CET	49730	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:22.371095896 CET	49738	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:22.371115923 CET	443	49738	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:22.371222973 CET	49738	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:22.371303082 CET	49739	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:22.371387005 CET	443	49739	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:22.371467113 CET	49739	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:22.371669054 CET	49740	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:22.371680021 CET	443	49740	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:22.371824980 CET	49740	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:22.372442961 CET	49722	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.372595072 CET	49724	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.372917891 CET	49729	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.373152971 CET	49743	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.373195887 CET	443	49743	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.373450994 CET	49743	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.373723030 CET	49744	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.373734951 CET	443	49744	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.373851061 CET	49744	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.374010086 CET	49745	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.374021053 CET	443	49745	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.374141932 CET	49745	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.375346899 CET	49744	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.375360012 CET	443	49744	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.379034996 CET	49743	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.379051924 CET	443	49743	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.379369020 CET	49740	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:22.379379988 CET	443	49740	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:22.384777069 CET	49739	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:22.384815931 CET	443	49739	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:22.385035038 CET	49738	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:22.385051966 CET	443	49738	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:22.411346912 CET	443	49730	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:22.411350965 CET	443	49721	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:22.415333033 CET	443	49726	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:22.415334940 CET	443	49729	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.415339947 CET	443	49724	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.415344954 CET	443	49722	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.416352034 CET	49734	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.416368961 CET	443	49734	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.420156002 CET	49733	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.420181036 CET	443	49733	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.420329094 CET	49732	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.420353889 CET	443	49732	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:22.424206972 CET	49745	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:22.424236059 CET	443	49745	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:24.043175936 CET	49746	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:24.043231964 CET	443	49746	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:24.043311119 CET	49746	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:24.043554068 CET	49746	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:24.043566942 CET	443	49746	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:24.058301926 CET	49747	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:24.058357954 CET	443	49747	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:24.058451891 CET	49747	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:24.058671951 CET	49747	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:24.058686972 CET	443	49747	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:24.135485888 CET	49748	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:24.135540962 CET	443	49748	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:24.135627031 CET	49748	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:24.135979891 CET	49748	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:24.136009932 CET	443	49748	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:26.995863914 CET	49749	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:26.995968103 CET	443	49749	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:26.996243000 CET	49749	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:26.996510029 CET	49749	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:26.996545076 CET	443	49749	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:27.041672945 CET	49750	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:27.041740894 CET	443	49750	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:27.041867018 CET	49750	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:27.042342901 CET	49750	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:27.042367935 CET	443	49750	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:27.385960102 CET	49751	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:27.386012077 CET	443	49751	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:27.386097908 CET	49751	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:27.386333942 CET	49751	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:27.386348009 CET	443	49751	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:31.118874073 CET	49752	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:31.118905067 CET	443	49752	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:31.118998051 CET	49752	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:31.119251966 CET	49752	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:31.119265079 CET	443	49752	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:31.372761011 CET	49753	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:31.372805119 CET	443	49753	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:31.372895956 CET	49753	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:31.373706102 CET	49753	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:31.373723984 CET	443	49753	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:32.356946945 CET	49759	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:32.356977940 CET	443	49759	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:32.357098103 CET	49759	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:32.357573986 CET	49759	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:32.357590914 CET	443	49759	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:52.410557032 CET	49744	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.411145926 CET	49767	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.411232948 CET	443	49767	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:52.411418915 CET	49767	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.411485910 CET	49743	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.411751986 CET	49768	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.411788940 CET	443	49768	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:52.411915064 CET	49768	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.412208080 CET	49740	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:52.412427902 CET	49769	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:52.412478924 CET	443	49769	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:52.412513971 CET	49739	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:52.412533998 CET	49769	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:52.412892103 CET	49770	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:52.412924051 CET	443	49770	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:52.412998915 CET	49770	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:52.413095951 CET	49738	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:52.413444042 CET	49767	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.413476944 CET	443	49767	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:52.413872957 CET	49768	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.413885117 CET	443	49768	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:52.414820910 CET	49769	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:52.414843082 CET	443	49769	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:52.415082932 CET	49770	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:52.415112019 CET	443	49770	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:52.417711973 CET	49734	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.418261051 CET	49771	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.418292999 CET	443	49771	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:52.418318987 CET	49733	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.418354034 CET	49771	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.418695927 CET	49772	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.418710947 CET	443	49772	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:52.418849945 CET	49772	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.420111895 CET	49771	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.420128107 CET	443	49771	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:52.420635939 CET	49772	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.420650005 CET	443	49772	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:52.421133995 CET	49732	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.426243067 CET	49745	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:52.451369047 CET	443	49744	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:52.455377102 CET	443	49739	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:52.459331036 CET	443	49738	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:52.459341049 CET	443	49743	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:52.459352970 CET	443	49733	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:52.459353924 CET	443	49740	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:52.459366083 CET	443	49734	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:52.467323065 CET	443	49732	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:52.467341900 CET	443	49745	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:54.062114954 CET	49746	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:54.062254906 CET	49747	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:54.103348970 CET	443	49747	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:54.103362083 CET	443	49746	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:54.162528038 CET	49748	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:54.203351021 CET	443	49748	172.64.41.3	192.168.2.6
Nov 19, 2024 09:06:57.000725985 CET	49749	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:57.043375969 CET	443	49749	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:57.064157009 CET	49750	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:06:57.111345053 CET	443	49750	162.159.61.3	192.168.2.6
Nov 19, 2024 09:06:57.397526026 CET	49751	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:06:57.443336964 CET	443	49751	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:01.125078917 CET	49752	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:01.167352915 CET	443	49752	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:01.374437094 CET	49753	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:01.415376902 CET	443	49753	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:02.197838068 CET	49774	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:02.197879076 CET	443	49774	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:02.197936058 CET	49774	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:02.198457003 CET	49774	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:02.198465109 CET	443	49774	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:02.372806072 CET	49759	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:02.415352106 CET	443	49759	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:04.051639080 CET	49775	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:04.051677942 CET	443	49775	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:04.051788092 CET	49775	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:04.052026033 CET	49775	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:04.052045107 CET	443	49775	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:04.525580883 CET	49776	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:04.525619984 CET	443	49776	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:04.525691032 CET	49776	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:04.525888920 CET	49776	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:04.525902033 CET	443	49776	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:07.356832027 CET	49719	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:07.356848001 CET	443	49719	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:07.356858969 CET	49720	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:07.356859922 CET	49731	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:07.356874943 CET	443	49720	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:07.356884003 CET	443	49731	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:07.356895924 CET	49725	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:07.356909037 CET	443	49725	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:07.418664932 CET	49722	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:07.418674946 CET	443	49722	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:07.418697119 CET	49729	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:07.418704033 CET	443	49729	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:07.449949980 CET	49721	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:07.449950933 CET	49730	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:07.449954987 CET	443	49721	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:07.449959040 CET	443	49730	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:07.449985981 CET	49724	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:07.449990988 CET	443	49724	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:07.450007915 CET	49726	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:07.450026989 CET	443	49726	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:22.417061090 CET	49767	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:22.417252064 CET	49768	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:22.417375088 CET	49769	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:22.417469978 CET	49770	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:22.432467937 CET	49771	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:22.432635069 CET	49772	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:22.459362030 CET	443	49770	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:22.459362030 CET	443	49767	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:22.463325977 CET	443	49769	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:22.463335991 CET	443	49768	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:22.475333929 CET	443	49772	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:22.475344896 CET	443	49771	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:24.964425087 CET	49781	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:24.964474916 CET	443	49781	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:24.964632988 CET	49781	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:24.964756966 CET	49781	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:24.964770079 CET	443	49781	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:26.496027946 CET	49783	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:26.496120930 CET	443	49783	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:26.496360064 CET	49783	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:26.496532917 CET	49783	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:26.496553898 CET	443	49783	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:26.995564938 CET	49784	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:26.995609999 CET	443	49784	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:26.995809078 CET	49784	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:26.995919943 CET	49784	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:26.995930910 CET	443	49784	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:32.199358940 CET	49774	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:32.243343115 CET	443	49774	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:34.057380915 CET	49775	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:34.103333950 CET	443	49775	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:34.537223101 CET	49776	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:34.579335928 CET	443	49776	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:37.461530924 CET	49744	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:37.461539984 CET	49739	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:37.461561918 CET	443	49744	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:37.461571932 CET	443	49739	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:37.461575031 CET	49743	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:37.461575031 CET	49734	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:37.461575031 CET	49738	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:37.461575985 CET	49740	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:37.461585999 CET	49733	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:37.461589098 CET	443	49734	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:37.461600065 CET	443	49740	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:37.461607933 CET	443	49733	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:37.461608887 CET	443	49743	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:37.461608887 CET	443	49738	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:37.477364063 CET	49732	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:37.477375031 CET	443	49732	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:37.477408886 CET	49745	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:37.477420092 CET	443	49745	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:39.107326984 CET	49747	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:39.107340097 CET	49746	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:39.107366085 CET	443	49747	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:39.107408047 CET	443	49746	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:39.216715097 CET	49748	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:39.216759920 CET	443	49748	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:42.058397055 CET	49749	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:42.058465004 CET	443	49749	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:42.121004105 CET	49750	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:42.121026039 CET	443	49750	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:42.448976040 CET	49751	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:42.449007988 CET	443	49751	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:46.172959089 CET	49752	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:46.172986031 CET	443	49752	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:46.417045116 CET	49753	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:46.417061090 CET	443	49753	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:47.421417952 CET	49759	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:47.421451092 CET	443	49759	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:52.369786978 CET	49720	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:52.369785070 CET	49719	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:52.369802952 CET	443	49720	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:52.369812965 CET	443	49719	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:52.369852066 CET	49731	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:52.369856119 CET	49725	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:52.369870901 CET	443	49731	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:52.369884014 CET	443	49725	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:52.425215960 CET	49729	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:52.425223112 CET	443	49729	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:52.425353050 CET	49722	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:52.425369024 CET	443	49722	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:52.452733040 CET	49730	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:52.452744961 CET	443	49730	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:52.452752113 CET	49726	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:52.452758074 CET	49721	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:52.452764034 CET	443	49721	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:52.452785015 CET	443	49726	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:52.452811003 CET	49724	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:52.452816963 CET	443	49724	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:54.968460083 CET	49781	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:55.015353918 CET	443	49781	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:56.516977072 CET	49783	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:07:56.563348055 CET	443	49783	172.64.41.3	192.168.2.6
Nov 19, 2024 09:07:56.996042967 CET	49784	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:57.039344072 CET	443	49784	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:57.786695004 CET	49788	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:57.786745071 CET	443	49788	162.159.61.3	192.168.2.6
Nov 19, 2024 09:07:57.786809921 CET	49788	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:57.787066936 CET	49788	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:07:57.787086010 CET	443	49788	162.159.61.3	192.168.2.6
Nov 19, 2024 09:08:01.518105030 CET	49789	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:08:01.518186092 CET	443	49789	162.159.61.3	192.168.2.6
Nov 19, 2024 09:08:01.518265963 CET	49789	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:08:01.518529892 CET	49789	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:08:01.518551111 CET	443	49789	162.159.61.3	192.168.2.6
Nov 19, 2024 09:08:02.335887909 CET	49790	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:08:02.335915089 CET	443	49790	172.64.41.3	192.168.2.6
Nov 19, 2024 09:08:02.335978031 CET	49790	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:08:02.336179018 CET	49790	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:08:02.336191893 CET	443	49790	172.64.41.3	192.168.2.6
Nov 19, 2024 09:08:07.464019060 CET	49767	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:08:07.464027882 CET	49768	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:08:07.464046001 CET	443	49768	162.159.61.3	192.168.2.6
Nov 19, 2024 09:08:07.464056969 CET	443	49767	162.159.61.3	192.168.2.6
Nov 19, 2024 09:08:07.464121103 CET	49769	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:08:07.464137077 CET	443	49769	172.64.41.3	192.168.2.6
Nov 19, 2024 09:08:07.464147091 CET	49770	443	192.168.2.6	172.64.41.3
Nov 19, 2024 09:08:07.464169979 CET	443	49770	172.64.41.3	192.168.2.6
Nov 19, 2024 09:08:07.479670048 CET	49771	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:08:07.479675055 CET	49772	443	192.168.2.6	162.159.61.3
Nov 19, 2024 09:08:07.479684114 CET	443	49772	162.159.61.3	192.168.2.6
Nov 19, 2024 09:08:07.479688883 CET	443	49771	162.159.61.3	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 09:06:04.066477060 CET	51213	53	192.168.2.6	1.1.1.1
Nov 19, 2024 09:06:04.260368109 CET	53	51213	1.1.1.1	192.168.2.6
Nov 19, 2024 09:06:19.697053909 CET	61588	53	192.168.2.6	1.1.1.1
Nov 19, 2024 09:06:19.704520941 CET	53	61588	1.1.1.1	192.168.2.6
Nov 19, 2024 09:06:19.706964016 CET	50161	53	192.168.2.6	1.1.1.1
Nov 19, 2024 09:06:19.709995985 CET	52070	53	192.168.2.6	1.1.1.1
Nov 19, 2024 09:06:19.710376978 CET	56767	53	192.168.2.6	1.1.1.1
Nov 19, 2024 09:06:19.715856075 CET	53	50161	1.1.1.1	192.168.2.6
Nov 19, 2024 09:06:19.718168020 CET	53	52070	1.1.1.1	192.168.2.6
Nov 19, 2024 09:06:19.718240023 CET	53	56767	1.1.1.1	192.168.2.6
Nov 19, 2024 09:06:20.130911112 CET	55175	53	192.168.2.6	1.1.1.1
Nov 19, 2024 09:06:20.131071091 CET	58399	53	192.168.2.6	1.1.1.1
Nov 19, 2024 09:06:20.138240099 CET	53	55175	1.1.1.1	192.168.2.6
Nov 19, 2024 09:06:20.138262987 CET	53	58399	1.1.1.1	192.168.2.6
Nov 19, 2024 09:07:57.777898073 CET	49704	53	192.168.2.6	1.1.1.1
Nov 19, 2024 09:07:57.778050900 CET	64695	53	192.168.2.6	1.1.1.1
Nov 19, 2024 09:07:57.786089897 CET	53	49704	1.1.1.1	192.168.2.6
Nov 19, 2024 09:07:57.786109924 CET	53	64695	1.1.1.1	192.168.2.6
Nov 19, 2024 09:08:02.323848009 CET	51758	53	192.168.2.6	1.1.1.1
Nov 19, 2024 09:08:02.324006081 CET	49440	53	192.168.2.6	1.1.1.1
Nov 19, 2024 09:08:02.334989071 CET	53	51758	1.1.1.1	192.168.2.6
Nov 19, 2024 09:08:02.335148096 CET	53	49440	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 19, 2024 09:06:04.066477060 CET	192.168.2.6	1.1.1.1	0xecf	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:06:19.697053909 CET	192.168.2.6	1.1.1.1	0xd2f5	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:06:19.706964016 CET	192.168.2.6	1.1.1.1	0x576c	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 19, 2024 09:06:19.709995985 CET	192.168.2.6	1.1.1.1	0xf24a	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:06:19.710376978 CET	192.168.2.6	1.1.1.1	0x8e26	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 19, 2024 09:06:20.130911112 CET	192.168.2.6	1.1.1.1	0x3a4b	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:06:20.131071091 CET	192.168.2.6	1.1.1.1	0x8a1	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 19, 2024 09:07:57.777898073 CET	192.168.2.6	1.1.1.1	0x2a0d	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:07:57.778050900 CET	192.168.2.6	1.1.1.1	0xbbd	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 19, 2024 09:08:02.323848009 CET	192.168.2.6	1.1.1.1	0x45be	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:08:02.324006081 CET	192.168.2.6	1.1.1.1	0x876c	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 19, 2024 09:06:04.260368109 CET	1.1.1.1	192.168.2.6	0xecf	No error (0)	ddos.dnsnb8.net	44.221.84.105	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:06:19.704520941 CET	1.1.1.1	192.168.2.6	0xd2f5	No error (0)	chrome.cloudflare-dns.com	162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:06:19.704520941 CET	1.1.1.1	192.168.2.6	0xd2f5	No error (0)	chrome.cloudflare-dns.com	172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:06:19.715856075 CET	1.1.1.1	192.168.2.6	0x576c	No error (0)	chrome.cloudflare-dns.com		65	IN (0x0001)	false
Nov 19, 2024 09:06:19.718168020 CET	1.1.1.1	192.168.2.6	0xf24a	No error (0)	chrome.cloudflare-dns.com	172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:06:19.718168020 CET	1.1.1.1	192.168.2.6	0xf24a	No error (0)	chrome.cloudflare-dns.com	162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:06:19.718240023 CET	1.1.1.1	192.168.2.6	0x8e26	No error (0)	chrome.cloudflare-dns.com		65	IN (0x0001)	false
Nov 19, 2024 09:06:20.138240099 CET	1.1.1.1	192.168.2.6	0x3a4b	No error (0)	chrome.cloudflare-dns.com	162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:06:20.138240099 CET	1.1.1.1	192.168.2.6	0x3a4b	No error (0)	chrome.cloudflare-dns.com	172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:06:20.138262987 CET	1.1.1.1	192.168.2.6	0x8a1	No error (0)	chrome.cloudflare-dns.com		65	IN (0x0001)	false
Nov 19, 2024 09:07:57.786089897 CET	1.1.1.1	192.168.2.6	0x2a0d	No error (0)	chrome.cloudflare-dns.com	162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:07:57.786089897 CET	1.1.1.1	192.168.2.6	0x2a0d	No error (0)	chrome.cloudflare-dns.com	172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:07:57.786109924 CET	1.1.1.1	192.168.2.6	0xbbd	No error (0)	chrome.cloudflare-dns.com		65	IN (0x0001)	false
Nov 19, 2024 09:08:02.334989071 CET	1.1.1.1	192.168.2.6	0x45be	No error (0)	chrome.cloudflare-dns.com	172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:08:02.334989071 CET	1.1.1.1	192.168.2.6	0x45be	No error (0)	chrome.cloudflare-dns.com	162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:08:02.335148096 CET	1.1.1.1	192.168.2.6	0x876c	No error (0)	chrome.cloudflare-dns.com		65	IN (0x0001)	false

Target ID:	0
Start time:	03:06:01
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#U8865#U4e01#U6253#U5305.exe"
Imagebase:	0x400000
File size:	889'344 bytes
MD5 hash:	3F64DF9616321B718366E70EAB655E0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000000.00000002.2904723688.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:06:02
Start date:	19/11/2024
Path:	C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305.exe"
Imagebase:	0x400000
File size:	847'872 bytes
MD5 hash:	05D4C9A45A77E6862739FC5F29AAB804
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	03:06:02
Start date:	19/11/2024
Path:	C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe
Imagebase:	0xdc0000
File size:	15'872 bytes
MD5 hash:	56B2C3810DBA2E939A8BB9FA36D3CF96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:06:03
Start date:	19/11/2024
Path:	C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe
Imagebase:	0x400000
File size:	56'320 bytes
MD5 hash:	FF5E1F27193CE51EEC318714EF038BEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ramnit, Description: Yara detected Ramnit, Source: 00000005.00000002.2146063623.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:06:04
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
Imagebase:	0x400000
File size:	56'320 bytes
MD5 hash:	FF5E1F27193CE51EEC318714EF038BEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ramnit, Description: Yara detected Ramnit, Source: 00000006.00000002.2150847642.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:06:04
Start date:	19/11/2024
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Internet Explorer\iexplore.exe"
Imagebase:	0x7ff629d30000
File size:	834'512 bytes
MD5 hash:	CFE2E6942AC1B72981B3105E22D3224E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	03:06:05
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:17410 /prefetch:2
Imagebase:	0x2d0000
File size:	828'368 bytes
MD5 hash:	6F0F06D6AB125A99E43335427066A4A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:06:05
Start date:	19/11/2024
Path:	C:\Windows\svchost.com
Wow64 process (32bit):	true
Commandline:	"C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.55\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1045a
Imagebase:	0x400000
File size:	41'472 bytes
MD5 hash:	811C79A695A4715D805A61F5EF41264D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:06:05
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe
Wow64 process (32bit):	false
Commandline:	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.55\BHO\ie_to_edge_stub.exe --from-ie-to-edge=3 --ie-frame-hwnd=1045a
Imagebase:	0x7ff6759c0000
File size:	540'712 bytes
MD5 hash:	473F645F28F5CF7E02FA17D3EB361298
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:06:05
Start date:	19/11/2024
Path:	C:\Windows\svchost.com
Wow64 process (32bit):	true
Commandline:	"C:\Windows\svchost.com" "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Imagebase:	0x400000
File size:	41'472 bytes
MD5 hash:	811C79A695A4715D805A61F5EF41264D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:06:06
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Wow64 process (32bit):	true
Commandline:	C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe -new
Imagebase:	0x7d0000
File size:	85'632 bytes
MD5 hash:	F9A898A606E7F5A1CD7CFFA8079253A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:06:06
Start date:	19/11/2024
Path:	C:\Windows\svchost.com
Wow64 process (32bit):	true
Commandline:	"C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1045a
Imagebase:	0x400000
File size:	41'472 bytes
MD5 hash:	811C79A695A4715D805A61F5EF41264D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:06:07
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=1045a
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:06:08
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=2120,i,3596338841407944912,4963749005619563787,262144 /prefetch:3
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:06:09
Start date:	19/11/2024
Path:	C:\Windows\svchost.com
Wow64 process (32bit):	true
Commandline:	"C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1045a --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x400000
File size:	41'472 bytes
MD5 hash:	811C79A695A4715D805A61F5EF41264D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:06:10
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=1045a --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	03:06:12
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2436,i,4521782591517298122,15665570468173289233,262144 /prefetch:3
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	03:06:16
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5884 --field-trial-handle=2436,i,4521782591517298122,15665570468173289233,262144 /prefetch:8
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	03:06:18
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1524
Imagebase:	0x570000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.7%
Total number of Nodes:	701
Total number of Limit Nodes:	39

Executed Functions

Function 004D1006 Relevance: 59.7, APIs: 22, Strings: 12, Instructions: 195
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 004D1074
GetProcAddress.KERNEL32(76210000,FreeLibrary), ref: 004D1096
GetProcAddress.KERNEL32(76210000,CreateMutexA), ref: 004D10B8
GetProcAddress.KERNEL32(76210000,ReleaseMutex), ref: 004D10DA
GetProcAddress.KERNEL32(76210000,CloseHandle), ref: 004D10FC
GetProcAddress.KERNEL32(76210000,GetLastError), ref: 004D111E
GetProcAddress.KERNEL32(76210000,CreateFileA), ref: 004D1140
GetProcAddress.KERNEL32(76210000,WriteFile), ref: 004D1162
GetProcAddress.KERNEL32(76210000,GetModuleFileNameA), ref: 004D1184
GetProcAddress.KERNEL32(76210000,CreateProcessA), ref: 004D11A6
CreateMutexA.KERNELBASE(00000000,00000001,KyUffThOkYwRRtgPP), ref: 004D11C6
GetLastError.KERNEL32(00000000), ref: 004D11CD
ReleaseMutex.KERNEL32(?,?,00000000), ref: 004D11D7
CloseHandle.KERNEL32(?,?,00000000), ref: 004D11DD
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe,000000FF,?,00000000), ref: 004D1229
CreateFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe,40000000,00000002,00000000,00000002,00000080,00000000,?,00000000), ref: 004D1268
WriteFile.KERNELBASE(00000000,004D1573,0000DC00,004D131C,00000000,00000000,?,00000000), ref: 004D1292
CloseHandle.KERNEL32(?,00000000), ref: 004D1298
CreateProcessA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe,00000000,00000000,00000000,00000000,00000000,00000000,004D1466,004D14AA,?,00000000), ref: 004D12E0
CloseHandle.KERNEL32(00000214,004D14AA,?,00000000), ref: 004D12F1
CloseHandle.KERNEL32(?,00000000), ref: 004D12F7
FreeLibrary.KERNEL32(76210000), ref: 004D1303

Strings

WriteFile, xrefs: 004D115B
GetLastError, xrefs: 004D1117
C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe, xrefs: 004D1226, 004D1267, 004D12DD
FreeLibrary, xrefs: 004D108F
kernel32.dll, xrefs: 004D1073
CloseHandle, xrefs: 004D10F5
CreateFileA, xrefs: 004D1139
KyUffThOkYwRRtgPP, xrefs: 004D11C1
CreateProcessA, xrefs: 004D119F
ReleaseMutex, xrefs: 004D10D3
GetModuleFileNameA, xrefs: 004D117D
CreateMutexA, xrefs: 004D10B1

Memory Dump Source

Source File: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: AddressProc$CloseHandle$CreateFile$LibraryMutex$ErrorFreeLastLoadModuleNameProcessReleaseWrite
String ID: C:\Users\user\AppData\Local\Temp\3582-490\#U8865#U4e01#U6253#U5305Srv.exe$CloseHandle$CreateFileA$CreateMutexA$CreateProcessA$FreeLibrary$GetLastError$GetModuleFileNameA$KyUffThOkYwRRtgPP$ReleaseMutex$WriteFile$kernel32.dll
API String ID: 1180511664-3222855663
Opcode ID: 433a6612d00084cc81ed907b06d343000b3e8516625006df615d785e1d0a022e
Instruction ID: 3590fa5158c5ed86bd76d55e5a766b8d94cf0f3965c1c02798dd50d2ee377d49
Opcode Fuzzy Hash: 433a6612d00084cc81ed907b06d343000b3e8516625006df615d785e1d0a022e
Instruction Fuzzy Hash: 4881E871504189EFFB319E54CC58BDEBB79EF04308F520122EDA9E2252DB387A45EB15

Function 004E0044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 004E0223
WriteFile.KERNELBASE(00000000,FFFF0D8F,00003E00,?,00000000), ref: 004E0252
CloseHandle.KERNELBASE(00000000), ref: 004E0256
WinExec.KERNEL32(?,00000005), ref: 004E0262

Strings

Crea, xrefs: 004E0169
WinE, xrefs: 004E0110
GetM, xrefs: 004E00B6
Kern, xrefs: 004E00F4
dleA, xrefs: 004E00D0
catA, xrefs: 004E01AF
GetT, xrefs: 004E0188
Writ, xrefs: 004E0148
Clos, xrefs: 004E0129
OMmJKXpD.exe, xrefs: 004E01FD, 004E0200
lstr, xrefs: 004E01A7
.dll, xrefs: 004E0102
odul, xrefs: 004E022D
el32, xrefs: 004E00FB
athA, xrefs: 004E0199

Memory Dump Source

Source File: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: File$CloseCreateExecHandleWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$OMmJKXpD.exe$WinE$Writ$athA$catA$dleA$el32$lstr$odul
API String ID: 3741012433-3131299
Opcode ID: cc749d05006a5d5b39894afb29d14799fc7c4da586b49dd5fef519378ddc4fe7
Instruction ID: d3d656e4b9409d391722ff8d50716e9c24530c4d8be3435040c6f7f591c0a05c
Opcode Fuzzy Hash: cc749d05006a5d5b39894afb29d14799fc7c4da586b49dd5fef519378ddc4fe7
Instruction Fuzzy Hash: F4610874D01255DBCF24CF95C884AAEF7B0BB44316F2482ABD515AB301C7B99EC1CB99

Function 00438940 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 370
commemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00438969
OleInitialize.OLE32(00000000), ref: 004389A5
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004389C3
SetCurrentDirectoryA.KERNELBASE(02375B08,?), ref: 00438A1D
LoadCursorA.USER32(00000000,00007F00), ref: 00438A78
GetStockObject.GDI32(00000005), ref: 00438A99
GetCurrentThreadId.KERNEL32 ref: 00438AC1

Strings

_EL_HideOwner, xrefs: 00438AA3

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Current$CursorDirectoryFileHeapInitializeLoadModuleNameObjectProcessStockThread
String ID: _EL_HideOwner
API String ID: 3783217854-1487855678
Opcode ID: 14d3ffc3fe6af92c5dfe604d0bfbe467e7dffd878d05eff9126963675d5b24e9
Instruction ID: 7231bf832cd300a7c3feeefacd4ce5e303602eff2c989c14457616922ce71244
Opcode Fuzzy Hash: 14d3ffc3fe6af92c5dfe604d0bfbe467e7dffd878d05eff9126963675d5b24e9
Instruction Fuzzy Hash: 67E19170A002059BCB14DF65DC81BEEB7B4BF58704F14456EF905BB292EB386D45CB58

Function 00483B95 Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,?,?,00483B90), ref: 00483C0C
GetProcessVersion.KERNELBASE(00000000,?,?,?,00483B90), ref: 00483C49
LoadCursorA.USER32(00000000,00007F02), ref: 00483C77
LoadCursorA.USER32(00000000,00007F00), ref: 00483C82

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 5ac256b081e06c6504f59e0c90525ce6e57dab430ac43d0e1855e97deffa7666
Instruction ID: ce5fdd4bee94d7205936a5af673cef32b76ea3b28375fde19e490f6ba94471d1
Opcode Fuzzy Hash: 5ac256b081e06c6504f59e0c90525ce6e57dab430ac43d0e1855e97deffa7666
Instruction Fuzzy Hash: B8118CB1A00B508FD728AF3E898462ABBE5FB587057404D3FE18BC6B90D778E801CB54

Function 0047B260 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 170
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0048307F: TlsGetValue.KERNEL32(004C92A4,00000000,?,00479B6F,00482405,?,00403600), ref: 004830BE

CallNextHookEx.USER32(?,00000003,?,?), ref: 0047B28A
GetClassLongA.USER32(?,000000E6), ref: 0047B2D1
GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,?,00482405), ref: 0047B2FD
lstrcmpiA.KERNEL32(?,ime), ref: 0047B30C
GetWindowLongA.USER32(?,000000FC), ref: 0047B37F
SetWindowLongA.USER32(?,000000FC,00000000), ref: 0047B3A0

Strings

AfxOldWndProc423, xrefs: 0047B3E1, 0047B3E6, 0047B3F1, 0047B3F9, 0047B402
ime, xrefs: 0047B306
ho_, xrefs: 0047B34D

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: AfxOldWndProc423$ho_$ime
API String ID: 3731301195-3282847955
Opcode ID: d6ec03e7cc8de0d693d8976d2d822f2cd5bc43e3871ea36ce1aee66abcb4d8af
Instruction ID: 26c374fb9a066476b309f87b6bbc329fede4a84eebfeb404ff447611592e9a9c
Opcode Fuzzy Hash: d6ec03e7cc8de0d693d8976d2d822f2cd5bc43e3871ea36ce1aee66abcb4d8af
Instruction Fuzzy Hash: 96516C71500615BFCB219F64DC48BEF7BA9FF08351F148A2AF819A62A1D7389D44CBD8

Function 00417E50 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 375
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004800B5: __EH_prolog.LIBCMT ref: 004800BA
Part of subcall function 004800B5: BeginPaint.USER32(?,?,?,?,004072F9), ref: 004800E3

Part of subcall function 0047FC66: GetClipBox.GDI32(?,?), ref: 0047FC6D

IsRectEmpty.USER32(?), ref: 00417E9F
CreateRectRgn.GDI32 ref: 00417F01
GetClientRect.USER32(?,?), ref: 00417F9D

Part of subcall function 00480127: __EH_prolog.LIBCMT ref: 0048012C
Part of subcall function 00480127: EndPaint.USER32(?,?,?,?,00407373), ref: 00480149

Strings

"%H, xrefs: 00417EDD, 00417FED, 00418035, 004181ED, 00418231

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$H_prologPaint$BeginClientClipCreateEmpty
String ID: "%H
API String ID: 2708814891-1417433817
Opcode ID: 3efd09a26ed9b217e28a721618c399cd5e306b42a3ca118f6cf0b0e0c844087e
Instruction ID: fffdd29a3a1f158ad2d7534312c2b0dbc6bf237e023aa62483c260497c1511cc
Opcode Fuzzy Hash: 3efd09a26ed9b217e28a721618c399cd5e306b42a3ca118f6cf0b0e0c844087e
Instruction Fuzzy Hash: 13E16D715083419FC314DF65C884AAFB7E8BBC9704F148E1EF59993281DB78E909CBA6

Function 00419360 Relevance: 19.7, APIs: 13, Instructions: 187
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetParent.USER32(?), ref: 004193AA

Part of subcall function 0047D97F: IsWindowEnabled.USER32(?), ref: 0047D989

IsWindow.USER32(?), ref: 0041944B
GetParent.USER32(?), ref: 00419466
IsWindowVisible.USER32(?), ref: 0041947A
SetActiveWindow.USER32(?), ref: 0041949B
IsWindow.USER32(?), ref: 004194B8
KiUserCallbackDispatcher.NTDLL(?), ref: 004194C6
IsWindow.USER32(?), ref: 004194CD
IsWindow.USER32(?), ref: 00419528
IsWindow.USER32(?), ref: 00419582
GetFocus.USER32 ref: 00419596
IsWindow.USER32(00000000), ref: 004195A3
IsChild.USER32(?,00000000), ref: 004195B2

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$Parent$ActiveCallbackChildDispatcherEnabledFocusUserVisible
String ID:
API String ID: 416498738-0
Opcode ID: 161718d76d6becae68dd536061eca1fa667e66fa4ba7c7bce85b59ca26bb7f07
Instruction ID: 19046c5e0e51c5d8330a6e28e1c74e953eebe2204ff8ab0c0d05eaa0c333c83d
Opcode Fuzzy Hash: 161718d76d6becae68dd536061eca1fa667e66fa4ba7c7bce85b59ca26bb7f07
Instruction Fuzzy Hash: 5B5164B16047059BD7249F61DC94AAFB7E8FB44380F14492FE95AD2240D738EC85CBAA

Function 0047B085 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0047B08A
GetPropA.USER32(?,AfxOldWndProc423), ref: 0047B0A2
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 0047B100

Part of subcall function 0047AC6C: GetWindowRect.USER32(?,?), ref: 0047AC91
Part of subcall function 0047AC6C: GetWindow.USER32(?,00000004), ref: 0047ACAE

SetWindowLongA.USER32(?,000000FC,?), ref: 0047B130
RemovePropA.USER32(?,AfxOldWndProc423), ref: 0047B138
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 0047B13F
GlobalDeleteAtom.KERNEL32(00000000), ref: 0047B146

Part of subcall function 0047AC49: GetWindowRect.USER32(?,?), ref: 0047AC55

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 0047B19A

Strings

AfxOldWndProc423, xrefs: 0047B098, 0047B0A0, 0047B136, 0047B13E

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: 4581df1e3166c6436e0f662e65f0245038993c6b4b9f653d636e6c015f2a7cdd
Instruction ID: 8598c5ab65c4880a6d17606eaa879d39947eaec776f509dbd8229db751c46aec
Opcode Fuzzy Hash: 4581df1e3166c6436e0f662e65f0245038993c6b4b9f653d636e6c015f2a7cdd
Instruction Fuzzy Hash: 10317C72800119BBCB02AFA5DD49EFF7B78FF45350F04852AF505A1151C7398921DBAA

Function 00482D18 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(004C92C0,004C9294,?,?,004C92A4,004C92A4,004830B3,00000000,?,00479B6F,00482405,?,00403600), ref: 00482D27
GlobalAlloc.KERNELBASE(00002002,00000000,?,?,004C92A4,004C92A4,004830B3,00000000,?,00479B6F,00482405,?,00403600), ref: 00482D7C
GlobalHandle.KERNEL32(005F2680), ref: 00482D85
GlobalUnlock.KERNEL32(00000000), ref: 00482D8E
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00482DA0
GlobalHandle.KERNEL32(005F2680), ref: 00482DB7
GlobalLock.KERNEL32(00000000), ref: 00482DBE
LeaveCriticalSection.KERNEL32(?,?,?,004C92A4,004C92A4,004830B3,00000000,?,00479B6F,00482405,?,00403600), ref: 00482DC4
GlobalLock.KERNEL32(00403600), ref: 00482DD3
LeaveCriticalSection.KERNEL32(?), ref: 00482E1C

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 44d878c2bc85e2025610b10cdf31b84eeec31cc0144e99ce2d35f2294e67d2bd
Instruction ID: 57f1c183f029c8e7598adecc3978bd8870be2697c1f7b4063cdd7959f3eedbd9
Opcode Fuzzy Hash: 44d878c2bc85e2025610b10cdf31b84eeec31cc0144e99ce2d35f2294e67d2bd
Instruction Fuzzy Hash: C1318571204706AFD724AF28DD8996EBBE9FB44304B040D2EF852C3661E7B5EC44CB58

Function 00404F30 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 267
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateSolidBrush.GDI32(00000000), ref: 00405078
SendMessageA.USER32(?,000000C5,?,00000000), ref: 00405109
SendMessageA.USER32(?,000000CC,?,00000000), ref: 00405121
SendMessageA.USER32(?,00000465,00000000,?), ref: 004051EB
SendMessageA.USER32(?,000000B1,?,?), ref: 00405228
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00405237

Strings

EDIT, xrefs: 004050B7
msctls_updown32, xrefs: 0040517F

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend$BrushCreateSolid
String ID: EDIT$msctls_updown32
API String ID: 943060551-1401569126
Opcode ID: 40c2bd2cce4d0ebdd6fb3262a8f0b517211b48be06f1a4e7bffb85e95dd0e3dd
Instruction ID: f70a777f1a59ec7b4847c59518d5a4f31085783f7218e0097d56c7168910f0eb
Opcode Fuzzy Hash: 40c2bd2cce4d0ebdd6fb3262a8f0b517211b48be06f1a4e7bffb85e95dd0e3dd
Instruction Fuzzy Hash: EF919FB1604B019BE724DB64DC45F6BB3E5EB84704F10492EF696A73C0EA78EC058B99

Function 00416010 Relevance: 13.8, APIs: 9, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd56dc2e90f1a62f023c66e8cce83c7b815955cf1a6b413ea1d17ffc16968315
Instruction ID: 1561c6ca0077999cda359a898a5c06871f43598d63fafb280a7f527f931ec85d
Opcode Fuzzy Hash: dd56dc2e90f1a62f023c66e8cce83c7b815955cf1a6b413ea1d17ffc16968315
Instruction Fuzzy Hash: FAB1CC70604700AFD724DF65C884BAFBBE6BB84744F11892EF59687390D778E881CB5A

Function 00405260 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 134
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTextExtentPoint32A.GDI32(?,004A4C5C,?,?), ref: 00405301
GetSystemMetrics.USER32(0000002E), ref: 00405315
GetWindowRect.USER32(?,?), ref: 00405335
GetStockObject.GDI32(00000011), ref: 00405382
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 00405391

Strings

\LJ, xrefs: 004052E2

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ExtentMessageMetricsObjectPoint32RectSendStockSystemTextWindow
String ID: \LJ
API String ID: 3316701254-1344448065
Opcode ID: 05bd8f2a569737267f5e00aa538d1f1ca2ee7e7b3fae41d2676f1ac44a0c76cb
Instruction ID: 19420100aa4387e3b259ba2756d602480c576fed0b0046e2757a18d7b359371a
Opcode Fuzzy Hash: 05bd8f2a569737267f5e00aa538d1f1ca2ee7e7b3fae41d2676f1ac44a0c76cb
Instruction Fuzzy Hash: 42418071204B01AFD324DFA5C885F6F77A9EB98704F04492EFA56962C0DAB8EC05CF56

Function 00408C50 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColor.USER32(0000000F), ref: 00408D5C
DestroyCursor.USER32(?), ref: 00408DBA
SendMessageA.USER32(?,000000F7,00000001,?), ref: 00408E5C
SendMessageA.USER32(?,000000F7,00000000,?), ref: 00408E8E

Strings

BUTTON, xrefs: 00408E1B

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend$ColorCursorDestroy
String ID: BUTTON
API String ID: 3592366650-3405671355
Opcode ID: d0a6b8050bae6bf063de55eaebe657440329377e1d8ac680ea53fa623f58f889
Instruction ID: d7a02af74e02584fa27290fac58d677fa7a23530e573b469d46de13e954bbf36
Opcode Fuzzy Hash: d0a6b8050bae6bf063de55eaebe657440329377e1d8ac680ea53fa623f58f889
Instruction Fuzzy Hash: 9E61ACB16047049BD224DF25D980B6BB7A4FB94700F548A2EF5C6A33C0CF39E844CB5A

Function 00415EF0 Relevance: 6.1, APIs: 4, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32(?,00000080,00000001,?), ref: 00415F98
SendMessageA.USER32(?,00000080,00000000,?), ref: 00415FAA
DestroyCursor.USER32(?), ref: 00415FBD
DestroyCursor.USER32(?), ref: 00415FCA

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CursorDestroyMessageSend
String ID:
API String ID: 3501257726-0
Opcode ID: a641636a98e784eb21e109c68c90276c98e2068f1dfdf63b074bd9614d0c6dba
Instruction ID: e5255215b575bd38fce196eecc020eafcbda9110c65b978661624d3635b3a476
Opcode Fuzzy Hash: a641636a98e784eb21e109c68c90276c98e2068f1dfdf63b074bd9614d0c6dba
Instruction Fuzzy Hash: 26312B75704701AFE720DF65C880BEBB3E8AFC4714F04882EF99597340D678E84A8B66

Function 0047F530 Relevance: 6.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 0047F53D
GetSystemMetrics.USER32(0000000C), ref: 0047F544
GetDC.USER32(00000000), ref: 0047F55D
ReleaseDC.USER32(00000000,00000000), ref: 0047F57E

Part of subcall function 00483BB5: GetSystemMetrics.USER32(00000002), ref: 00483BC7
Part of subcall function 00483BB5: GetSystemMetrics.USER32(00000003), ref: 00483BD1

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MetricsSystem$CallbackDispatcherReleaseUser
String ID:
API String ID: 3701264790-0
Opcode ID: df122d9f7b610373b6d7f546a2808a9f6f1eadca7d821a2fe67bdaae47f68ae5
Instruction ID: bb6268a8e7ebc5d94373ab13ab2130a2bf32f0c10222eb40363739eb895cef6f
Opcode Fuzzy Hash: df122d9f7b610373b6d7f546a2808a9f6f1eadca7d821a2fe67bdaae47f68ae5
Instruction Fuzzy Hash: 3CF09070540B00AAE3206F769C89F2B77A4EB80B52F04483EE201972D1DAB4AC05CBA9

Function 0047E304 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0047E317
SetWindowsHookExA.USER32(000000FF,0047E65C,00000000,00000000), ref: 0047E327

Part of subcall function 00483114: __EH_prolog.LIBCMT ref: 00483119

Strings

ho_, xrefs: 0047E332

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID: ho_
API String ID: 2183259885-2687793287
Opcode ID: 6401f97e664bf8b625b416186421c91590ca7da42d3fbaf36debecf37aab54de
Instruction ID: 89bcf08a4b509318c6c947f63908dcf52d71ca7c290bdf2a2715416521fd772d
Opcode Fuzzy Hash: 6401f97e664bf8b625b416186421c91590ca7da42d3fbaf36debecf37aab54de
Instruction Fuzzy Hash: E6F0A731500640BBDB743B719D0DB9D36606F08B15F084F9FB916571E2CBAC4D44876D

Function 00412120 Relevance: 4.6, APIs: 3, Instructions: 110windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00412149
IsWindow.USER32 ref: 00412177
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00412246

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessagePeek$Window
String ID:
API String ID: 1210580970-0
Opcode ID: 74b8fa2ddffea9fe053e626a0f0511f546f1c9265fd704bd053bf850f74782c8
Instruction ID: deb072bedaa287d71aad4d58ba049752dd47b848d1fe704c788629cc4c0fb533
Opcode Fuzzy Hash: 74b8fa2ddffea9fe053e626a0f0511f546f1c9265fd704bd053bf850f74782c8
Instruction Fuzzy Hash: D4319270600606AFD714DF24DE84AEBB3A8FF85349F00452EEA15D3240D7B4EDA9CBA5

Function 0047E864 Relevance: 4.5, APIs: 3, Instructions: 29windowCOMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0047E871
TranslateMessage.USER32(?), ref: 0047E891
DispatchMessageA.USER32(?), ref: 0047E898

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Message$CallbackDispatchDispatcherTranslateUser
String ID:
API String ID: 2960505505-0
Opcode ID: fdd5a8b732217afe076ce938d0024b779c719b6dbe1c7ef00ed814b021d23492
Instruction ID: 90a9220be95678c67ce46b4e080e785a0b97492609e0d0cb027cf07ce4b024e9
Opcode Fuzzy Hash: fdd5a8b732217afe076ce938d0024b779c719b6dbe1c7ef00ed814b021d23492
Instruction Fuzzy Hash: 44E092322085006BE7216B66AC48EBF3BECFF85F01709486FF502C2210C764AC428B6A

Function 004838E7 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000000,00000000,0047F5B2,00000000,00000000,00000000,00000000,?,00000000,?,00476FA3,00000000,00000000,00000000,00000000,00469123), ref: 004838F0
SetErrorMode.KERNELBASE(00000000,?,00000000,?,00476FA3,00000000,00000000,00000000,00000000,00469123,00000000), ref: 004838F7

Part of subcall function 0048394A: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0048397B
Part of subcall function 0048394A: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00483A1C
Part of subcall function 0048394A: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00483A49

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: 10e37d00d17a1eeb94b7156328656230e9555c39bba28d7818bd71cbc1be6d64
Instruction ID: 3dc7cf609167cc342f3866fa2f3dac477f30616dc8d960134a7073c3011f378e
Opcode Fuzzy Hash: 10e37d00d17a1eeb94b7156328656230e9555c39bba28d7818bd71cbc1be6d64
Instruction Fuzzy Hash: 0BF049B09142509FD714FF25D545B5D7BE4AF48B24F05888FF8488B3A2CBB8D840CB9A

Function 0046DDC5 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,004690A1,00000001), ref: 0046DDD6

Part of subcall function 0046DC7D: GetVersionExA.KERNEL32 ref: 0046DC9C

HeapDestroy.KERNEL32 ref: 0046DE15

Part of subcall function 00471765: HeapAlloc.KERNEL32(00000000,00000140,0046DDFE,000003F8), ref: 00471772

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 69962195a63d15f5a1ff6eab4609b7da4b19e92c7fe01a7e70ba1927d784cf35
Instruction ID: cc80d51ddb987b12e8722cb6d382d0c5842ef7b475709dce0cd65b72beb11dfa
Opcode Fuzzy Hash: 69962195a63d15f5a1ff6eab4609b7da4b19e92c7fe01a7e70ba1927d784cf35
Instruction Fuzzy Hash: 41F0E570F14602EAEF206B31ED4DB6A36949B54B45F10083BF801CC9A0FBAA8990D64F

Function 0041C780 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

LoadImageA.USER32(?,?,00000001,00000020,00000020,00000000), ref: 0041C79B
LoadImageA.USER32(?,?,00000001,00000010,00000010,00000000), ref: 0041C7AD

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ImageLoad
String ID:
API String ID: 306446377-0
Opcode ID: bdd00ff9a5944d2e78b2e2b55e6016fa624a6686c3e4cf78376b31065be9f544
Instruction ID: 10bc112b488d892d73787234707a43d9de47c3f26357c543e74f096688fa7308
Opcode Fuzzy Hash: bdd00ff9a5944d2e78b2e2b55e6016fa624a6686c3e4cf78376b31065be9f544
Instruction Fuzzy Hash: D1E0ED323453117BD620CE5A8C85F9BF7E9FB8EB10F540819B344AB1D1C2F1A4458769

Function 0047B820 Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 0047B847
CallWindowProcA.USER32(?,?,?,?,?), ref: 0047B85C

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: d1ac7a0c1611ee347e76f3b657d4f0af9329bdb70fb6f3129dad75a64a825f3c
Instruction ID: 841ae92109e1d95e1165b816d5c856226094581ba65775df875958d08e221aba
Opcode Fuzzy Hash: d1ac7a0c1611ee347e76f3b657d4f0af9329bdb70fb6f3129dad75a64a825f3c
Instruction Fuzzy Hash: D0F09836104608EFCF129F95DC04EDA7BB9FF08750B058969F94986520D736D821AB95

Function 0047B456 Relevance: 3.0, APIs: 2, Instructions: 25threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0048307F: TlsGetValue.KERNEL32(004C92A4,00000000,?,00479B6F,00482405,?,00403600), ref: 004830BE

GetCurrentThreadId.KERNEL32 ref: 0047B478
SetWindowsHookExA.USER32(00000005,0047B260,00000000,00000000), ref: 0047B488

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CurrentHookThreadValueWindows
String ID:
API String ID: 933525246-0
Opcode ID: 08affca9ceb82663ad7464b35ab4fba78fa991e797bc7213d0f7484baf34ca05
Instruction ID: 4bed33682252d59f3d1c4075c3ffce43a94cca9dc1af709e1347b09cfb0af90b
Opcode Fuzzy Hash: 08affca9ceb82663ad7464b35ab4fba78fa991e797bc7213d0f7484baf34ca05
Instruction Fuzzy Hash: 13E09236600B00AFD370AF26A809B9F77E4EB84B15F15896FE24D81642D7789C418FBD

Function 0046A935 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00000000,?,?), ref: 0046AA1C

Part of subcall function 00470484: InitializeCriticalSection.KERNEL32(00000000,?,?,?,0046A88D,00000009,?,?,00000000), ref: 004704C1
Part of subcall function 00470484: EnterCriticalSection.KERNEL32(?,?,?,0046A88D,00000009,?,?,00000000), ref: 004704DC

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 3e1b4240fb9f7a7e36a22603426ee624f852004e498a99609d33829c241e125f
Instruction ID: e6f07b3de0c4e2b680fe2c7365fdf4cedd03586964f253e573e58d2bbeb46aee
Opcode Fuzzy Hash: 3e1b4240fb9f7a7e36a22603426ee624f852004e498a99609d33829c241e125f
Instruction Fuzzy Hash: D021F372A00644ABDB10DFA99D42B9A77A4EB00724F244A1BF410FB2C0E77CAC55CA5F

Function 0047ADBC Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0047ADC1

Part of subcall function 0048307F: TlsGetValue.KERNEL32(004C92A4,00000000,?,00479B6F,00482405,?,00403600), ref: 004830BE

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: H_prologValue
String ID:
API String ID: 3700342317-0
Opcode ID: cd6cfc0c08124a3dfd2e1962326d4733087d8c34c269e2aa8582583e7a867c63
Instruction ID: 6e2a334fe0eca311efe9705214acaae5bc49f5a52d534188ecf32a230bb9e639
Opcode Fuzzy Hash: cd6cfc0c08124a3dfd2e1962326d4733087d8c34c269e2aa8582583e7a867c63
Instruction Fuzzy Hash: 10215A72900209EFCF05DF54C981AEE7BB9FF44314F00806AF919AB241D379AE51CB95

Function 0047B4E4 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,00000080,00438AC1,?,?,?,?,?,?,?,?,?), ref: 0047B582

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e5c5605ed9f7e9aca220bb6540d4267883ddc0e01340286a0a0bc8a372838b22
Instruction ID: ee7a60b76dec0fafda677569903c679770ac6a5629d7c2bdee125e2008ed0bca
Opcode Fuzzy Hash: e5c5605ed9f7e9aca220bb6540d4267883ddc0e01340286a0a0bc8a372838b22
Instruction Fuzzy Hash: E9318B75A00219AFCF01DFA8C944ADEBBF1BF4C314B11846AF919E7210E7399A519F94

Function 0047B034 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73717af160eaaa41be401ad709ad1e2afb8b72d6117630c64331f2732c490b62
Instruction ID: aadaba53fe804d5b9ea48a1ab756871ad17414f1f64853481cd1d28056acc56c
Opcode Fuzzy Hash: 73717af160eaaa41be401ad709ad1e2afb8b72d6117630c64331f2732c490b62
Instruction Fuzzy Hash: D8F01C32000659FBCF225E919C00BEF3B29FF09365F00C416FA2965121C37AD971ABEA

Function 0047EDB7 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

LoadStringA.USER32(?,?,?,?), ref: 0047EDCE

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 3e7a5fff06e3a3f613cde162527c09ff24a9a7c4bca18b81d3ede060bdbceff2
Instruction ID: 972b8a76623750b1ac14edbbdec8306a7a90dfeab0b4fc2d41d88a88cd622a20
Opcode Fuzzy Hash: 3e7a5fff06e3a3f613cde162527c09ff24a9a7c4bca18b81d3ede060bdbceff2
Instruction Fuzzy Hash: 75D05E72108362ABC722DF519808C9FBBA8BF54320F044C4EF48442211C324C8048765

Function 0047D958 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?,0047E51C,?,?,?,00000363,00000001,00000000,?,?,?,0047DD7D,?), ref: 0047D966

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6d41cb087be44e6ee3f3e374f292e094ffd46897b5f8bdb398220d06100ec8c5
Instruction ID: 7b676763a20b73a7244adbcd9333e5010bc451669da2c9f3772852c7d50f79b1
Opcode Fuzzy Hash: 6d41cb087be44e6ee3f3e374f292e094ffd46897b5f8bdb398220d06100ec8c5
Instruction Fuzzy Hash: F8D09EB0604201EFCB058F60D944A5A77B2BF94715B248569E14987121D736CC52EB05

Non-executed Functions

Function 0042A0C0 Relevance: 85.5, APIs: 47, Strings: 1, Instructions: 1494windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004800B5: __EH_prolog.LIBCMT ref: 004800BA
Part of subcall function 004800B5: BeginPaint.USER32(?,?,?,?,004072F9), ref: 004800E3

Part of subcall function 0047FC66: GetClipBox.GDI32(?,?), ref: 0047FC6D

DPtoLP.GDI32 ref: 0042A1DB
GetClientRect.USER32(?,?), ref: 0042A1E9
DPtoLP.GDI32(?,?,00000002), ref: 0042A201
IntersectRect.USER32(?,?,?), ref: 0042A2A0
LPtoDP.GDI32(?,?,00000002), ref: 0042A2E1
IntersectRect.USER32(?,?,?), ref: 0042A33E
LPtoDP.GDI32(?,?,00000002), ref: 0042A37F
CreateRectRgnIndirect.GDI32(?), ref: 0042A3AA
IntersectRect.USER32(?,?,?), ref: 0042A3DE
LPtoDP.GDI32(?,?,00000002), ref: 0042A41F
CreateRectRgnIndirect.GDI32(?), ref: 0042A445
CreateRectRgnIndirect.GDI32(?), ref: 0042A474
GetCurrentObject.GDI32(?,00000006), ref: 0042A490
GetCurrentObject.GDI32(?,00000001), ref: 0042A4A9
GetCurrentObject.GDI32(?,00000002), ref: 0042A4C2

Part of subcall function 0047F925: SetBkMode.GDI32(?,?), ref: 0047F93E
Part of subcall function 0047F925: SetBkMode.GDI32(?,?), ref: 0047F94C

Part of subcall function 0047C717: GetScrollPos.USER32(00000000,0040DCC3), ref: 0047C735

Part of subcall function 00429CF0: CreateFontIndirectA.GDI32(00000000), ref: 00429D42

FillRgn.GDI32(?,?,?), ref: 0042A6A2
IntersectRect.USER32(?,?,?), ref: 0042A787
IsRectEmpty.USER32(?), ref: 0042A792
LPtoDP.GDI32(?,?,00000002), ref: 0042A7AF
CreateRectRgnIndirect.GDI32(?), ref: 0042A7BA
CombineRgn.GDI32(?,?,?,00000004), ref: 0042A7EB
DPtoLP.GDI32(?,?,00000002), ref: 0042A809

Part of subcall function 0047FA0C: SetMapMode.GDI32(?,?), ref: 0047FA25
Part of subcall function 0047FA0C: SetMapMode.GDI32(?,?), ref: 0047FA33

PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0042A848
IntersectRect.USER32(?,?,?), ref: 0042A8DB
IsRectEmpty.USER32(?), ref: 0042A921
SelectObject.GDI32(?,?), ref: 0042A95C
DPtoLP.GDI32(?,?,00000001), ref: 0042A9E8
LPtoDP.GDI32(?,?,00000001), ref: 0042AB07
DPtoLP.GDI32(?,?,00000001), ref: 0042AB25

Part of subcall function 0047FD3A: MoveToEx.GDI32(?,?,?,?), ref: 0047FD5C
Part of subcall function 0047FD3A: MoveToEx.GDI32(?,?,?,?), ref: 0047FD70

Part of subcall function 0047FD86: MoveToEx.GDI32(?,?,?,00000000), ref: 0047FDA0
Part of subcall function 0047FD86: LineTo.GDI32(?,?,?), ref: 0047FDB1

Part of subcall function 0047F849: SelectObject.GDI32(004050D5,00000000), ref: 0047F86B
Part of subcall function 0047F849: SelectObject.GDI32(004050D5,?), ref: 0047F881

Part of subcall function 0042D3B0: GetCurrentObject.GDI32(?), ref: 0042D47B
Part of subcall function 0042D3B0: LPtoDP.GDI32(?,00000000,00000001), ref: 0042D4C8

IntersectRect.USER32(?,00000000,?), ref: 0042AC72
IsRectEmpty.USER32(00000000), ref: 0042AC7D
PatBlt.GDI32(?,00000000,?,?,?,00F00021), ref: 0042ACC4
LPtoDP.GDI32(?,00000000,00000002), ref: 0042ACD9
CreateRectRgnIndirect.GDI32(00000000), ref: 0042ACE4
CombineRgn.GDI32(?,?,?,00000004), ref: 0042AD15
LPtoDP.GDI32(?,?,00000001), ref: 0042AD44
DPtoLP.GDI32(?,?,00000001), ref: 0042AD62
wsprintfA.USER32 ref: 0042AE00
SelectObject.GDI32(?,?), ref: 0042AE28
IntersectRect.USER32(?,?,?), ref: 0042B398
IsRectEmpty.USER32(?), ref: 0042B3A3
LPtoDP.GDI32(?,?,00000002), ref: 0042B3C0
CreateRectRgnIndirect.GDI32(?), ref: 0042B3CB
CombineRgn.GDI32(?,?,?,00000004), ref: 0042B3FC

Part of subcall function 0042CA70: SetRectEmpty.USER32(?), ref: 0042CAEA

Part of subcall function 0042CA70: GetSysColor.USER32(0000000F), ref: 0042CC1B
Part of subcall function 0042CA70: IntersectRect.USER32(?,?,?), ref: 0042CC73

GetSysColor.USER32(0000000F), ref: 0042A586

Part of subcall function 004802B2: __EH_prolog.LIBCMT ref: 004802B7
Part of subcall function 004802B2: CreateSolidBrush.GDI32(?), ref: 004802D4

Part of subcall function 00480262: __EH_prolog.LIBCMT ref: 00480267
Part of subcall function 00480262: CreatePen.GDI32(?,?,?), ref: 0048028A

CreateRectRgnIndirect.GDI32(?), ref: 0042A306

Part of subcall function 0042B8C0: CopyRect.USER32(?,00000000), ref: 0042B937
Part of subcall function 0042B8C0: IsRectEmpty.USER32(?), ref: 0042B942
Part of subcall function 0042B8C0: GetClientRect.USER32(00000000,?), ref: 0042B981
Part of subcall function 0042B8C0: DPtoLP.GDI32(?,?,00000002), ref: 0042B993
Part of subcall function 0042B8C0: LPtoDP.GDI32(?,?,00000002), ref: 0042B9D0

FillRect.USER32(?,?,?), ref: 0042B6F9

Strings

"%H, xrefs: 0042A2EE, 0042A38C, 0042A42C, 0042B33C

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$Create$IndirectIntersectObject$Empty$CurrentModeSelect$CombineH_prologMove$ClientColorFill$BeginBrushClipCopyFontLinePaintScrollSolidwsprintf
String ID: "%H
API String ID: 3726329589-1417433817
Opcode ID: 372a6a6246870cbc616428e101dcaa765117237d3fd1af9bf196e593e7e639e1
Instruction ID: fc47fa840a5817319e1c2d40b4d56957fa80528bd475d1e17472eb11fe9bbaec
Opcode Fuzzy Hash: 372a6a6246870cbc616428e101dcaa765117237d3fd1af9bf196e593e7e639e1
Instruction Fuzzy Hash: 5BD236712083819FD324DF65D894FAFB7E9AFC8704F40891EF58A83251DB74A909CB66

Function 004111B0 Relevance: 55.2, APIs: 29, Strings: 2, Instructions: 979windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00411222
IsIconic.USER32(?), ref: 0041125A
SetActiveWindow.USER32(?,?,?), ref: 00411283
IsWindow.USER32(?), ref: 004112AD
IsWindow.USER32(?), ref: 0041157E
DestroyAcceleratorTable.USER32(?), ref: 004116CE
DestroyMenu.USER32(?), ref: 004116D9
DestroyAcceleratorTable.USER32(?), ref: 004116F3
DestroyMenu.USER32(?), ref: 00411702
DestroyAcceleratorTable.USER32(?), ref: 00411762
DestroyMenu.USER32(?,000003EA,00000000,00000000,?,?,00000000,000007D9,00000000,00000000), ref: 00411771
SetParent.USER32(?,?), ref: 004117F3
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?), ref: 0041190B
IsWindow.USER32(?), ref: 00411A3C
SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 00411A51
SendMessageA.USER32(?,00008004,00000000,00000000), ref: 00411A6E
DestroyAcceleratorTable.USER32(?), ref: 00411ABC
IsWindow.USER32(?), ref: 00411B31
IsWindow.USER32(?), ref: 00411B81
IsWindow.USER32(?), ref: 00411BD1
IsWindow.USER32(?), ref: 00411C0E
IsWindow.USER32(?), ref: 00411C91
GetParent.USER32(?), ref: 00411C9F
GetFocus.USER32 ref: 00411CE0

Part of subcall function 004110A0: IsWindow.USER32(?), ref: 0041111B
Part of subcall function 004110A0: GetFocus.USER32 ref: 00411125
Part of subcall function 004110A0: IsChild.USER32(?,00000000), ref: 00411137

IsWindow.USER32(?), ref: 00411D3F
SendMessageA.USER32(?,00008076,00000000,00000000), ref: 00411D54
IsWindow.USER32(00000000), ref: 00411D67
GetFocus.USER32 ref: 00411D71
SetFocus.USER32(00000000), ref: 00411D7C

Strings

`qA, xrefs: 00411711, 00411D90
d, xrefs: 004111C3

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$Destroy$AcceleratorFocusTable$MenuMessageSend$Parent$ActiveChildIconic
String ID: `qA$d
API String ID: 3681805233-1190978745
Opcode ID: df90d238e505a7289fa82ac691b61631b3cb11d27e3e46467e33a69b346fe21f
Instruction ID: cbc48eb413077bbe7f64255da317e48c2a1a5db35e0186981533e347f9e4e9f5
Opcode Fuzzy Hash: df90d238e505a7289fa82ac691b61631b3cb11d27e3e46467e33a69b346fe21f
Instruction Fuzzy Hash: 2E72B2716043059BC320DF65D880BAFB7E9AF84744F04492EFA4997391DB38ED45CBAA

Function 004196C0 Relevance: 50.0, APIs: 23, Strings: 5, Instructions: 986windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 004196F9
TranslateAcceleratorA.USER32(?,?,?,?), ref: 00419753
IsChild.USER32(?,?), ref: 00419784
GetFocus.USER32 ref: 004198DF
PostMessageA.USER32(?,000000A1,00000002,00000000), ref: 00419969
PostMessageA.USER32(?,000000A1,00000002,00000000), ref: 004199D8
IsChild.USER32(?,00000000), ref: 00419A81
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00419A52

Part of subcall function 0040F0E0: IsChild.USER32(?,?), ref: 0040F15D
Part of subcall function 0040F0E0: GetParent.USER32(?), ref: 0040F177

IsWindow.USER32(?), ref: 0041A359

Strings

Z, xrefs: 00419C5C
hlp, xrefs: 00419FFD
9, xrefs: 00419C4E
0, xrefs: 00419C49
A, xrefs: 00419C53

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ChildMessage$PostWindow$AcceleratorEnabledFocusParentSendTranslate
String ID: 0$9$A$Z$hlp
API String ID: 3372979518-114186910
Opcode ID: 1e601cc55028907de06c428e52046dae9f2ca108bcf3cc0be3a2c9774af69572
Instruction ID: d0a87fb90bc6004cbc9c15d056e5824d80c1ca0124406b88bb404fc18805e25f
Opcode Fuzzy Hash: 1e601cc55028907de06c428e52046dae9f2ca108bcf3cc0be3a2c9774af69572
Instruction Fuzzy Hash: EC72AF706043419BDB24DE25C890BAFB3A9AF84704F14492EF95A973C1DB7CEC85CB5A

Function 0043C4E0 Relevance: 32.8, Strings: 26, Instructions: 305COMMON

Download Yara Rule

Strings

PCS illuminant is not D50, xrefs: 0043C634
lcmn, xrefs: 0043C700
unexpected DeviceLink ICC profile class, xrefs: 0043C724
unexpected ICC PCS encoding, xrefs: 0043C7BE
psca, xrefs: 0043C608
baL, xrefs: 0043C7B0
intent outside defined range, xrefs: 0043C5CF
rtnm, xrefs: 0043C717
invalid rendering intent, xrefs: 0043C5AD
RGB color space not permitted on grayscale PNG, xrefs: 0043C6A0
YARG, xrefs: 0043C66E
unrecognized ICC profile class, xrefs: 0043C77B
tag count too large, xrefs: 0043C7E4
unexpected NamedColor ICC profile class, xrefs: 0043C75A
invalid embedded Abstract ICC profile, xrefs: 0043C741
invalid signature, xrefs: 0043C60F
rncs, xrefs: 0043C76D
ZYX, xrefs: 0043C7B7
length does not match profile, xrefs: 0043C519
Gray color space not permitted on RGB PNG, xrefs: 0043C6C4
caps, xrefs: 0043C774
rtrp, xrefs: 0043C766
BGR, xrefs: 0043C675
invalid ICC profile color space, xrefs: 0043C680
knil, xrefs: 0043C710
tsba, xrefs: 0043C709

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: BGR$ ZYX$ baL$Gray color space not permitted on RGB PNG$PCS illuminant is not D50$RGB color space not permitted on grayscale PNG$YARG$caps$intent outside defined range$invalid ICC profile color space$invalid embedded Abstract ICC profile$invalid rendering intent$invalid signature$knil$lcmn$length does not match profile$psca$rncs$rtnm$rtrp$tag count too large$tsba$unexpected DeviceLink ICC profile class$unexpected ICC PCS encoding$unexpected NamedColor ICC profile class$unrecognized ICC profile class
API String ID: 0-319498373
Opcode ID: 667dcf1964e06826092e005a6dcdc61eb2df9058054336d947cb35705f2c5b77
Instruction ID: 127ec87e3b6a4bb787ccfba3dc8a5da9b938634f89c1488ca5dd6f264e6bad50
Opcode Fuzzy Hash: 667dcf1964e06826092e005a6dcdc61eb2df9058054336d947cb35705f2c5b77
Instruction Fuzzy Hash: 99919BE3A0415017DB08DE2C9CD2A777B96DBDE305F1D94ABF884EA303E619C90187B9

Function 0041A8B0 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 93libraryloaderwindowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0041A8BC
IsZoomed.USER32(?), ref: 0041A8CA
LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 0041A8F4
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0041A907
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0041A915
FreeLibrary.KERNEL32(00000000), ref: 0041A94B
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0041A961
IsWindow.USER32(?), ref: 0041A98E
ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 0041A99B

Strings

GetMonitorInfoA, xrefs: 0041A90D
User32.dll, xrefs: 0041A8E9
H, xrefs: 0041A938
MonitorFromWindow, xrefs: 0041A901

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
API String ID: 447426925-661446951
Opcode ID: ae16f45243f7fb2a46066ea7407c886f538114ad6a8a9672f099eeafa7a7da52
Instruction ID: 7d858306b84b0cbb7f1bcda8ab568571887f4f4dc14b47c364cd88c6d95efa91
Opcode Fuzzy Hash: ae16f45243f7fb2a46066ea7407c886f538114ad6a8a9672f099eeafa7a7da52
Instruction Fuzzy Hash: A6319FB1700702AFD7109F61DC49BAF77A8AF84B10F04882DFA06A7280DB78DC45876A

Function 00413350 Relevance: 18.3, APIs: 12, Instructions: 273threadwindownetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00413375
IsWindow.USER32(0001043C), ref: 00413391
SendMessageA.USER32(0001043C,000083E7,?,00000000), ref: 004133AA
ExitProcess.KERNEL32 ref: 004133BF
FreeLibrary.KERNEL32(?), ref: 004134A3
FreeLibrary.KERNEL32 ref: 004134F7
DestroyCursor.USER32(00010451), ref: 00413547
DestroyCursor.USER32(00010453), ref: 0041355E
IsWindow.USER32(0001043C), ref: 00413575
DestroyCursor.USER32(?), ref: 00413624
WSACleanup.WS2_32 ref: 0041366F

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CursorDestroy$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
String ID:
API String ID: 2560087610-0
Opcode ID: 6a7d33646495cc5006ab33b7ad4f8c9f18db4acbfa49ba1023a4547e3ac918da
Instruction ID: d1794423c06774c7de3ed78acc17cbd780c61d6566fa5880390cb44cb26db38c
Opcode Fuzzy Hash: 6a7d33646495cc5006ab33b7ad4f8c9f18db4acbfa49ba1023a4547e3ac918da
Instruction Fuzzy Hash: 10B17F70600701ABC724DF69C8C5BEBB7E5BF48705F44492EE99A87381CB34BA81CB58

Function 00414830 Relevance: 16.6, APIs: 8, Strings: 1, Instructions: 859COMMON

Download Yara Rule

Strings

`qA, xrefs: 004154A6

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: `qA
API String ID: 0-2154376067
Opcode ID: e378a88187f4699aed3c5277e75898d586aa949dbc0b6dfeaccaeb526a0f0341
Instruction ID: 1ef2acdb205743c0efd41a9cc5ac1af3cd8b5bdcd8ece990d62dc29d795d9c64
Opcode Fuzzy Hash: e378a88187f4699aed3c5277e75898d586aa949dbc0b6dfeaccaeb526a0f0341
Instruction Fuzzy Hash: 9D62E1716047018FC724CF25D881BABB7E5AFC5314F14492EF98A97381DB38EC858B9A

Function 004164E0 Relevance: 15.4, APIs: 10, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54ed7feddd1aa93295e93553a1e45c5ba2b7d7115428532703045f360efc9ebf
Instruction ID: a8d4e6e536ddd663fab6e5e8e5412c81117567e8d31365f8c07f47fe9a175e25
Opcode Fuzzy Hash: 54ed7feddd1aa93295e93553a1e45c5ba2b7d7115428532703045f360efc9ebf
Instruction Fuzzy Hash: CEC101767046049FD310EF29EC81AABB3A5FB84318F508D2FE446C7382D736E9558799

Function 0047A662 Relevance: 13.6, APIs: 9, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0047A667
FindResourceA.KERNEL32(?,00000000,00000005), ref: 0047A69F
LoadResource.KERNEL32(?,00000000,?,?,?,00000000), ref: 0047A6A7

Part of subcall function 0047B4A2: UnhookWindowsHookEx.USER32(?), ref: 0047B4C7

LockResource.KERNEL32(?,?,00000000,?,?,?,00000000), ref: 0047A6B4
IsWindowEnabled.USER32(?), ref: 0047A6E7
EnableWindow.USER32(?,00000000), ref: 0047A6F5
EnableWindow.USER32(?,00000001), ref: 0047A783
GetActiveWindow.USER32 ref: 0047A78E
SetActiveWindow.USER32(?,?,?,00000000,?,?,?,00000000), ref: 0047A79C

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 401145483-0
Opcode ID: 61dc94e2894b0e4cb3b75dc5e18a6e3b82d244b76b92597699d615f94f0fd033
Instruction ID: 5e6114102845e43a3694f3c000101fc777de9051f38215384ef6afd48c6e8a15
Opcode Fuzzy Hash: 61dc94e2894b0e4cb3b75dc5e18a6e3b82d244b76b92597699d615f94f0fd033
Instruction Fuzzy Hash: 9541C130900A04EFCB25AB65CC85AFFB7B5EF84711F14891FE506B22A1D7798D50CB9A

Function 00460890 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 212fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004612B0: lstrlenA.KERNEL32(?,?,?,00460E96,?), ref: 004612BE
Part of subcall function 004612B0: GlobalAlloc.KERNEL32(00000040,00000001), ref: 004612CD
Part of subcall function 004612B0: lstrcpyA.KERNEL32(00000000,?), ref: 004612DB

Part of subcall function 00461330: lstrlenA.KERNEL32(?,?,?,00000000,00460ED2,*.*,004AE560,00000000,00000001,00000001,?), ref: 0046133D

FindFirstFileA.KERNEL32(00000000,?,?,?,?,\*.*,?), ref: 00460952
FindNextFileA.KERNEL32(00000000,?), ref: 00460ACC
FindClose.KERNEL32(00000000,?,?,?,?,004C7294,?,00000000), ref: 00460ADC
FindClose.KERNEL32(00000000), ref: 00460B3E

Strings

hJ, xrefs: 00460963
\*.*, xrefs: 00460918
dJ, xrefs: 004609A0

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Find$CloseFilelstrlen$AllocFirstGlobalNextlstrcpy
String ID: \*.*$dJ$hJ
API String ID: 3929334685-1448168866
Opcode ID: 52271b071512a737904fc7763fd760a5e48ba3de4186738a5bf15372ca40ace7
Instruction ID: 7e5c65baf51056860a89a8a515520270ca18ffa2217654b1f19371693cdf3ce9
Opcode Fuzzy Hash: 52271b071512a737904fc7763fd760a5e48ba3de4186738a5bf15372ca40ace7
Instruction Fuzzy Hash: E98197711083859FD320EB61C4A1BEBB7D8AF65348F08095EF4C593292FB789548C76B

Function 00460E30 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 200fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004612B0: lstrlenA.KERNEL32(?,?,?,00460E96,?), ref: 004612BE
Part of subcall function 004612B0: GlobalAlloc.KERNEL32(00000040,00000001), ref: 004612CD
Part of subcall function 004612B0: lstrcpyA.KERNEL32(00000000,?), ref: 004612DB

FindFirstFileA.KERNEL32(00000000,?,?,?,?,*.*,004AE560,00000000,00000001,00000001,?), ref: 00460F0B

Part of subcall function 00461330: lstrlenA.KERNEL32(?,?,?,00000000,00460ED2,*.*,004AE560,00000000,00000001,00000001,?), ref: 0046133D

Part of subcall function 00460E30: FindNextFileA.KERNEL32(00000000,?), ref: 0046104B
Part of subcall function 00460E30: FindClose.KERNEL32(00000000,00000000,?,?,?,004AE560,?), ref: 0046105B

FindClose.KERNEL32(00000000), ref: 0046109B

Strings

hJ, xrefs: 00460F1C
*.*, xrefs: 00460EC4
dJ, xrefs: 00460F56

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Find$CloseFilelstrlen$AllocFirstGlobalNextlstrcpy
String ID: *.*$dJ$hJ
API String ID: 3929334685-37887676
Opcode ID: e5592183448851d82124c4a536bff374af0aeba224444b8e3a0c2919bf7731b4
Instruction ID: d6c834dd1924936896de789e421c80246b55ae8f4314bb092815a95fd8bb9d36
Opcode Fuzzy Hash: e5592183448851d82124c4a536bff374af0aeba224444b8e3a0c2919bf7731b4
Instruction Fuzzy Hash: EA71A8311083819BC724EB21C8A1AFF77E8AF55358F08095EF495932A1FB7D9948C75B

Function 0042F460 Relevance: 12.1, APIs: 8, Instructions: 88clipboardmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000042,?), ref: 0042F4D7
GlobalLock.KERNEL32(00000000), ref: 0042F4F3
GlobalUnlock.KERNEL32(00000000), ref: 0042F515
OpenClipboard.USER32(00000000), ref: 0042F51D
GlobalFree.KERNEL32(00000000), ref: 0042F529
EmptyClipboard.USER32 ref: 0042F531
SetClipboardData.USER32(?,00000000), ref: 0042F543
CloseClipboard.USER32 ref: 0042F549

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 453615576-0
Opcode ID: c47e48df6d76d34568b3832f6282ec5adef880b6a0193e109d7486118a69ee88
Instruction ID: 16869c1168994d88b40402560a39d123c4a6bf6786911d47337aaa4141892639
Opcode Fuzzy Hash: c47e48df6d76d34568b3832f6282ec5adef880b6a0193e109d7486118a69ee88
Instruction Fuzzy Hash: 42317C71304611ABC714EF69DC49A2FB7E8AB88B14F844A3DF95693291DB38DC04CB65

Function 00479FDA Relevance: 12.1, APIs: 8, Instructions: 72stringfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00479FDF
GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?), ref: 00479FFD
lstrcpynA.KERNEL32(?,?,00000104), ref: 0047A00C
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0047A040
CharUpperA.USER32(?), ref: 0047A051
FindFirstFileA.KERNEL32(?,?), ref: 0047A067
FindClose.KERNEL32(00000000), ref: 0047A073
lstrcpyA.KERNEL32(?,?), ref: 0047A083

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
String ID:
API String ID: 304730633-0
Opcode ID: 675fc4c2181ac2e417a96c5766df013ad0cf1a80569140ea62d693d8405e24ef
Instruction ID: a83500a5e615f5ac76855813f20c18bd967e15967c781367e6680be0863dc6c8
Opcode Fuzzy Hash: 675fc4c2181ac2e417a96c5766df013ad0cf1a80569140ea62d693d8405e24ef
Instruction Fuzzy Hash: 56218C31400158BBCB219F65DC48EEF7FBCEF45764F04892AF919E21A0D7348A55CBA9

Function 00460BC0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 173fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,*.*), ref: 00460C7A
FindNextFileA.KERNEL32(?,?), ref: 00460DB2
FindClose.KERNEL32(00000000), ref: 00460DC5

Part of subcall function 004612B0: lstrlenA.KERNEL32(?,?,?,00460E96,?), ref: 004612BE
Part of subcall function 004612B0: GlobalAlloc.KERNEL32(00000040,00000001), ref: 004612CD
Part of subcall function 004612B0: lstrcpyA.KERNEL32(00000000,?), ref: 004612DB

Part of subcall function 00461330: lstrlenA.KERNEL32(?,?,?,00000000,00460ED2,*.*,004AE560,00000000,00000001,00000001,?), ref: 0046133D

Part of subcall function 0046B99C: GetFileAttributesA.KERNEL32(?,0046019C,?,00000000), ref: 0046B9A0
Part of subcall function 0046B99C: GetLastError.KERNEL32 ref: 0046B9AB

Strings

hJ, xrefs: 00460C8D
*.*, xrefs: 00460C61
dJ, xrefs: 00460CC7

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: FileFind$lstrlen$AllocAttributesCloseErrorFirstGlobalLastNextlstrcpy
String ID: *.*$dJ$hJ
API String ID: 4094057808-37887676
Opcode ID: 80abf198616c127e90eaeb69491a387f4bf27b94e8c6999431129a3f7c43a193
Instruction ID: 9d00d858cc4897ca401a5b2545ea6fc8690a2170cbb726d93463aa433519dec9
Opcode Fuzzy Hash: 80abf198616c127e90eaeb69491a387f4bf27b94e8c6999431129a3f7c43a193
Instruction Fuzzy Hash: 3751A4714183819BC324DF61C851BABB7E8AFA5748F044A1DF895C3291FB39E908CB5B

Function 00409FA0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00479323: InterlockedIncrement.KERNEL32(-000000F4), ref: 00479338

FindFirstFileA.KERNEL32(?,?,*.*), ref: 0040A03A

Part of subcall function 004771FD: __EH_prolog.LIBCMT ref: 00477202

Part of subcall function 004795AE: InterlockedDecrement.KERNEL32(-000000F4), ref: 004795C2

SendMessageA.USER32 ref: 0040A0E0
FindNextFileA.KERNEL32(?,00000010), ref: 0040A0EC
FindClose.KERNEL32(?), ref: 0040A0FF
SendMessageA.USER32(?,00001102,00000002,?), ref: 0040A111

Strings

*.*, xrefs: 0040A022

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Find$FileInterlockedMessageSend$CloseDecrementFirstH_prologIncrementNext
String ID: *.*
API String ID: 2486832813-438819550
Opcode ID: 66e8e32dcc744e10c881d32d7faf5a53a61ecb6cd11160042f590ca081a761c7
Instruction ID: 51784dba3094fd67f3ef283365237c96af9eb2926a674296c80fb26d51676e11
Opcode Fuzzy Hash: 66e8e32dcc744e10c881d32d7faf5a53a61ecb6cd11160042f590ca081a761c7
Instruction Fuzzy Hash: 3E41A071508345ABD720DF64C841BEFB7E8BB88714F04892EF599832D0EBB9D909CB56

Function 0042F5C0 Relevance: 10.6, APIs: 7, Instructions: 89clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0042F5ED
GetClipboardData.USER32(?), ref: 0042F606
CloseClipboard.USER32 ref: 0042F612
GlobalSize.KERNEL32(00000000), ref: 0042F648
GlobalLock.KERNEL32(00000000), ref: 0042F650
GlobalUnlock.KERNEL32(00000000), ref: 0042F668
CloseClipboard.USER32 ref: 0042F66E

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Clipboard$Global$Close$DataLockOpenSizeUnlock
String ID:
API String ID: 2237123812-0
Opcode ID: 0087beb52b2ff2e4f12ecf48c97015fc112a840b57389c5dba70dd64426f9adc
Instruction ID: 9a7acf6f1fd22ecfb472500222ba71e88c8d810d56fc864518f9a117feccbbaa
Opcode Fuzzy Hash: 0087beb52b2ff2e4f12ecf48c97015fc112a840b57389c5dba70dd64426f9adc
Instruction Fuzzy Hash: CD214D313006119FDA14AB65EC88A7F77E9EF88355F48093EF905C3250EB29DD15CB6A

Function 0043EF3D Relevance: 10.5, Strings: 8, Instructions: 498COMMON

Download Yara Rule

Strings

rgb-alpha color-map: too few entries, xrefs: 0043F242
bad data option (internal error), xrefs: 0043F6D8
bad background index (internal error), xrefs: 0043F7CF
rgb[gray] color-map: too few entries, xrefs: 0043EFBF
rgb color-map: too few entries, xrefs: 0043F14C
rgb[ga] color-map: too few entries, xrefs: 0043EF84
color map overflow (BAD internal error), xrefs: 0043F729
rgb+alpha color-map: too few entries, xrefs: 0043F187

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: bad background index (internal error)$bad data option (internal error)$color map overflow (BAD internal error)$rgb color-map: too few entries$rgb+alpha color-map: too few entries$rgb-alpha color-map: too few entries$rgb[ga] color-map: too few entries$rgb[gray] color-map: too few entries
API String ID: 0-1509944728
Opcode ID: 6aa8db2f4cb7ea653a854f807459aab497f03e4e68805e5f8db89572ff3a9a6e
Instruction ID: 33278443c15c80f93b5937f8b2434015b78ef929f21b5e0fb5825aea3fde593b
Opcode Fuzzy Hash: 6aa8db2f4cb7ea653a854f807459aab497f03e4e68805e5f8db89572ff3a9a6e
Instruction Fuzzy Hash: 63022571A043019BE714DF14C882B6BB7D5EB98308F14153EF8889B392E7BCD849C79A

Function 00440E10 Relevance: 8.0, Strings: 6, Instructions: 536COMMON

Download Yara Rule

Strings

unknown interlace type, xrefs: 00440EA7
unexpected bit depth, xrefs: 00440EE3
unexpected compose, xrefs: 00440E54
lost rgb to gray, xrefs: 00440E40
lost/gained channels, xrefs: 00440E70
unexpected 8-bit transformation, xrefs: 00440E89

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: lost rgb to gray$lost/gained channels$unexpected 8-bit transformation$unexpected bit depth$unexpected compose$unknown interlace type
API String ID: 0-3614292578
Opcode ID: b2419220b797628e5fa5677aec4e7414d149872b47778db5f86e0fd686a5f427
Instruction ID: 7e15b961ceb1fc186352043d39b9e59dc490cab0fc8f09aea8455284b06ba459
Opcode Fuzzy Hash: b2419220b797628e5fa5677aec4e7414d149872b47778db5f86e0fd686a5f427
Instruction Fuzzy Hash: BC1205317083418FD714CF28C88066EB7E2BBC9304F54493EF99987791D679E986CB8A

Function 00412D40 Relevance: 6.1, APIs: 4, Instructions: 94fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(?,?), ref: 00412D92
FindClose.KERNEL32 ref: 00412DA1
FindFirstFileA.KERNEL32(?,?), ref: 00412DAD
FindClose.KERNEL32(00000000), ref: 00412E0B

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 40d86da247237916451ceab422759565ba303d6ed709358752b780e0326b7d57
Instruction ID: 3664b25684d1ab0ef82a0b021139edef14ac5ea7df89259b852c8fa1c4cc420a
Opcode Fuzzy Hash: 40d86da247237916451ceab422759565ba303d6ed709358752b780e0326b7d57
Instruction Fuzzy Hash: 21210F325047115BD3319A24EE447FB7394EB85714F19062AED25D73C0E7BDDCA6438A

Function 0047CB8D Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047D7F0: GetWindowLongA.USER32(?,000000F0), ref: 0047D7FC

GetKeyState.USER32(00000010), ref: 0047CBB1
GetKeyState.USER32(00000011), ref: 0047CBBA
GetKeyState.USER32(00000012), ref: 0047CBC3
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 0047CBD9

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 5fab96de220e08426ace50a467439b6988780ac01f4ed5fe86994204a9dd77b0
Instruction ID: ebbdc5dfcf7c9bc3d34fc7f9663d7525ce1ddd41f9d57449619012d3c3b243f5
Opcode Fuzzy Hash: 5fab96de220e08426ace50a467439b6988780ac01f4ed5fe86994204a9dd77b0
Instruction Fuzzy Hash: 69F0A776744746A6EA2436F62CC3FEA51144F40FD8F04853FBB05EE1D18AD9A8035A79

Function 00449360 Relevance: 5.5, Strings: 4, Instructions: 485COMMON

Download Yara Rule

Strings

invalid user transform pixel depth, xrefs: 004495D9
internal row width error, xrefs: 004493ED
internal row logic error, xrefs: 004493A5
internal row size calculation error, xrefs: 004493DB

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: internal row logic error$internal row size calculation error$internal row width error$invalid user transform pixel depth
API String ID: 0-64619857
Opcode ID: 8bbd2ca25a4a384a0c298b57712634bf325e32013aea71f5813004f1fba4a7af
Instruction ID: 90c452cff6a6efcc309442feaa2c09f51b139a84c6adb3fee25201927b161412
Opcode Fuzzy Hash: 8bbd2ca25a4a384a0c298b57712634bf325e32013aea71f5813004f1fba4a7af
Instruction Fuzzy Hash: EAF167326083558FEB24DE38D9902BFBBD1EFC6310F58456ED88587302E6399C0AD796

Function 00426400 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,4004667F,?), ref: 00426432
recvfrom.WS2_32(00000000,00000000,?,00000000,00000000,00000000), ref: 00426480

Strings

`qA, xrefs: 004264B8

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ioctlsocketrecvfrom
String ID: `qA
API String ID: 217199969-2154376067
Opcode ID: 6ce3034b2b95a4ca8bc16496cdda2215ba1ef7fd9ab56f795cf0177249edd04b
Instruction ID: ec0fa5df2da48060fba717d6e31deebfc0d959721d538c214587555a884a5726
Opcode Fuzzy Hash: 6ce3034b2b95a4ca8bc16496cdda2215ba1ef7fd9ab56f795cf0177249edd04b
Instruction Fuzzy Hash: 6C218471204601ABC314EF24C845B6FB7E4AF84724F108B1EF09A932D0D738DD04CB59

Function 0043F4A2 Relevance: 5.2, Strings: 4, Instructions: 245COMMON

Download Yara Rule

Strings

bad data option (internal error), xrefs: 0043F6D8
bad background index (internal error), xrefs: 0043F7CF
color map overflow (BAD internal error), xrefs: 0043F729
palette color-map: too few entries, xrefs: 0043F520

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: bad background index (internal error)$bad data option (internal error)$color map overflow (BAD internal error)$palette color-map: too few entries
API String ID: 0-3263629853
Opcode ID: 0613092f0ace483c6f2ed0e236a07a982d77b1e79b3b2ee0e4c6ab28acca6d6a
Instruction ID: 5acf86d5069418d368041a9b73b7f60ad6141dbf7baa855a957a983799af05fe
Opcode Fuzzy Hash: 0613092f0ace483c6f2ed0e236a07a982d77b1e79b3b2ee0e4c6ab28acca6d6a
Instruction Fuzzy Hash: 1281E371A08201AFD718CF18C891A6FB7E5EBDC304F54552EF08687361D379DC46879A

Function 0042DCC0 Relevance: 4.8, APIs: 3, Instructions: 308keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 0042DCE0
GetKeyState.USER32(00000011), ref: 0042DCF0
CopyRect.USER32(00000000,00000000), ref: 0042DDC5

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: State$CopyRect
String ID:
API String ID: 4142901696-0
Opcode ID: 00de61e93bdbae748e69bee501dcdb9e875f5cee1d3c52b91e110e2c06b0cce5
Instruction ID: dce291baf3650cafddf14e5f7c6f3bde628c088646f9328e83234652d37ad8e0
Opcode Fuzzy Hash: 00de61e93bdbae748e69bee501dcdb9e875f5cee1d3c52b91e110e2c06b0cce5
Instruction Fuzzy Hash: F2A1C1707043219BD628DA14E981F7BB3E5ABC8704F91481EF5869B380D7AAEC45879E

Function 0046C7CA Relevance: 4.6, APIs: 3, Instructions: 75timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0046C7D7
GetSystemTime.KERNEL32(?), ref: 0046C7E1
GetTimeZoneInformation.KERNEL32(?), ref: 0046C836

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Time$InformationLocalSystemZone
String ID:
API String ID: 2475273158-0
Opcode ID: dc48934cfac1f77103c576b6f6f7a05b928112a32c4f0f3263b11d64d515ac2e
Instruction ID: 72dd2472fc56987dde3d1c9023a215753ae4cac8b21691ef9ef1ac6b271c2edd
Opcode Fuzzy Hash: dc48934cfac1f77103c576b6f6f7a05b928112a32c4f0f3263b11d64d515ac2e
Instruction Fuzzy Hash: 09214F3990011AE5CF60BF94D848AFE72B9BB18711F900556F891A72D0E37C8D86C7AD

Function 0041B3D0 Relevance: 4.5, APIs: 3, Instructions: 49keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0041B401
GetKeyState.USER32(00000010), ref: 0041B416
GetKeyState.USER32(00000012), ref: 0041B42B

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 2de802864c9613af45c1394fda6545c91a93b66b460ddbc8f9fdb2baa4824495
Instruction ID: 1d35725cb8a4d0262ca3ac26f15305e91d55fc871973c354da70a8c29c16881f
Opcode Fuzzy Hash: 2de802864c9613af45c1394fda6545c91a93b66b460ddbc8f9fdb2baa4824495
Instruction Fuzzy Hash: 2101213AC416A945EF342665AA087F24601C710B50F9AC077CD0C37793878C0CC623EB

Function 00468C42 Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d453fa2544fa2eefd26ab3e882d4a878d0eb187f05776c99fffed8dcb8b038ac
Instruction ID: 955a725d8846f08e36daf97ab98ec6a726a8d9b3e6c3ef63855fb7c33dde70f1
Opcode Fuzzy Hash: d453fa2544fa2eefd26ab3e882d4a878d0eb187f05776c99fffed8dcb8b038ac
Instruction Fuzzy Hash: 7FF08C31205009AECF01AF61CD089BE3B6CAB00744F04852AF81694021EF39CA169B6B

Function 0047E6B4 Relevance: 4.5, APIs: 3, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 0047E6DB
GetKeyState.USER32(00000011), ref: 0047E6E4
GetKeyState.USER32(00000012), ref: 0047E6ED

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: b80ff78519e9a535d35732aebb26073e5a5ef7a232756518d5e9d4b2be85348e
Instruction ID: b9031d53043acebf89a92b2246e6cfe2be6ee6d6c02020d4fd192bdb5b58482b
Opcode Fuzzy Hash: b80ff78519e9a535d35732aebb26073e5a5ef7a232756518d5e9d4b2be85348e
Instruction Fuzzy Hash: C8E09B3954027ADDEB0053CF9900FD576905B28790F80C6D7E74CAB092DAE8888397AD

Function 0041D710 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 638COMMON

Download Yara Rule

Strings

`qA, xrefs: 0041DAB6, 0041DE2D, 0041DEC4

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: `qA
API String ID: 0-2154376067
Opcode ID: e7b4d2ed7e4a998abd7c7414941d666345490845e36009d3b21aa517eb7b1844
Instruction ID: 7580f955e47973dd2d6e9998ff8b832f4f68af9483b336c2a4b4775baae53725
Opcode Fuzzy Hash: e7b4d2ed7e4a998abd7c7414941d666345490845e36009d3b21aa517eb7b1844
Instruction Fuzzy Hash: 6E32D5B1E04205DFCB14DFA8C881BEEB7B5BF48314F24426AE516A7381D738AD81CB95

Function 0043C9A0 Relevance: 4.0, Strings: 3, Instructions: 200COMMON

Download Yara Rule

Strings

copyright violation: edited ICC profile ignored, xrefs: 0043CB37
out-of-date sRGB profile with no signature, xrefs: 0043CB96
known incorrect sRGB profile, xrefs: 0043CB7E

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: copyright violation: edited ICC profile ignored$known incorrect sRGB profile$out-of-date sRGB profile with no signature
API String ID: 0-1307623137
Opcode ID: 915df5c12261b5b3f5179cd46e272c38edae3ad50e8cc6cba60166aa2d03cea3
Instruction ID: c68fc3239f23dfc4c1b00899493554f203ff490ea23c200a588ce9b68b118492
Opcode Fuzzy Hash: 915df5c12261b5b3f5179cd46e272c38edae3ad50e8cc6cba60166aa2d03cea3
Instruction Fuzzy Hash: 3F5147B2B0878107DB28DE395C9176BFBE25FD9304F09986DE4D6D7302E524E409C768

Function 0047BE2E Relevance: 3.4, APIs: 2, Instructions: 422COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0047BE33
GetVersion.KERNEL32(00000007,?,?,00000000,00000000,?,0000C000,00000000,00000000,00000007), ref: 0047BFE6

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: H_prologVersion
String ID:
API String ID: 1836448879-0
Opcode ID: 339f114ce39716bceb613f0927d9fedccbd5e7d0c24ccbd30f7ce888a6c1a7a5
Instruction ID: 8edecc6ef81b30700c54bd4965b560e762633077e3b44db0d5d5f329c1a00fce
Opcode Fuzzy Hash: 339f114ce39716bceb613f0927d9fedccbd5e7d0c24ccbd30f7ce888a6c1a7a5
Instruction Fuzzy Hash: 73E16E71600209EBDB14DFA5CC80BFE77A9EF04714F10C55AF819EA292D738D911DBAA

Function 0044AB50 Relevance: 3.3, Strings: 2, Instructions: 788COMMON

Download Yara Rule

Strings

invalid background gamma type, xrefs: 0044B35C
libpng does not support gamma+background+rgb_to_gray, xrefs: 0044AFDC

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: invalid background gamma type$libpng does not support gamma+background+rgb_to_gray
API String ID: 0-3995106164
Opcode ID: dbdeea499f170d5dbde07c552715ed3cdb0ff37d467b12b748d9d5e42d96aec7
Instruction ID: 485b4c7123f8cb256ada6ee778d08cd35e8a707784d2136a66fc6c5e6126ad50
Opcode Fuzzy Hash: dbdeea499f170d5dbde07c552715ed3cdb0ff37d467b12b748d9d5e42d96aec7
Instruction Fuzzy Hash: B6623835504B814AE3219F35C8417F7FBE1EF9A304F08896ED9EA87342E639E415C79A

Function 00416BB0 Relevance: 3.2, APIs: 2, Instructions: 209windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00416CE0

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: 713d0b0564593b987a1961ce68074d955352068c0860a684a8aaee25b4e65782
Instruction ID: 73822546fb2965b9d4067d51f8fc3497fa97246c0302675353e5f298b79b494d
Opcode Fuzzy Hash: 713d0b0564593b987a1961ce68074d955352068c0860a684a8aaee25b4e65782
Instruction Fuzzy Hash: 4381AC76214711CFD310CF28D480B8AB7E5FBA9310F10886EE49ACB350D376E886CBA5

Function 0041B220 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 0041B230
FindClose.KERNEL32(00000000), ref: 0041B23C

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 6cd3cbb0a5e78fe62a03f4095f64469efe2176a563fe1ffbd619e908ec996969
Instruction ID: 0a8bfa3afd1b22ba9efe3a8dd4f2d879ac9e2b0a39b7b8a2f2361e7a77d0fb49
Opcode Fuzzy Hash: 6cd3cbb0a5e78fe62a03f4095f64469efe2176a563fe1ffbd619e908ec996969
Instruction Fuzzy Hash: BFD05E744006005BE7159B74DC096BE3398A74C310FCC0A28BD2CC12E0E63ECC588651

Function 0043FA00 Relevance: 2.9, Strings: 2, Instructions: 445COMMON

Download Yara Rule

Strings

color-map index out of range, xrefs: 0043FA4F
bad encoding (internal error), xrefs: 0043FBAD

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: bad encoding (internal error)$color-map index out of range
API String ID: 0-7351992
Opcode ID: 3f6c68d81a5d4ee8bde09f41146708d81bdf140c02277d60488f7b7df2c8df5c
Instruction ID: d9ce653ecb8a9da0ad343cfae06d85cf9fc4986d7a576fcc8de47f727f751aa2
Opcode Fuzzy Hash: 3f6c68d81a5d4ee8bde09f41146708d81bdf140c02277d60488f7b7df2c8df5c
Instruction Fuzzy Hash: BDF1E472E083024BC718DF28C89126AB7D1FBDD304F054A7EE999D7751E638E909C795

Function 00463EE0 Relevance: 2.9, Strings: 2, Instructions: 405COMMON

Download Yara Rule

Strings

K, xrefs: 00463F03
P, xrefs: 00463EF4

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: K$P
API String ID: 0-420285281
Opcode ID: 1c7b2ccdeeeddba721736ec1dc4bfc125495b0ad89618cf55ada5aa0aec28a9a
Instruction ID: 4987b1b5730ddd6f98cf2aefb9a17a3bbcd9a54b240708a5f4e1aafa9caa4864
Opcode Fuzzy Hash: 1c7b2ccdeeeddba721736ec1dc4bfc125495b0ad89618cf55ada5aa0aec28a9a
Instruction Fuzzy Hash: FAD18D30119381AFD621CB698CC0EABFBF9AFDAB00F44490DF6D583291D6A1E5498766

Function 00463AF0 Relevance: 2.8, Strings: 2, Instructions: 275COMMON

Download Yara Rule

Strings

PTU, xrefs: 00463B0B, 00463B11
K, xrefs: 00463B13

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: K$PTU
API String ID: 0-3860820754
Opcode ID: d9d7c021faa5aa006803064c67ea797f7eddb5ea43c61edc3565542cf26a862f
Instruction ID: 1a75eb4539a1f84ef12f76d2579aa1b5157394e0c53fa3f455c34d8f904b1463
Opcode Fuzzy Hash: d9d7c021faa5aa006803064c67ea797f7eddb5ea43c61edc3565542cf26a862f
Instruction Fuzzy Hash: B991913011A3856EDB04DB688CC0E9BFBED9FD6704F04494EFA809B296D5E1D549CBB2

Function 0044A360 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Row has too many bytes to allocate in memory, xrefs: 0044A62C
VUUU, xrefs: 0044A478

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: Row has too many bytes to allocate in memory$VUUU
API String ID: 0-4092465491
Opcode ID: 5b8bb55a786642afb1015ede935373bb745e7aaf1ee28193f8907c1304cdf43a
Instruction ID: 96638fea931af0021c4e42e33cacdfe70d3ff9ee1ca71eb7a11265c2d27446c1
Opcode Fuzzy Hash: 5b8bb55a786642afb1015ede935373bb745e7aaf1ee28193f8907c1304cdf43a
Instruction Fuzzy Hash: 03916D71644F404BF7298A38CC5A3FBB3D2AB95314F58492ED5ABC7392E67C6850830A

Function 00424660 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

MTrk, xrefs: 004247DC
d, xrefs: 004248A4

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: MTrk$d
API String ID: 0-4044675371
Opcode ID: 44cbe7efe90a3faff257c61787e700670401ba367266dcd0a9b6a624e246d2b0
Instruction ID: a55e2529243f2b4033813cfcba43d18a269039476818e00c551f2814c068b569
Opcode Fuzzy Hash: 44cbe7efe90a3faff257c61787e700670401ba367266dcd0a9b6a624e246d2b0
Instruction Fuzzy Hash: 5B91E475B007158FD718DF29D88096AB7E2EFC8314B94893EE85ACB341DB38E905CB58

Function 0043C810 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

ICC profile tag start not a multiple of 4, xrefs: 0043C8D9
ICC profile tag outside profile, xrefs: 0043C928

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: ICC profile tag outside profile$ICC profile tag start not a multiple of 4
API String ID: 0-2051163487
Opcode ID: 42d2138ee3d5921c796eb730538b427a85791a61cea8c96c4547c1671dce7cdf
Instruction ID: 049e412f8f3cbab0d4856bca2c266d690a7479ff8d7b8b87c3b138f369d5df7f
Opcode Fuzzy Hash: 42d2138ee3d5921c796eb730538b427a85791a61cea8c96c4547c1671dce7cdf
Instruction Fuzzy Hash: 873100F360879107E72CCA2D9CA16A7BBD2ABCC244F1DD96DE4EAC3301E82496058758

Function 0045F500 Relevance: 1.6, Strings: 1, Instructions: 334COMMON

Download Yara Rule

Strings

(J, xrefs: 0045F782

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: (J
API String ID: 0-2968454112
Opcode ID: 4bd93b7fd3000e45d8c99c8bf91ab9af7a4c09d249f082f78b13b7751ea02012
Instruction ID: c18390630d5223e08482fa3107076a7bea75f6c9172922aa096dd72a01b550d4
Opcode Fuzzy Hash: 4bd93b7fd3000e45d8c99c8bf91ab9af7a4c09d249f082f78b13b7751ea02012
Instruction Fuzzy Hash: 86C1A0756087518FC718CF2DD5A012AFBE1FB8D310F194A7EE89A93752C734A819CB89

Function 0047512D Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000750E7), ref: 00475132

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7020b502afdf6240576df955543f6b9ff5e99816191890b31b79a6cffbdd2bc2
Instruction ID: de14747691b41c346cb4cabdde4353959ca2c6d030f7bbfd6015f15762a8623c
Opcode Fuzzy Hash: 7020b502afdf6240576df955543f6b9ff5e99816191890b31b79a6cffbdd2bc2
Instruction Fuzzy Hash: 07A002F4546B819B97516F72BC4D9983A60B744B12B3884BEE84685364DBB40840DF5D

Function 0047513F Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00475144

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e1ba9acd733b7c20b08d013c2f5b068657642bf2f602079443bd3ef7c4eb4fec
Instruction ID: 55da2a21d2fd260fa81bcb61e0e114c43a36dd748180708e9c988e09cd44d877
Opcode Fuzzy Hash: e1ba9acd733b7c20b08d013c2f5b068657642bf2f602079443bd3ef7c4eb4fec
Instruction Fuzzy Hash:

Function 0044EE70 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

aC, xrefs: 0044EE7B

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: aC
API String ID: 0-2630910332
Opcode ID: 8b353d0773b41f47809e1cfa63d2845d7c940ebf712ed092f1ebc412c1b2d8c3
Instruction ID: ce375c94616b5572d34646e070ea424ea90d84af8abd2202ae62645e7f20298f
Opcode Fuzzy Hash: 8b353d0773b41f47809e1cfa63d2845d7c940ebf712ed092f1ebc412c1b2d8c3
Instruction Fuzzy Hash: CA41D4327009511BE778CA2BD4A01EBB7D3EBC6301B28C86FD59ECB725C5356409CB84

Function 00462B00 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

bad d_code, xrefs: 00462BFE

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: bad d_code
API String ID: 0-2582332627
Opcode ID: 8c61c6db84738744d76871f123a1259b45404b1061fbf194b793605eeba35169
Instruction ID: 90e9367da10aa42216606942fdd307c9687a8893c99826fd95930b7e9e6e73e7
Opcode Fuzzy Hash: 8c61c6db84738744d76871f123a1259b45404b1061fbf194b793605eeba35169
Instruction Fuzzy Hash: FE411271208642AFC314DF29D941AFB77E5AF98708F08446EF88987301F674A906C7AB

Function 00465CA0 Relevance: .9, Instructions: 903COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7588268db9ad160e2392b48f534035be178d540a008719f74208fe9ed0531eb1
Instruction ID: a56514411eae0bc4f03c4e7509e882e37929032b0a91075889339eaef5a7a640
Opcode Fuzzy Hash: 7588268db9ad160e2392b48f534035be178d540a008719f74208fe9ed0531eb1
Instruction Fuzzy Hash: 8652C9767447094BD308CE9ACC9159EF3E3ABC8304F498A3CE955C3346EEB8ED0A8655

Function 0045392E Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bed7ae27a1126d3d531e962ff7eb08a1e4931150582efa18b7b7e0332088c73
Instruction ID: b669ceeef5103c45fdf624fb30eaab8584e89b0ac7d53b2bc605275b329c92cf
Opcode Fuzzy Hash: 0bed7ae27a1126d3d531e962ff7eb08a1e4931150582efa18b7b7e0332088c73
Instruction Fuzzy Hash: 241251B16043018FCB18CF19C59062BBBE6EBC9346F14896EE885CB346E774DD49CB95

Function 00453B7E Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e97a2dcb69cd549efd33fe435b2d168f915536065213655221918a9423c2d8d
Instruction ID: d9284208bf754f341bc50a73591837cfe377b23804a19ff7faf507886035fe9e
Opcode Fuzzy Hash: 5e97a2dcb69cd549efd33fe435b2d168f915536065213655221918a9423c2d8d
Instruction Fuzzy Hash: 2D1251B16043018FCB18CF19C59062BBBE6EBC9346F14896EE885CB346E774DD49CB95

Function 0045B750 Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaafa10d057adb48c3d539226cda34edf924db5b6f20f8bcbf06ad9c7162e3bf
Instruction ID: ac236b65868a753a6c01679e6d5202f1e963b0f73a691795d1cd8a9569f3c330
Opcode Fuzzy Hash: aaafa10d057adb48c3d539226cda34edf924db5b6f20f8bcbf06ad9c7162e3bf
Instruction Fuzzy Hash: 3A123F746087018FC708CF29D590A2ABBE1FF88315F14896EE89AC7752D734E949CF99

Function 00475EC1 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a0851634cfcd7688d8e2932b25622bc8d10c8e40d4d5ff29afc99f47341a1c
Instruction ID: 1290e4eed1a381540f5cef23bc797eeba7d5112fcb65abeacc38256bd8f1d2c7
Opcode Fuzzy Hash: 97a0851634cfcd7688d8e2932b25622bc8d10c8e40d4d5ff29afc99f47341a1c
Instruction Fuzzy Hash: 28E11530E55A498EEF25CF58C9153FE7BB2EB04300F69C05BD409AA292C77D8982C75E

Function 0044DD30 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f054bb5a8d078b8f9bc369e9e5b4286debad71bae45e17749ce6416cb7e491
Instruction ID: 647d5aef08561b674ed581b5c526d6f95d19906d7ee7afad09fb98dd370d649d
Opcode Fuzzy Hash: 76f054bb5a8d078b8f9bc369e9e5b4286debad71bae45e17749ce6416cb7e491
Instruction Fuzzy Hash: D0C1442174E6924FEB198E6D94E92BBFFD1EB6A310B0881FEC9D5CB323C5258409C354

Function 0044E430 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7d6e5bdf9180fc249a7cdffd82ac3d4432134ef2b1545fd9ebd85a9bab015f
Instruction ID: 5b404b94533f9d7d9866a8a203b00bec3badbfbd146f8a4a96fd66cff575b4b3
Opcode Fuzzy Hash: bd7d6e5bdf9180fc249a7cdffd82ac3d4432134ef2b1545fd9ebd85a9bab015f
Instruction Fuzzy Hash: BFD1C82150D7D28BE722CE2984A03A7FFD1BFA6314F58CADED4D44F342D6669809C396

Function 0045D3D0 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4bfdb248b3fb90f8076a3fe4a1e75f7bd1b50aa5aafde52d762773f77742459
Instruction ID: f6135a06b0282ad4f6f63f7d7023d4769b1bedf7dbee82c89cc3e1ae8551bfb2
Opcode Fuzzy Hash: d4bfdb248b3fb90f8076a3fe4a1e75f7bd1b50aa5aafde52d762773f77742459
Instruction Fuzzy Hash: B9F1CE7290D2408FC3198F18D5989E27BE2FFA9314B1F42FAD4499B363D7329845CB96

Function 00445DD0 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfdbffbc363f92d759cfbb37365f394cc17b51c7ef35fa557d83bc02c10f01f0
Instruction ID: c8deb79ea171fb3a2aae06eb969e8adceac3de7be380e95bd9dd139a8cf982cf
Opcode Fuzzy Hash: cfdbffbc363f92d759cfbb37365f394cc17b51c7ef35fa557d83bc02c10f01f0
Instruction Fuzzy Hash: 4FE1F3B5600A018FD734CF1AC490A26FBF2EF89310B25C96ED59ACB762D735E846CB54

Function 0044C810 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdb0e9a48f9cc5b8454a5ea312c92bd26660b050e477f45892fe8a81102f325
Instruction ID: 68a660025ac0916a848df4ca7aefb29f1f69a3193df7e4101acbe3cf40b7149c
Opcode Fuzzy Hash: dcdb0e9a48f9cc5b8454a5ea312c92bd26660b050e477f45892fe8a81102f325
Instruction Fuzzy Hash: 45D1A1356097828FD325CF29C4D12A6FBE1EF9A304F0C856EE4D99B312D234E806CB95

Function 0044CD29 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e7a137c45b800eb80b095620a607a9c3176366d7daf7cbfc6dae78f233ae48
Instruction ID: 8601d6ed252320510493d9988209289914c25938d5de720c7cddfb6f60b9fb72
Opcode Fuzzy Hash: 30e7a137c45b800eb80b095620a607a9c3176366d7daf7cbfc6dae78f233ae48
Instruction Fuzzy Hash: D9B17C2674A2828BEB656A3C90A03F77FA1DB96310FAC107ED5DAC7742D11F990ED314

Function 004498A0 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634d3c6f822fe932ec4105bab15b9045aa4158b0ed7c0756ca4d71c70af3befd
Instruction ID: 797c78708d6120a8541d6ebe160dab51f79bcc16f3b3a349b9a57eeb5ed5ab08
Opcode Fuzzy Hash: 634d3c6f822fe932ec4105bab15b9045aa4158b0ed7c0756ca4d71c70af3befd
Instruction Fuzzy Hash: 7CD1AD72A097428FE704CF18C49436BBBE1FBD9314F544A2EE49597350D738AE0ADB86

Function 00454AB0 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ac16173427cf5da67b14ac4b7ca56e13fa5ab24a54b43dd7c0b81c48d09c58
Instruction ID: 682064e0f810d932f0f17b8c2a970d79901ea17961bdbf79354754b8fd8b3db1
Opcode Fuzzy Hash: 34ac16173427cf5da67b14ac4b7ca56e13fa5ab24a54b43dd7c0b81c48d09c58
Instruction Fuzzy Hash: 6FD12875210B418FD328CF29C980AA7B7E5FF89309B18492ED8D687B52D735F889CB44

Function 00466E90 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6977bcc1b153c914c7408978c30644b13292ad340430f3ac54ad080647b377f
Instruction ID: 8e1ceef4b50cd28f529b57c28aea8bd2e40c520b942fedc44c772a2d00849596
Opcode Fuzzy Hash: e6977bcc1b153c914c7408978c30644b13292ad340430f3ac54ad080647b377f
Instruction Fuzzy Hash: 56D12775214B418FD324CF29C990AA7B7E5FF89308B14892EE8DA87B41E735F846CB45

Function 0041BA90 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63086771fed5f2931d054b3797012156a4c949c0ac4c228b2c7c4d86cc9e9b04
Instruction ID: db4e51844a190625a78d05e34d10e83d25d3a2483e8c4a575453cb0a147f6739
Opcode Fuzzy Hash: 63086771fed5f2931d054b3797012156a4c949c0ac4c228b2c7c4d86cc9e9b04
Instruction Fuzzy Hash: F7C1BC715087844FD725CE19C4A13EBB7E2EF81700F98885FE5C147766E738A9858BCA

Function 0044D8FE Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209fc5673e656db3213c2d2fbf9a8a4af23a33bfddf6ddf1f62eb543b428bd05
Instruction ID: 8481a2beae4ead387782aa66f7edf4b477ed7b531c59a10d5a30ca2a74311782
Opcode Fuzzy Hash: 209fc5673e656db3213c2d2fbf9a8a4af23a33bfddf6ddf1f62eb543b428bd05
Instruction Fuzzy Hash: 5DC1D0356087C24BD72DDB2894A45FBBFE29FAA300B1ED5BDC48A8B3A3D9215409C744

Function 0045D950 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8bb651f25540cc386ceca50e9d33ad079fe2253c71ab40bff6276ea49b86475
Instruction ID: 659b3f46dd7866d04e4e66e42e31a39134b06edf51181e1dc772e4c084797d0f
Opcode Fuzzy Hash: d8bb651f25540cc386ceca50e9d33ad079fe2253c71ab40bff6276ea49b86475
Instruction Fuzzy Hash: 37D19C756082518FC319CF18E9D88E27BE1BFA8740F0E42F9C94A9B323D7359945CB55

Function 00467C90 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f6535d6b8b2957e0b5270f7536087446572a48a99db73dbeccfe5b3a5c1abb
Instruction ID: 102ce313dd665b4ff09a2a92b962f304856488be598530725c65cf49c5035d7c
Opcode Fuzzy Hash: 30f6535d6b8b2957e0b5270f7536087446572a48a99db73dbeccfe5b3a5c1abb
Instruction Fuzzy Hash: F8D18B752082518FC319CF28E9D88E27BE1BFA8740F0E42F9D94A8B323D7369945CB55

Function 00454610 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192c2d3ca9b688c6fc730256c073ca3d539a18f10cb8cdb7613e2655670f3dbc
Instruction ID: 80e4fd399fde06cf6be41d290ab1c707e179c16568ebd7b8eecccc49aab775d6
Opcode Fuzzy Hash: 192c2d3ca9b688c6fc730256c073ca3d539a18f10cb8cdb7613e2655670f3dbc
Instruction Fuzzy Hash: 28B14975214B418FD324DF29C9909A7B3E5FF89308B18892ED8DACBB52D635F885CB44

Function 00466B60 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89da98ba6fe841f6ba3373786e5c20982ddd97623092b1651690ac4f92731b5
Instruction ID: edc3d99fc1dfa4e723cb50336e298c1e9a1ab3432307869e8a3294d9bc60851a
Opcode Fuzzy Hash: d89da98ba6fe841f6ba3373786e5c20982ddd97623092b1651690ac4f92731b5
Instruction Fuzzy Hash: ABB13575214B408BD328CF29C9909A7B7E6FF89704B19892ED4CAC7B41EA35F841CB49

Function 00471FB6 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: 7bac8f8739d4acdf15103cdf770def85d660761ee48b5ea16b472fb6ce569290
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 74B17A3590024ADFDB25CF04C6D0AE9BBA1FF58318F24C1AED95A5B342C775EA42CB90

Function 00459FC0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
Instruction ID: 4f576039abe9bcdcb6627f187c2b91fa6047153ac82ba442fd4ce4a0adf46cd8
Opcode Fuzzy Hash: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
Instruction Fuzzy Hash: 75A11775A087418FC314CF29C49085AFBF2BFC8714F198A6EE99987325E731E955CB82

Function 0044E200 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4664e54bd8655df0b62760be2564d86677a0bae60cff444b8354291ceb51d8c8
Instruction ID: 3689971e3a96d1f4b5a358eac53365b48eaa5b5f85dda38982338363b596872b
Opcode Fuzzy Hash: 4664e54bd8655df0b62760be2564d86677a0bae60cff444b8354291ceb51d8c8
Instruction Fuzzy Hash: 0171D63550C6828ADB12CF29C444666FFD2BFA6304F0CC6DEC8C99F356D666E909C791

Function 0044D684 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09e427cc0f5c48326d696f622ddb13854d7e20a58c35d846649955e18978596
Instruction ID: ecc24ab14e816d164099ada8df19730459613414a665a225b25063427b650441
Opcode Fuzzy Hash: e09e427cc0f5c48326d696f622ddb13854d7e20a58c35d846649955e18978596
Instruction Fuzzy Hash: 7F71212560D7C24BD72A9B2888A02F6FFE1AFA7301F5D96FED8D64F392C4065409C721

Function 00459520 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction ID: 8ee7d9dbd3e7b0349ad0b192d2280ae42c7538e5d0c3e00f53694cb04399715b
Opcode Fuzzy Hash: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction Fuzzy Hash: C681F73954A7819FC711CF29C0D04A6FBE2BF9E204F5C999DE9C50B317D231A91ACB92

Function 0044BFD0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3724b47e3fae1aaf75b4a2995fdf245a697509258a10bcceebd6786515bcf4d2
Instruction ID: 581f318bfc82b0e7b9031e3b7326b664bba7d4338038577f8217aa410c00fd52
Opcode Fuzzy Hash: 3724b47e3fae1aaf75b4a2995fdf245a697509258a10bcceebd6786515bcf4d2
Instruction Fuzzy Hash: A451F4217097504FE345CF3E989016AFBD29BCE314F1C8A6EC4D9C7712D62598098B95

Function 0044D4D1 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4d2dea2c165661568dc7cef3cf9871e53b13df2d48047b3dc5f70df1b2c506
Instruction ID: d348229da76815d86ada27a335adfbdd3226f150cb8cf84ed2b070ba8737a3eb
Opcode Fuzzy Hash: 4d4d2dea2c165661568dc7cef3cf9871e53b13df2d48047b3dc5f70df1b2c506
Instruction Fuzzy Hash: 7E41363A7192834BD3289E3C84502F7FBA1AF9A300F5847BEC4D5C7742DA29D50AC750

Function 0044D1E6 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c27889d51f487b201adba72a386df83b8ac4b76ef92a9fc20cd27d85f323ea
Instruction ID: 9d7572cb2f470b0bf2707920cb80e092ae8d393ee47570bf6f693825b53b08c0
Opcode Fuzzy Hash: a8c27889d51f487b201adba72a386df83b8ac4b76ef92a9fc20cd27d85f323ea
Instruction Fuzzy Hash: 0451C02960DBD14AD71A9B3C54A96F7FFE29F6B301B4E90EEC4DA8B323C5164008C761

Function 004672C0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
Instruction ID: 3008c9219a3bd929948c44f6a9413c4be8a1d159a56ae405da7803a2f7108b18
Opcode Fuzzy Hash: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
Instruction Fuzzy Hash: 36316F3374958203F71DCA2F8CA12BEEBD34FC522872DD47E99C98B316ECB984168148

Function 00464470 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0270ed3f11b69facbfa01d54a011bff3fb3da6e36442f45604787a81796ff8
Instruction ID: 5e069e4042d85dd10d519bc7dcdd50a33e183cb2ca464a72bacfb8efafc2abe0
Opcode Fuzzy Hash: cd0270ed3f11b69facbfa01d54a011bff3fb3da6e36442f45604787a81796ff8
Instruction Fuzzy Hash: 3E31D522BB65920BD310DEBD9C80277BB93D7DB306B6DC679D584C7B1AC839D8075244

Function 00445AC0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab99120cc8d310d1db545a97aa4e82021b85ea482b9b1a9370ca2248bd62d2cb
Instruction ID: c0ed56492b9f6c2714a20304f08bb49ec68c4f68c3d0198ed1cfd061c35e2d2f
Opcode Fuzzy Hash: ab99120cc8d310d1db545a97aa4e82021b85ea482b9b1a9370ca2248bd62d2cb
Instruction Fuzzy Hash: FC3186627B549207D355CEBD9CC0277B693D7CA206B6DCABCD584D7A1AC43DD8078214

Function 0046B110 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction ID: 192a6884eec176cf098052cbf1a57fe9c0faff84299832fd86adb65d2d9a5213
Opcode Fuzzy Hash: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction Fuzzy Hash: 7E11EBA734014163A6148A2DD8B43F7A395EBC73E0B2D827BD041CB354F7299DC6958A

Function 00436F40 Relevance: 54.5, APIs: 36, Instructions: 459windowsleepCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00436F62

Part of subcall function 0041C8B0: EnumDisplaySettingsA.USER32(00000000,000000FF,?), ref: 0041C8BF

SetStretchBltMode.GDI32(00000000,00000000), ref: 00436F75
SelectObject.GDI32(00000000,00000000), ref: 00436FEC
SelectObject.GDI32(?,?), ref: 00437016
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 00437038
SelectObject.GDI32(?,?), ref: 00437048
SelectObject.GDI32(?,?), ref: 00437054
GetTickCount.KERNEL32 ref: 004370A2
SelectObject.GDI32(?,?), ref: 004370DA
SelectObject.GDI32(00000000,00000000), ref: 004370F6
SelectObject.GDI32(00000000,?), ref: 00437127
DeleteObject.GDI32(00000000), ref: 0043712E
SelectObject.GDI32(00000000,00000000), ref: 0043717E
SelectObject.GDI32(00000000,?), ref: 004371AF
SelectObject.GDI32(00000000,?), ref: 004371B7
SelectObject.GDI32(00000000,?), ref: 00437213
SelectObject.GDI32(00000000,?), ref: 00437223
SetBkColor.GDI32(00000000,?), ref: 00437235
SetBkColor.GDI32(00000000,?), ref: 00437262
SelectObject.GDI32(00000000,?), ref: 004372F2
DeleteObject.GDI32(00000000), ref: 004372F9
SelectObject.GDI32(00000000,?), ref: 00437305
DeleteObject.GDI32(00000000), ref: 0043730C
DeleteDC.GDI32(00000000), ref: 00437319
DeleteDC.GDI32(00000000), ref: 0043731C
SelectObject.GDI32(00000000,?), ref: 00437355
DeleteObject.GDI32(?), ref: 0043735C
IsWindow.USER32(?), ref: 00437366
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,?,?,00CC0020), ref: 004373CA
SelectObject.GDI32(?,?), ref: 00437404
Sleep.KERNEL32(0000000A), ref: 00437450
GetTickCount.KERNEL32 ref: 00437456
DeleteObject.GDI32(00000000), ref: 00437483
DeleteDC.GDI32(00000000), ref: 00437490
DeleteDC.GDI32(?), ref: 00437497
ReleaseDC.USER32(?,00000000), ref: 0043749E

Part of subcall function 00436A60: GetClientRect.USER32(?,?), ref: 00436A87
Part of subcall function 00436A60: __ftol.LIBCMT ref: 00436B5E
Part of subcall function 00436A60: __ftol.LIBCMT ref: 00436B71

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Object$Select$Delete$ColorCountStretchTick__ftol$ClientDisplayEnumModeRectReleaseSettingsSleepWindow
String ID:
API String ID: 2510766597-0
Opcode ID: 033a5f67a6589520d6dc4d14cbd6b7f3aa2d44596120c3ac767594e4f8abd1b3
Instruction ID: 3d2691d1312d896627b7be414a2641ebc3a5f872c6b84f324167ee18c06915f5
Opcode Fuzzy Hash: 033a5f67a6589520d6dc4d14cbd6b7f3aa2d44596120c3ac767594e4f8abd1b3
Instruction Fuzzy Hash: 0B02E3B1204700AFE324DB65CC85F6BB7F9FB89B00F14491DFA9697290C774E8058B29

Function 00435870 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 356windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041BFE0: SendMessageA.USER32(?,00000143,00000000,?), ref: 0041C003

GetProfileStringA.KERNEL32(windows,device,,,,,?,000001F4), ref: 004358C9
GetProfileStringA.KERNEL32(devices,00000000,004C119C,?,00001000), ref: 00435908
GetProfileStringA.KERNEL32(devices,?,,,,,?,000000C8), ref: 0043594A
SendMessageA.USER32(?,00000143,00000000), ref: 00435A0B
SendMessageA.USER32(?,0000014E,?,00000000), ref: 00435A48
SendMessageA.USER32(?,0000014E,?,00000000), ref: 00435AEB
wsprintfA.USER32 ref: 00435B04
wsprintfA.USER32 ref: 00435B2A
wsprintfA.USER32 ref: 00435B50
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00435B83
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00435BAE
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00435BC4
SendMessageA.USER32(?,0000014E,?,00000000), ref: 00435BDB
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00435C1F
wsprintfA.USER32 ref: 00435C32
wsprintfA.USER32 ref: 00435C5C
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00435C82
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00435CC3
wsprintfA.USER32 ref: 00435CD4

Strings

none, xrefs: 00435988
devices, xrefs: 00435903, 00435945
windows, xrefs: 004358C4
device, xrefs: 004358BF
,,,, xrefs: 004358BA, 0043593F

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend$wsprintf$ProfileString
String ID: ,,,$device$devices$none$windows
API String ID: 2373861888-528626633
Opcode ID: 242a381d6c771d62a6ad5f9f88adaa43918d330770a2631af037fb252c0abc1c
Instruction ID: 719a95a20cf6448b5aa9c26a851184c5c165c408b914dac43ceb0772a8db48b6
Opcode Fuzzy Hash: 242a381d6c771d62a6ad5f9f88adaa43918d330770a2631af037fb252c0abc1c
Instruction Fuzzy Hash: 06C1C9B1650B016FD624EB70CC82FEB73A8AF88744F044A1EB55A971C0EB78F605CB59

Function 004122C0 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 293windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041234F
GetWindowRect.USER32(?,?), ref: 004123A6
GetParent.USER32(?), ref: 004123B6
GetParent.USER32(?), ref: 004123E9
GlobalSize.KERNEL32(00000000), ref: 00412433
GlobalLock.KERNEL32(00000000), ref: 0041243B
IsWindow.USER32(?), ref: 00412454
GetTopWindow.USER32(?), ref: 00412491
GetWindow.USER32(00000000,00000002), ref: 004124AA
SetParent.USER32(?,?), ref: 004124D6
SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 00412521
SendMessageA.USER32(?,00008076,00000000,00000000), ref: 00412530
GetParent.USER32(?), ref: 00412543
SendMessageA.USER32(?,00008004,00000000,00000000), ref: 0041255C
GetWindowLongA.USER32(?,000000F0), ref: 00412564
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 00412594
SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 004125A2
IsWindow.USER32(?), ref: 004125EE
GetFocus.USER32 ref: 004125F8
SetFocus.USER32(?,00000000), ref: 00412610
GlobalUnlock.KERNEL32(00000000), ref: 0041261B
GlobalFree.KERNEL32(00000000), ref: 00412622

Strings

`qA, xrefs: 004124EB

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$MessageSend$GlobalParent$Focus$FreeLockLongRectSizeUnlock
String ID: `qA
API String ID: 300820980-2154376067
Opcode ID: af69fca7a35ef5c171024706501e7b3ba82dfb9f5076418c90db1def1353cc8b
Instruction ID: c12e15e4c0e5e94e14824f9c70a5f9f485cc0ec1c6615bc262022118c619378a
Opcode Fuzzy Hash: af69fca7a35ef5c171024706501e7b3ba82dfb9f5076418c90db1def1353cc8b
Instruction Fuzzy Hash: 9DA169B0604701AFD710EF65CC84B6FB7E9BB88700F14891EFA55D7281DBB8E8418B69

Function 00444250 Relevance: 33.5, APIs: 22, Instructions: 452COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000010), ref: 004442D8

Part of subcall function 0048222A: SetBkColor.GDI32(?,?), ref: 00482239
Part of subcall function 0048222A: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0048226B

GetSysColor.USER32(00000014), ref: 00444310
InflateRect.USER32(?,000000FF,000000FF), ref: 00444342
GetSysColor.USER32(00000016), ref: 0044435B
GetSysColor.USER32(0000000F), ref: 0044436B
DrawEdge.USER32(?,?,00000002,0000000F), ref: 004443A4
GetSysColor.USER32(00000014), ref: 004445E9
GetSysColor.USER32(0000000F), ref: 004445FB
GetSysColor.USER32(0000000F), ref: 004442B1

Part of subcall function 00482200: SetBkColor.GDI32(?,?), ref: 0048220A
Part of subcall function 00482200: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00482220

GetSysColor.USER32(0000000F), ref: 00444408
InflateRect.USER32(?,000000FF,000000FF), ref: 00444441
GetSysColor.USER32(00000016), ref: 00444456
GetSysColor.USER32(0000000F), ref: 00444462
InflateRect.USER32(?,?,?), ref: 004444A3
GetSysColor.USER32(00000010), ref: 004444A7
Rectangle.GDI32(?,?,?,?,?), ref: 004444EE
DrawEdge.USER32(?,?,00000002,0000000F), ref: 00444529
DrawEdge.USER32(?,?,00000002,0000000F), ref: 00444630
GetSysColor.USER32(00000010), ref: 0044468D
CreatePen.GDI32(00000000,00000001,00000000), ref: 00444694
InflateRect.USER32(?,?,?), ref: 004446D3
Rectangle.GDI32(?,?,?,?,?), ref: 004446F1

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Color$InflateRect$DrawEdge$RectangleText$Create
String ID:
API String ID: 85069867-0
Opcode ID: 3f17d654f2ea90438f373f070e59371d08943ad2ae84a590e3ebaf0f4b9c724c
Instruction ID: 9524f575a4c86191262fdf315b4195af8fa8346fa94c484226a47d44b6caf9f6
Opcode Fuzzy Hash: 3f17d654f2ea90438f373f070e59371d08943ad2ae84a590e3ebaf0f4b9c724c
Instruction Fuzzy Hash: 6BF15871204701AFD714EF64C884B6FB7E9BBC8704F148A2EF65687291DBB4E805CB56

Function 00417A70 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 245COMMON

Download Yara Rule

APIs

SetWindowRgn.USER32(?,00000000,00000001), ref: 00417AA1
GetWindowRect.USER32(?,?), ref: 00417ACE
BeginPath.GDI32(?), ref: 00417B57
MulDiv.KERNEL32(7FFF0000,?,00007FFF), ref: 00417B70
MulDiv.KERNEL32(00000000,?,00007FFF), ref: 00417B7F
MulDiv.KERNEL32(3FFF0000,?,00007FFF), ref: 00417BA7
MulDiv.KERNEL32(00000000,?,00007FFF), ref: 00417BB6
EndPath.GDI32(?), ref: 00417BD1
PathToRegion.GDI32(?), ref: 00417BDC

Strings

gfff, xrefs: 00417CAA
"%H, xrefs: 00417AE4, 00417CC2, 00417CC3
gfff, xrefs: 00417C9A

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Path$Window$BeginRectRegion
String ID: "%H$gfff$gfff
API String ID: 3989698161-656959165
Opcode ID: a18e4aa915f693e5891dd610c5c50b4645a3bc501272182991e4c88497917778
Instruction ID: 89c97755c272dfc98ac18dbbbbce57a51ad6a2ebf5c65e2d25747fc0868cac66
Opcode Fuzzy Hash: a18e4aa915f693e5891dd610c5c50b4645a3bc501272182991e4c88497917778
Instruction Fuzzy Hash: E881E2B1508741ABC314EF25CC45A6FBBA9EB85704F044D2EF58683290EB38AD49C766

Function 00439610 Relevance: 31.7, APIs: 21, Instructions: 205COMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000022B8), ref: 00439625
EnterCriticalSection.KERNEL32(?), ref: 00439648
LeaveCriticalSection.KERNEL32(?), ref: 00439656
waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 00439678
waveOutPrepareHeader.WINMM(?,?,00000020), ref: 004396C1
waveOutWrite.WINMM(?,?,00000020), ref: 004396CE
EnterCriticalSection.KERNEL32(?), ref: 004396D8
LeaveCriticalSection.KERNEL32(?), ref: 004396E6
EnterCriticalSection.KERNEL32(?), ref: 00439715
ReleaseSemaphore.KERNEL32(?,00000014,00000000), ref: 00439733
LeaveCriticalSection.KERNEL32(?), ref: 0043973A
waveOutPause.WINMM(?), ref: 00439749
waveOutReset.WINMM(?), ref: 00439753
waveOutUnprepareHeader.WINMM(?,00000000,00000020), ref: 00439771
waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 00439796
EnterCriticalSection.KERNEL32(004C11C0), ref: 004397AC
LeaveCriticalSection.KERNEL32(004C11C0), ref: 00439808
CloseHandle.KERNEL32(?), ref: 00439836
CloseHandle.KERNEL32(?), ref: 0043983C
CloseHandle.KERNEL32(?), ref: 00439842
DeleteCriticalSection.KERNEL32(?), ref: 00439848

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CriticalSection$wave$EnterHeaderLeave$CloseHandleUnprepare$DeleteMultipleObjectsPausePrepareReleaseResetSemaphoreWaitWrite
String ID:
API String ID: 361331667-0
Opcode ID: 642c48d0594c0909d6a3ba413b2cc56f9f549875fe937e4382311f210139937e
Instruction ID: 707f5dd4cc716979964c8d25471c3f6a89d45ccd75e720333aaeaf3ecd0dd06a
Opcode Fuzzy Hash: 642c48d0594c0909d6a3ba413b2cc56f9f549875fe937e4382311f210139937e
Instruction Fuzzy Hash: 6A717E75600219AFCB14DF64DC89AAE37A9EF8C704F08592AF906E7351D778DD01CB98

Function 00408420 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 384windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004800B5: __EH_prolog.LIBCMT ref: 004800BA
Part of subcall function 004800B5: BeginPaint.USER32(?,?,?,?,004072F9), ref: 004800E3

Part of subcall function 0047FC66: GetClipBox.GDI32(?,?), ref: 0047FC6D

IsRectEmpty.USER32(?), ref: 00408465
GetCurrentObject.GDI32(?,00000002), ref: 004084AA
GetCurrentObject.GDI32(?,00000001), ref: 004084BD
GetClientRect.USER32 ref: 00408542
CreatePen.GDI32(-00000003,00000000,?), ref: 0040855E
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00408622

Part of subcall function 00480127: __EH_prolog.LIBCMT ref: 0048012C
Part of subcall function 00480127: EndPaint.USER32(?,?,?,?,00407373), ref: 00480149

Strings

gfff, xrefs: 00408792

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CurrentH_prologObjectPaintRect$BeginClientClipCreateEmpty
String ID: gfff
API String ID: 3506841274-1553575800
Opcode ID: d21ca1a36fca8a2d6e87697b9fafa593b255a1cf10569d18beeeac902a37fa3a
Instruction ID: 25dabfca1df31b98e03c5147673c2eff2a67991c219e37b174993a832a88db1a
Opcode Fuzzy Hash: d21ca1a36fca8a2d6e87697b9fafa593b255a1cf10569d18beeeac902a37fa3a
Instruction Fuzzy Hash: CFE18BB15083419BC714DF59CD84E6FB7E8FB88310F144A2EF59693280DB38E909CB6A

Function 0047CE8E Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047D7F0: GetWindowLongA.USER32(?,000000F0), ref: 0047D7FC

GetParent.USER32(?), ref: 0047CEB9
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 0047CEDC
GetWindowRect.USER32(?,?), ref: 0047CEF5
GetWindowLongA.USER32(00000000,000000F0), ref: 0047CF08
CopyRect.USER32(?,?), ref: 0047CF55
CopyRect.USER32(?,?), ref: 0047CF5F
GetWindowRect.USER32(00000000,?), ref: 0047CF68
CopyRect.USER32(?,?), ref: 0047CF84

Strings

(, xrefs: 0047CF20
@, xrefs: 0047CEF7

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: ($@
API String ID: 808654186-1311469180
Opcode ID: a33a48c71ff2642a485f83a88271ddfacfec73a7fb6d95e20bae2f30e238011d
Instruction ID: 9a50746ca5f0ca7ee6d780c2ab8f73c5e75ef27e2a2cd0a061f2642a8c02a34a
Opcode Fuzzy Hash: a33a48c71ff2642a485f83a88271ddfacfec73a7fb6d95e20bae2f30e238011d
Instruction Fuzzy Hash: ED519472900619AFDB14DFB8CD85EEEBBB9AF48314F19411AF905F3281DA34ED068B54

Function 00435F00 Relevance: 25.9, APIs: 17, Instructions: 351windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047B952: GetWindowTextLengthA.USER32(?), ref: 0047B95F
Part of subcall function 0047B952: GetWindowTextA.USER32(?,00000000,00000000), ref: 0047B977

__ftol.LIBCMT ref: 00435F76
__ftol.LIBCMT ref: 00435FCC
__ftol.LIBCMT ref: 00436022
__ftol.LIBCMT ref: 00436078
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00436099
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004360B3
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043617B
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 004361AD
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 004361CA
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004361EA
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00436204
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043621C
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043623B
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 004362A4
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00436309
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043634B

Part of subcall function 0047D716: GetDlgItem.USER32(?,?), ref: 0047D724

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00436377

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend$__ftol$TextWindow$ItemLength
String ID:
API String ID: 2143175130-0
Opcode ID: 470302e737ac862f0da5e8f98094cc16eeebaffb358615de8a42a9b175c366b3
Instruction ID: c6fae342f9a61f06140666f5c59a39755d4aca7e80a63fdf4fbe909d5c306860
Opcode Fuzzy Hash: 470302e737ac862f0da5e8f98094cc16eeebaffb358615de8a42a9b175c366b3
Instruction Fuzzy Hash: 1DD1C7B1544702BBD324DB71CC42FEB77A8BB44704F108D2EF2AA961D1EA79E4458B4A

Function 00468B14 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,00468C4D), ref: 00468B36
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00468B4E
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00468B5F
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00468B70
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00468B81
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 00468B92
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00468BA3

Strings

GetMonitorInfoA, xrefs: 00468B9D
GetSystemMetrics, xrefs: 00468B48
EnumDisplayMonitors, xrefs: 00468B8C
MonitorFromRect, xrefs: 00468B6A
MonitorFromWindow, xrefs: 00468B59
MonitorFromPoint, xrefs: 00468B7B
USER32, xrefs: 00468B31

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2376520503
Opcode ID: 12054a4b0a083ea204f95b9cc544e8e2e845b5c1e817b729abcdff155debabc5
Instruction ID: ad3e93f97737a489878173f38bea0b347c357742c1d5b5f043d32ef0230d3385
Opcode Fuzzy Hash: 12054a4b0a083ea204f95b9cc544e8e2e845b5c1e817b729abcdff155debabc5
Instruction Fuzzy Hash: A31127B1584612BA8F519F35DCC8D69BBA4B2C8B413640ABFE045E2650DF785842DB1D

Function 00442390 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 372COMMON

Download Yara Rule

APIs

Part of subcall function 004800B5: __EH_prolog.LIBCMT ref: 004800BA
Part of subcall function 004800B5: BeginPaint.USER32(?,?,?,?,004072F9), ref: 004800E3

Part of subcall function 004418E0: GetWindowExtEx.GDI32(?,?), ref: 00441903

MulDiv.KERNEL32(?,00000064,?), ref: 0044244B
GetClientRect.USER32(?,?), ref: 004424D9
DPtoLP.GDI32(?,?,00000002), ref: 004424EE
OffsetRect.USER32 ref: 0044253D
Rectangle.GDI32(?,?,?,?,?), ref: 0044257B
FillRect.USER32(?,?,?), ref: 004425D3
FillRect.USER32(?,00000032,?), ref: 00442616
LPtoDP.GDI32(?,?,00000002), ref: 004426BF
IsRectEmpty.USER32(?), ref: 004426C6
CreateRectRgnIndirect.GDI32(?), ref: 0044270A

Part of subcall function 0047FC76: SelectClipRgn.GDI32(?,00000000), ref: 0047FC98
Part of subcall function 0047FC76: SelectClipRgn.GDI32(?,?), ref: 0047FCAE

LPtoDP.GDI32(?,?,00000001), ref: 0044274A
DPtoLP.GDI32(?,?,00000001), ref: 00442771

Strings

2, xrefs: 00442535

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$ClipFillSelect$BeginClientCreateEmptyH_prologIndirectOffsetPaintRectangleWindow
String ID: 2
API String ID: 2521159323-450215437
Opcode ID: 29cf499733a17de0d6030f97eec1b245375f35284242761ee4cb73d18ee28ab3
Instruction ID: a77cd240c65c6c9cfe9873cd6a6a7fdfa58244310512cb4194f0e1ae08f39583
Opcode Fuzzy Hash: 29cf499733a17de0d6030f97eec1b245375f35284242761ee4cb73d18ee28ab3
Instruction Fuzzy Hash: 84E128716087409FD324DF69C980A6BB7E5BFC8704F408A2EF59A83391DB74E905CB56

Function 0041F9D0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(0000000F), ref: 0041FA24
GetObjectA.GDI32(?,00000018,?), ref: 0041FA37
GlobalAlloc.KERNEL32(00000002,00000028), ref: 0041FAA6
GlobalLock.KERNEL32(00000000), ref: 0041FAC4
GetDIBits.GDI32(?,?,00000000,?,00000000,00000000,00000000), ref: 0041FAF3
GlobalUnlock.KERNEL32(00000000), ref: 0041FB49
GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 0041FB52
GlobalLock.KERNEL32(00000000), ref: 0041FB5F
GetDIBits.GDI32(?,?,00000000,?,00000000,00000000,00000000), ref: 0041FB82
GlobalUnlock.KERNEL32(00000000), ref: 0041FB9C
GlobalFree.KERNEL32(00000000), ref: 0041FBA3

Part of subcall function 0047FFBF: __EH_prolog.LIBCMT ref: 0047FFC4
Part of subcall function 0047FFBF: ReleaseDC.USER32(00000000,00000000), ref: 0047FFE3

Strings

(, xrefs: 0041FA4A

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Global$AllocBitsLockObjectUnlock$FreeH_prologReleaseStock
String ID: (
API String ID: 3583456853-3887548279
Opcode ID: 5f499bc39c3cb20de2db9aa528533f18e0e02a9297dd89ed4a22fa745da30fe7
Instruction ID: bd2be9b718583758c7a5fe6d128cb7445255d7b2849d9c2b9619b686b08d317a
Opcode Fuzzy Hash: 5f499bc39c3cb20de2db9aa528533f18e0e02a9297dd89ed4a22fa745da30fe7
Instruction Fuzzy Hash: 85615C726087509FC320DB64CC45BAFB7E8FB89B10F14492DFA8597290C778E8498B96

Function 00477CEA Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 119registryclipboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048307F: TlsGetValue.KERNEL32(004C92A4,00000000,?,00479B6F,00482405,?,00403600), ref: 004830BE

RegisterClipboardFormatA.USER32(commdlg_LBSelChangedNotify), ref: 00477D42
RegisterClipboardFormatA.USER32(commdlg_ShareViolation), ref: 00477D4E
RegisterClipboardFormatA.USER32(commdlg_FileNameOK), ref: 00477D5A
RegisterClipboardFormatA.USER32(commdlg_ColorOK), ref: 00477D66
RegisterClipboardFormatA.USER32(commdlg_help), ref: 00477D72
RegisterClipboardFormatA.USER32(commdlg_SetRGBColor), ref: 00477D7E

Part of subcall function 0047D6AD: SetWindowLongA.USER32(?,000000FC,00000000), ref: 0047D6DC

SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 00477E71

Strings

commdlg_ColorOK, xrefs: 00477D5C
commdlg_FileNameOK, xrefs: 00477D50
commdlg_ShareViolation, xrefs: 00477D44
commdlg_LBSelChangedNotify, xrefs: 00477D3D
commdlg_help, xrefs: 00477D68
commdlg_SetRGBColor, xrefs: 00477D74

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ClipboardFormatRegister$LongMessageSendValueWindow
String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 3913284445-3888057576
Opcode ID: 412eec9c295bc924bc9be5ae60092f637f3af21dfe4a3fd36bceef6d90fd93c3
Instruction ID: c696486e68defb83b50051567060f72b0f361836493d366e5dbb62f6e9d9cf92
Opcode Fuzzy Hash: 412eec9c295bc924bc9be5ae60092f637f3af21dfe4a3fd36bceef6d90fd93c3
Instruction Fuzzy Hash: 8C41AB32604205FBCB329F25DD48BEE3BA1EB44740F55846BF809972A0DB789C40CB99

Function 00434700 Relevance: 22.8, APIs: 15, Instructions: 255windowCOMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 00434736

Part of subcall function 004802B2: __EH_prolog.LIBCMT ref: 004802B7
Part of subcall function 004802B2: CreateSolidBrush.GDI32(?), ref: 004802D4

FillRect.USER32(?,?,00000000), ref: 00434774
GetSystemMetrics.USER32(0000002E), ref: 0043479D
GetSystemMetrics.USER32(0000002D), ref: 004347A3
DrawFrameControl.USER32(?,?,00000003,?), ref: 00434816
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00434829
InflateRect.USER32(?,00FFFFFD,00000001), ref: 00434844
GetSysColor.USER32(0000000F), ref: 00434868
Rectangle.GDI32(?,?,?,?,?), ref: 004348BB
OffsetRect.USER32(?,00000001,00000001), ref: 00434925
GetSysColor.USER32(00000014), ref: 0043492B
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434953
GetSysColor.USER32(00000010), ref: 00434959
InflateRect.USER32(?,000000FF,000000FF), ref: 004349A2
DrawFocusRect.USER32(?,?), ref: 004349B1

Part of subcall function 0047B952: GetWindowTextLengthA.USER32(?), ref: 0047B95F
Part of subcall function 0047B952: GetWindowTextA.USER32(?,00000000,00000000), ref: 0047B977

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$ColorDraw$InflateMetricsOffsetSystemTextWindow$BrushControlCopyCreateEdgeFillFocusFrameH_prologLengthRectangleSolid
String ID:
API String ID: 4239342997-0
Opcode ID: 81bbae6b6951ed390d61e78bb361511f19341f88b4e456ff6a4ef1649eaea550
Instruction ID: b26d1f5174a57746846421903af711519390e1422373b4482e078daba88947f8
Opcode Fuzzy Hash: 81bbae6b6951ed390d61e78bb361511f19341f88b4e456ff6a4ef1649eaea550
Instruction Fuzzy Hash: 08A17A74208745AFC714DF64C888AABBBE8FF88714F004A1DF59687390DBB4E945CB56

Function 00421D70 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 366COMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 00421E26
SelectObject.GDI32(?,00000000), ref: 00421E49
SelectObject.GDI32(00000000,?), ref: 00421E75
DeleteDC.GDI32(00000000), ref: 00421E82
SelectObject.GDI32(?,?), ref: 00421E8A
DeleteDC.GDI32(?), ref: 00421E91
DeleteObject.GDI32(?), ref: 00421E97

Strings

(, xrefs: 00421F7C
, xrefs: 00421F93
`qA, xrefs: 00421D73
(, xrefs: 0042212F

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Object$Select$Delete
String ID: $($($`qA
API String ID: 4028988585-3630326855
Opcode ID: afa03d66a1e134006d2562a3647ccab15bf8f1ed84c3df4e1d08f733a5bcd8e3
Instruction ID: 1d77c2764e869a09c65e5282d204d3204433c8bbd7af4fc4a1a4ed632f7b8c88
Opcode Fuzzy Hash: afa03d66a1e134006d2562a3647ccab15bf8f1ed84c3df4e1d08f733a5bcd8e3
Instruction Fuzzy Hash: 8DD167B16047019FC710CF25D984A6BBBE9EFC9310F14892EFA9687360D775E844CB66

Function 00439230 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 331threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0043939B
CreateSemaphoreA.KERNEL32(00000000,00000014,00000014,00000000), ref: 004393B0
InitializeCriticalSection.KERNEL32(?), ref: 004393DB
CreateThread.KERNEL32(00000000,00000000,00439610,?,00000004,?), ref: 00439410
EnterCriticalSection.KERNEL32(004C11C0), ref: 00439422
LeaveCriticalSection.KERNEL32(004C11C0,?,?,?), ref: 004395D5
ResumeThread.KERNEL32(?), ref: 004395E3
ReleaseSemaphore.KERNEL32(?,00000014,00000000), ref: 004395F5

Strings

WAVE, xrefs: 00439271, 00439288
RIFF, xrefs: 00439244, 00439258
data, xrefs: 004392D5
fmt , xrefs: 004392B4

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CreateCriticalSection$SemaphoreThread$EnterEventInitializeLeaveReleaseResume
String ID: RIFF$WAVE$data$fmt
API String ID: 1802393137-4212202414
Opcode ID: 487de4c627b35c5b1c5ff44856622e7f24a4f1fd18e85399232a67a9101efe8d
Instruction ID: fa508b4ddde52a3d0d496156193378dd402ae2d59165c2ec4bd50475f84a8a68
Opcode Fuzzy Hash: 487de4c627b35c5b1c5ff44856622e7f24a4f1fd18e85399232a67a9101efe8d
Instruction Fuzzy Hash: 3EB1D1B5600300ABD714DB64DC81B2B7795FB8D308F184A2EF94697391EABCED01CB99

Function 00412F40 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 310libraryregistryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,004C0720,00000000), ref: 00413024
LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,004A4C7C,?,?,?,?,?,?,00000000,004C0720,00000000), ref: 00413061
GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00413097
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,004C0720,00000000), ref: 004130A2
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,004C0720,00000000), ref: 004130B0
LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004131BD
RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 004131F2
CLSIDFromString.COMBASE(00000000), ref: 004132B7
UnRegisterTypeLib.OLEAUT32(?,00000000,00000000,00000000,00000001), ref: 004132D3

Strings

DllUnregisterServer, xrefs: 00413090, 00413095
`qA, xrefs: 0041320C, 0041324C, 004132E3
DllRegisterServer, xrefs: 00413089

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Library$LoadType$FreeRegister$AddressFromProcString
String ID: DllRegisterServer$DllUnregisterServer$`qA
API String ID: 2476498075-204837202
Opcode ID: a315e5b4d7fc145d75c709660bc7fea3a7cdae744face6605217b18acd0931d5
Instruction ID: fcf34129dd1bd037d8a127377996d0a793d873d5caf966ea24c392c8679c5a03
Opcode Fuzzy Hash: a315e5b4d7fc145d75c709660bc7fea3a7cdae744face6605217b18acd0931d5
Instruction Fuzzy Hash: BCB1C471900209ABDB14EFA4CC45FEEB7B8EF44318F14855EF815A7281DB389E45CB69

Function 00475BC9 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 221COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00496AEC,00000001,00496AEC,00000001,00000000,023711FC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,00469763), ref: 00475C07
CompareStringA.KERNEL32(00000000,00000000,00496AE8,00000001,00496AE8,00000001), ref: 00475C24
CompareStringA.KERNEL32(00452176,00000000,00000000,00000000,00469763,00000000,00000000,023711FC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,00469763), ref: 00475C82
GetCPInfo.KERNEL32(00000000,00000000,00000000,023711FC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,00469763,00000000), ref: 00475CD3
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000), ref: 00475D52
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 00475DB3
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 00475DC6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 00475E12
CompareStringW.KERNEL32(00452176,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00475E2A

Strings

v!E, xrefs: 00475BC9
jI, xrefs: 00475C1A
jI, xrefs: 00475BFD

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID: v!E$jI$jI
API String ID: 1651298574-3558089814
Opcode ID: 3f6c0ec4d8083ac8729ec3b82dae7a8bd8bad72fa485efc8729711569433b55e
Instruction ID: 516fc3ced1e91195594630a3380b157279528e61900a230e23794a2763caffa7
Opcode Fuzzy Hash: 3f6c0ec4d8083ac8729ec3b82dae7a8bd8bad72fa485efc8729711569433b55e
Instruction Fuzzy Hash: 1671F471900A49AFCF229F54DC89AEF7FB5FB05300F14842BF859AA250D37A8D51CB99

Function 00464760 Relevance: 21.2, APIs: 14, Instructions: 192COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?), ref: 00464769
GetFileInformationByHandle.KERNEL32(?,?), ref: 00464784

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: File$HandleInformationType
String ID:
API String ID: 4064226416-0
Opcode ID: 8ea6cb832e61640ec9e928d21c66251dd760ba3de0cd151283f2721efa612dd4
Instruction ID: 4c4e13de2cbbff53b5fece1374734699dd6ec542b92f5755af7e39245fd383a9
Opcode Fuzzy Hash: 8ea6cb832e61640ec9e928d21c66251dd760ba3de0cd151283f2721efa612dd4
Instruction Fuzzy Hash: AB517E715047056FEB20EB58CC84FABB3E9AFC5704F54491DF681A7280E678ED048B5A

Function 004053E0 Relevance: 19.9, APIs: 13, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779f84cd8654b46b6b2855047c627e48e197fbe2ef1277ee44420566f8bdb1
Instruction ID: 1978b0661de78022761fc40b10e168e36d8c3f4ccbbafa1541739583d52c43c1
Opcode Fuzzy Hash: b6779f84cd8654b46b6b2855047c627e48e197fbe2ef1277ee44420566f8bdb1
Instruction Fuzzy Hash: F4D13AB1604A00DFD7249B64C881F2BB7E5EB48368F14493EE59AE7691D738EC42CF15

Function 0042EB60 Relevance: 19.8, APIs: 13, Instructions: 320windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0042EB7E
SetCapture.USER32(?,?,?,?,?,?,?,?,?,004867D8,000000FF,0042E3BD,?,?,?,?), ref: 0042EB9B

Part of subcall function 0047FF4D: __EH_prolog.LIBCMT ref: 0047FF52
Part of subcall function 0047FF4D: GetDC.USER32(?), ref: 0047FF7B

Part of subcall function 004418E0: GetWindowExtEx.GDI32(?,?), ref: 00441903

Part of subcall function 0047FE7B: GetWindowExtEx.GDI32(?,?), ref: 0047FE8C
Part of subcall function 0047FE7B: GetViewportExtEx.GDI32(?,?), ref: 0047FE99
Part of subcall function 0047FE7B: MulDiv.KERNEL32(?,00000000,00000000), ref: 0047FEBE
Part of subcall function 0047FE7B: MulDiv.KERNEL32(?,00000000,00000000), ref: 0047FED9

Part of subcall function 0047FA0C: SetMapMode.GDI32(?,?), ref: 0047FA25
Part of subcall function 0047FA0C: SetMapMode.GDI32(?,?), ref: 0047FA33

Part of subcall function 0047F981: SetROP2.GDI32(?,?), ref: 0047F99A
Part of subcall function 0047F981: SetROP2.GDI32(?,?), ref: 0047F9A8

Part of subcall function 0047F925: SetBkMode.GDI32(?,?), ref: 0047F93E
Part of subcall function 0047F925: SetBkMode.GDI32(?,?), ref: 0047F94C

Part of subcall function 00480262: __EH_prolog.LIBCMT ref: 00480267
Part of subcall function 00480262: CreatePen.GDI32(?,?,?), ref: 0048028A

Part of subcall function 0047F849: SelectObject.GDI32(004050D5,00000000), ref: 0047F86B
Part of subcall function 0047F849: SelectObject.GDI32(004050D5,?), ref: 0047F881

GetCapture.USER32 ref: 0042EC61
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0042EC80
DispatchMessageA.USER32(?), ref: 0042ECC1
DispatchMessageA.USER32(?), ref: 0042ECDD
ScreenToClient.USER32(?,?), ref: 0042ED24
GetCapture.USER32 ref: 0042ED4C
ReleaseCapture.USER32 ref: 0042ED74
ReleaseCapture.USER32 ref: 0042EDD0
DPtoLP.GDI32 ref: 0042EE14
InvalidateRect.USER32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,?,?), ref: 0042EE9D
InvalidateRect.USER32(?,00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0042EF2B

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Capture$Mode$Message$DispatchH_prologInvalidateObjectRectReleaseSelectWindow$ClientCreateScreenViewport
String ID:
API String ID: 453157188-0
Opcode ID: af6f8d6610008a6111f39e913973f00f5202c5632b4d9963e3afa4d387b4a95d
Instruction ID: 9e213c49084d6d8d1d6049db90ec8fb4f2cbe8d2515161d0092579318cfade44
Opcode Fuzzy Hash: af6f8d6610008a6111f39e913973f00f5202c5632b4d9963e3afa4d387b4a95d
Instruction Fuzzy Hash: 7AB1D171304710ABD324EB66D885E6FB7E8BF88704F544E1EF15683291DB38AD05CB6A

Function 004077E0 Relevance: 19.7, APIs: 10, Strings: 1, Instructions: 430COMMON

Download Yara Rule

APIs

Part of subcall function 004800B5: __EH_prolog.LIBCMT ref: 004800BA
Part of subcall function 004800B5: BeginPaint.USER32(?,?,?,?,004072F9), ref: 004800E3

Part of subcall function 0047FC66: GetClipBox.GDI32(?,?), ref: 0047FC6D

IsRectEmpty.USER32(?), ref: 00407827
GetClientRect.USER32(?,?), ref: 0040783F
InflateRect.USER32(?,?,?), ref: 004078FD
IntersectRect.USER32(?,?,?), ref: 00407967
CreateRectRgn.GDI32(?,?,?,?), ref: 00407981
FillRgn.GDI32(?,?,?), ref: 00407B40
GetCurrentObject.GDI32(?,00000006), ref: 00407BBF

Part of subcall function 0047F80D: GetStockObject.GDI32(?), ref: 0047F816
Part of subcall function 0047F80D: SelectObject.GDI32(004050D5,00000000), ref: 0047F830
Part of subcall function 0047F80D: SelectObject.GDI32(004050D5,00000000), ref: 0047F83B

OffsetRect.USER32(?,00000001,00000001), ref: 00407C9D
OffsetRect.USER32(?,00000002,00000002), ref: 00407D31
OffsetRect.USER32(?,00000001,00000001), ref: 00407CE4

Part of subcall function 0047F9DD: SetTextColor.GDI32(?,?), ref: 0047F9F7
Part of subcall function 0047F9DD: SetTextColor.GDI32(?,?), ref: 0047FA05

Strings

`qA, xrefs: 00407848

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$Object$Offset$ColorSelectText$BeginClientClipCreateCurrentEmptyFillH_prologInflateIntersectPaintStock
String ID: `qA
API String ID: 4264835570-2154376067
Opcode ID: 7f7b3d59a5eb8d0b4f5c86bc7504df1308011155a9c809e40680cb868bfd0398
Instruction ID: 3bbfd1f818861feff674c3a97243605add37194576b9d131ba58911407928f8e
Opcode Fuzzy Hash: 7f7b3d59a5eb8d0b4f5c86bc7504df1308011155a9c809e40680cb868bfd0398
Instruction Fuzzy Hash: AC0249715087809FD324EF65C884AAFB7E9BBC8304F104D2EF19697290DB78A949CB57

Function 00421360 Relevance: 19.7, APIs: 9, Strings: 2, Instructions: 405COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,?,?), ref: 00421406

Part of subcall function 00421130: SetRect.USER32(?,00000000,00000032,00000032,?), ref: 00421219
Part of subcall function 00421130: OffsetRect.USER32(?,?,?), ref: 00421226
Part of subcall function 00421130: IntersectRect.USER32(?,?,?), ref: 00421242
Part of subcall function 00421130: IsRectEmpty.USER32(?), ref: 0042124D

InflateRect.USER32(?,?,?), ref: 00421479
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0042167D
GetClipRgn.GDI32(?,00000000), ref: 0042168C
CreatePolygonRgn.GDI32 ref: 0042170A
SelectClipRgn.GDI32(?,?), ref: 004217ED
CreatePolygonRgn.GDI32(?,00000005,00000002), ref: 00421810
SelectClipRgn.GDI32(?,?), ref: 00421891
DeleteObject.GDI32(?), ref: 004218A7

Strings

gfff, xrefs: 0042156D
`qA, xrefs: 0042137B

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$ClipCreate$InflatePolygonSelect$DeleteEmptyIntersectObjectOffset
String ID: `qA$gfff
API String ID: 1105800552-1917748260
Opcode ID: 797ccd661cc7bf92a57553c33a2f4b04045756b302bd186640b4ba24df8d7c11
Instruction ID: 90c1dad10d611fa942a983aa18a85047f77652ac7ad0ad2bd766f1490ebf77ba
Opcode Fuzzy Hash: 797ccd661cc7bf92a57553c33a2f4b04045756b302bd186640b4ba24df8d7c11
Instruction Fuzzy Hash: 95F125B06083419FC324DF19D880B6BBBE5BBD8344F508A2EF989873A0D774E945CB56

Function 004127A0 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 281libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,004B0564), ref: 00412807
LoadLibraryA.KERNEL32(?,?,004C08F0), ref: 004128F7
LoadLibraryA.KERNEL32(?,?), ref: 0041293D
LoadLibraryA.KERNEL32(?,?,004C07F8,00000001), ref: 00412985
LoadLibraryA.KERNEL32(00000001), ref: 0041299B
GetProcAddress.KERNEL32(00000000,?), ref: 004129AD
FreeLibrary.KERNEL32(00000000), ref: 00412A40

Strings

HJJ, xrefs: 004129CF

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Library$Load$AddressProc$Free
String ID: HJJ
API String ID: 3120990465-492243563
Opcode ID: 326d5993ffc081efa7f1d949ebe51187b0e82f2700a630b06d8558cfb21194d5
Instruction ID: 0ac4d345a2665a21cbdf83232c46227d6d2fee20b804590a161dc375671bf013
Opcode Fuzzy Hash: 326d5993ffc081efa7f1d949ebe51187b0e82f2700a630b06d8558cfb21194d5
Instruction Fuzzy Hash: 28A1E1B1600701AFC724DF65C880BABB3A8FF98314F044A2EF859D7341E778A955CB99

Function 0040A990 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 130stringprocessCOMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,?), ref: 0040AA28
lstrcatA.KERNEL32(?,\shell\open\command,80000000,.htm,?,?,?,?), ref: 0040AA67
lstrlenA.KERNEL32(?), ref: 0040AABC
lstrcatA.KERNEL32(00000000,004A4C90), ref: 0040AB05
lstrcatA.KERNEL32(00000000,?), ref: 0040AB0D
WinExec.KERNEL32(?,?), ref: 0040AB15

Part of subcall function 004795AE: InterlockedDecrement.KERNEL32(-000000F4), ref: 004795C2

Strings

\shell\open\command, xrefs: 0040AA61
open, xrefs: 0040AA21
.htm, xrefs: 0040AA40
"%1", xrefs: 0040AA8B
mailto:, xrefs: 0040A9F6

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: lstrcat$DecrementExecExecuteInterlockedShelllstrlen
String ID: "%1"$.htm$\shell\open\command$mailto:$open
API String ID: 51986957-2182632014
Opcode ID: f03748839995af2342101b3343800c349e21235266f730efe3e6d37ccef28e3f
Instruction ID: 57658bd381d2fbfd2d41f770f7e876213e1ea9e5b20a9861da79444433d0d6a9
Opcode Fuzzy Hash: f03748839995af2342101b3343800c349e21235266f730efe3e6d37ccef28e3f
Instruction Fuzzy Hash: 3E41B432244302ABC324DF65DD44FAFB7A4ABD4764F104A2DF559A32C0E778AD05CB6A

Function 00418B60 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 387windowCOMMON

Download Yara Rule

APIs

IsChild.USER32(?,?), ref: 00418B98
GetParent.USER32(?), ref: 00418C29
IsWindow.USER32(?), ref: 00418D5B
IsWindowVisible.USER32(?), ref: 00418D6D

Part of subcall function 0047D97F: IsWindowEnabled.USER32(?), ref: 0047D989

GetParent.USER32(?), ref: 00418DBE
IsChild.USER32(?,?), ref: 00418DDE
GetParent.USER32(?), ref: 00418F87
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00418FA4
IsWindow.USER32(?), ref: 00418FFF

Part of subcall function 0040F0E0: IsChild.USER32(?,?), ref: 0040F15D
Part of subcall function 0040F0E0: GetParent.USER32(?), ref: 0040F177

Strings

`qA, xrefs: 00419010

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ParentWindow$Child$EnabledMessageSendVisible
String ID: `qA
API String ID: 2452671399-2154376067
Opcode ID: 815da352d1475b5faae39645e7b1b70ab6421d2cda9a65172b3521f57d9a104b
Instruction ID: fc2f60d24b9f41b1ccf276333a8a6c5c9557c1793f2b6875bfa48e7b05c443f7
Opcode Fuzzy Hash: 815da352d1475b5faae39645e7b1b70ab6421d2cda9a65172b3521f57d9a104b
Instruction Fuzzy Hash: F1E1AD716043419FC720DF25C880BAFB7E5BB95704F044A2EF98697281DB38ED85CB9A

Function 00407E90 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMON

Download Yara Rule

APIs

Part of subcall function 00421D70: SelectObject.GDI32(00000000,?), ref: 00421E26
Part of subcall function 00421D70: SelectObject.GDI32(?,00000000), ref: 00421E49
Part of subcall function 00421D70: SelectObject.GDI32(00000000,?), ref: 00421E75
Part of subcall function 00421D70: DeleteDC.GDI32(00000000), ref: 00421E82
Part of subcall function 00421D70: SelectObject.GDI32(?,?), ref: 00421E8A
Part of subcall function 00421D70: DeleteDC.GDI32(?), ref: 00421E91

__ftol.LIBCMT ref: 00407FB5
__ftol.LIBCMT ref: 00407FC2
CreateRectRgn.GDI32(00000000,?,00000000,?), ref: 00408034
CombineRgn.GDI32(?,?,0048CB70,00000004), ref: 0040805A
SetRect.USER32(?,00000000,?,?,?), ref: 004080A6
IntersectRect.USER32(?,?,?), ref: 004080BE
IsRectEmpty.USER32(?), ref: 004080E9
CreateRectRgn.GDI32(00000000,?,?,00000000), ref: 0040818E
CombineRgn.GDI32(?,?,0048CB70,00000004), ref: 004081B4

Strings

`qA, xrefs: 00407EF0

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$ObjectSelect$CombineCreateDelete__ftol$EmptyIntersect
String ID: `qA
API String ID: 1957208593-2154376067
Opcode ID: b7138754a3799b80b841ee8835e3c67a7ddcdad84ef9b4f88891edf2019ec4b3
Instruction ID: ad544f47c117b4ff8c69b503917ab2d01636de923d9cc5432e59fd151d6f49da
Opcode Fuzzy Hash: b7138754a3799b80b841ee8835e3c67a7ddcdad84ef9b4f88891edf2019ec4b3
Instruction Fuzzy Hash: 87A17B716087429FC314DF28C984A6FBBE9FBC8740F544A2DF59587290EB74E848CB96

Function 0042B8C0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 0042B937
IsRectEmpty.USER32(?), ref: 0042B942
GetClientRect.USER32(00000000,?), ref: 0042B981
DPtoLP.GDI32(?,?,00000002), ref: 0042B993
LPtoDP.GDI32(?,?,00000002), ref: 0042B9D0
CreateRectRgnIndirect.GDI32(?), ref: 0042B9E8
OffsetRect.USER32(?,?,?), ref: 0042BA0D
LPtoDP.GDI32(?,?,00000002), ref: 0042BA1F

Part of subcall function 00480262: __EH_prolog.LIBCMT ref: 00480267
Part of subcall function 00480262: CreatePen.GDI32(?,?,?), ref: 0048028A

Part of subcall function 0047F849: SelectObject.GDI32(004050D5,00000000), ref: 0047F86B
Part of subcall function 0047F849: SelectObject.GDI32(004050D5,?), ref: 0047F881

Part of subcall function 0047F80D: GetStockObject.GDI32(?), ref: 0047F816
Part of subcall function 0047F80D: SelectObject.GDI32(004050D5,00000000), ref: 0047F830
Part of subcall function 0047F80D: SelectObject.GDI32(004050D5,00000000), ref: 0047F83B

Part of subcall function 0047F981: SetROP2.GDI32(?,?), ref: 0047F99A
Part of subcall function 0047F981: SetROP2.GDI32(?,?), ref: 0047F9A8

Rectangle.GDI32(?,?,?,?,?), ref: 0042BA93

Part of subcall function 0047FC76: SelectClipRgn.GDI32(?,00000000), ref: 0047FC98
Part of subcall function 0047FC76: SelectClipRgn.GDI32(?,?), ref: 0047FCAE

Part of subcall function 0048024C: DeleteObject.GDI32(00000000), ref: 0048025B

Part of subcall function 0047FFBF: __EH_prolog.LIBCMT ref: 0047FFC4
Part of subcall function 0047FFBF: ReleaseDC.USER32(00000000,00000000), ref: 0047FFE3

Strings

"%H, xrefs: 0042B9D6

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ObjectSelect$Rect$ClipCreateH_prolog$ClientCopyDeleteEmptyIndirectOffsetRectangleReleaseStock
String ID: "%H
API String ID: 2841338838-1417433817
Opcode ID: 7a27f667ba9576114e8facadccd43e17a4e9d5b5c7942d8c96661612176a492f
Instruction ID: 3316c78a760f5998a8d0b35bb2d0bc6c30a3152aeac9a0046f41757d25809e9e
Opcode Fuzzy Hash: 7a27f667ba9576114e8facadccd43e17a4e9d5b5c7942d8c96661612176a492f
Instruction Fuzzy Hash: 7E615A71208700AFC314EF65C885E6FB7E9EB88714F408E1DF59683291DB78E908CB96

Function 0047A37E Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0047A383
GetSystemMetrics.USER32(0000002A), ref: 0047A434
GlobalLock.KERNEL32(?), ref: 0047A4BE
CreateDialogIndirectParamA.USER32(?,?,?,Function_0007A1C6,00000000), ref: 0047A4F0

Strings

MS Sans Serif, xrefs: 0047A455
Helv, xrefs: 0047A468
MS Shell Dlg, xrefs: 0047A442

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
String ID: Helv$MS Sans Serif$MS Shell Dlg
API String ID: 2364537584-2894235370
Opcode ID: be385ed0be4839695d43575cf036e1e1887b174868817332de9033f2ef1831fa
Instruction ID: df884b5e03f8c00ea3223685344a7f036b7f58d324024f85a5950e33b41f5c26
Opcode Fuzzy Hash: be385ed0be4839695d43575cf036e1e1887b174868817332de9033f2ef1831fa
Instruction Fuzzy Hash: 3C616D7190020AEFCF14EFA4C985AEEBBB5BF44314F14852FE409A2291D7788E54CB5A

Function 00464970 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,00000000,00465970,?,?,?,00000002,?,?), ref: 004649C0
GetCurrentProcess.KERNEL32(?,00000000), ref: 004649C8
DuplicateHandle.KERNEL32(00000000), ref: 004649CB
GetFileType.KERNEL32 ref: 004649E3
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004649FD
CreateFileA.KERNEL32(pYF,40000000,00000000,00000000,00000000,00000080,00000000,?,00000000,00000000,00465970,?,?,?,00000002,?), ref: 00464A26

Strings

pYF, xrefs: 00464A67, 00464A13, 00464A25

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: File$CurrentProcess$CreateDuplicateHandlePointerType
String ID: pYF
API String ID: 3364526186-1601614842
Opcode ID: 0c90b2ed61bdcd9cea1daa865a3272347b672dfd54488f3097ccf1d878ea6576
Instruction ID: 314728b4f5e375bfbc5923157a4ab82c06b8bfb7aef1692a07244a01ae0cbecc
Opcode Fuzzy Hash: 0c90b2ed61bdcd9cea1daa865a3272347b672dfd54488f3097ccf1d878ea6576
Instruction Fuzzy Hash: 2E41A972205601AFDB309F58A8C8E6B779CE7E4325F10493FF181C6640D3759C94CB69

Function 00443D20 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

GetTextExtentPoint32A.GDI32(?,?,?,00000090), ref: 00443D9F
GetTextExtentPoint32A.GDI32(?,?,?,00000090), ref: 00443DC4
GetWindowRect.USER32(?,?), ref: 00443E4E
SetRect.USER32(00000080,?,?,?,?), ref: 00443E83
SetRect.USER32(00000070,?,?,?,?), ref: 00443EC8
SetRect.USER32(00000060,?,?,?,?), ref: 00443F3B
GetSystemMetrics.USER32(00000001), ref: 00443F66
GetSystemMetrics.USER32(00000000), ref: 00443F6C
OffsetRect.USER32(00000080,00000000,00000000), ref: 00443F84
OffsetRect.USER32(00000080,00000000,00000000), ref: 00443F92
OffsetRect.USER32(00000080,00000000,00000000), ref: 00443FA4

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$Offset$ExtentMetricsPoint32SystemText$Window
String ID:
API String ID: 1551820068-0
Opcode ID: 3384538f052ab1d9b2f99a6bee2ceff36e81a2f63cbb6339c56361ac1a3100a4
Instruction ID: ba2a6f56538d558019c96042ae8a84ea0bf2e9f63e6e5adaabda5098d55d40a8
Opcode Fuzzy Hash: 3384538f052ab1d9b2f99a6bee2ceff36e81a2f63cbb6339c56361ac1a3100a4
Instruction Fuzzy Hash: C4915771600B029FD318CF29C985E6AF7E5FB88700F148A2DA95AC3754EB74FD098B54

Function 0040D480 Relevance: 16.7, APIs: 11, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetCurrentObject.GDI32(?,00000001), ref: 0040D4B9
GetCurrentObject.GDI32(?,00000002), ref: 0040D503
GetCurrentObject.GDI32(?,00000006), ref: 0040D54D
GetTextColor.GDI32(?), ref: 0040D58C
GetBkMode.GDI32(?), ref: 0040D5B6
GetBkColor.GDI32(?), ref: 0040D5D5
GetBkMode.GDI32(?), ref: 0040D5F8
GetBkColor.GDI32(?), ref: 0040D617
GetROP2.GDI32(?), ref: 0040D63F
GetStretchBltMode.GDI32(?), ref: 0040D660
GetPolyFillMode.GDI32(?), ref: 0040D68C

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Mode$ColorCurrentObject$FillPolyStretchText
String ID:
API String ID: 544274770-0
Opcode ID: 31902cacc531530214e8a1a179306d35661109dfe9113a1a4057da114eee640a
Instruction ID: d2bb0e8d7d97ea526974c6fe0738d699276d9bc1aad24ada7795e0b8967308c5
Opcode Fuzzy Hash: 31902cacc531530214e8a1a179306d35661109dfe9113a1a4057da114eee640a
Instruction Fuzzy Hash: 18513171610A019BC764DBB4CD88FABB3A5EF84305F144A2DE65FA7290DB34F849CB58

Function 004221B0 Relevance: 15.3, APIs: 10, Instructions: 305windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C8B0: EnumDisplaySettingsA.USER32(00000000,000000FF,?), ref: 0041C8BF

SetStretchBltMode.GDI32(?,00000000), ref: 004221C4
GetObjectA.GDI32(?,00000018,?), ref: 004222A2
StretchBlt.GDI32(?,000000FF,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0042236F
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,008800C6), ref: 004223A9
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 004223E3
SelectObject.GDI32(00000000,?), ref: 00422468
StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?), ref: 004224AB
SelectObject.GDI32(00000000,?), ref: 004224B7
DeleteDC.GDI32(00000000), ref: 004224BE
DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 004224FD

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Stretch$Object$Select$DeleteDisplayDrawEnumIconModeSettings
String ID:
API String ID: 595586566-0
Opcode ID: 8741a45ae6a2ef4923ba3ebb02067b5689fc8def90343f4a1ccb491cd8b3d49d
Instruction ID: e1a6c5c4a8d57126f7fa73ae521b89f4e83789783a577923df6199a5632301ef
Opcode Fuzzy Hash: 8741a45ae6a2ef4923ba3ebb02067b5689fc8def90343f4a1ccb491cd8b3d49d
Instruction Fuzzy Hash: B0B14771204704AFD214DB24DD85F6BB3E9FF89714F208A1DFA9A87290DB74EC058B66

Function 0041EAF0 Relevance: 15.3, APIs: 10, Instructions: 288COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(00FFFFFF), ref: 0041EC4F
GetWindowRect.USER32(?), ref: 0041EC79
GetStockObject.GDI32(00000005), ref: 0041ECA7
LoadCursorA.USER32(00000000,00007F00), ref: 0041ECB5
GetWindowRect.USER32(?,?), ref: 0041ED23
GetWindowRect.USER32(?,?), ref: 0041ED34
GetWindowRect.USER32(?,?), ref: 0041ED49
GetSystemMetrics.USER32(00000001), ref: 0041ED5F
GetWindowRect.USER32(?,?), ref: 0041EDEA
OffsetRect.USER32(?,00000000,?), ref: 0041EE04

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$Window$BrushCreateCursorLoadMetricsObjectOffsetSolidStockSystem
String ID:
API String ID: 3805611468-0
Opcode ID: 18ea4422961e1ed83f07187e6cc297196c91b47f8c5e176a5a3ff74866a5c769
Instruction ID: 326d8ca898e997f69d5ec49687fa368f6d10426df5753064f6fba01a0e722669
Opcode Fuzzy Hash: 18ea4422961e1ed83f07187e6cc297196c91b47f8c5e176a5a3ff74866a5c769
Instruction Fuzzy Hash: 70A19F706447019FD724DF26C885BAFB7E5AFC8704F00892EF65A87281EB78E8458B59

Function 0041D3C0 Relevance: 15.2, APIs: 10, Instructions: 179COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0041D3DD
GetWindowRect.USER32(?,?), ref: 0041D3EC
IntersectRect.USER32(?,?,?), ref: 0041D445
EqualRect.USER32(?,?), ref: 0041D475
GetWindowRect.USER32(?,?), ref: 0041D493
OffsetRect.USER32(?,?,?), ref: 0041D50A
OffsetRect.USER32(?,?,00000000), ref: 0041D524
OffsetRect.USER32(?,?,00000000), ref: 0041D53C
OffsetRect.USER32(?,00000000,?), ref: 0041D556
OffsetRect.USER32(?,00000000,?), ref: 0041D56E

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$Offset$Window$EqualIntersect
String ID:
API String ID: 2638238157-0
Opcode ID: 22550212a4d541649fd122a6724041e73bac01f67ea12bb1ab95c1d0928b96e6
Instruction ID: 644cdacebdda62e947c30d9be5291a310e5356de38eb86f7f01c84e6c1e5b64d
Opcode Fuzzy Hash: 22550212a4d541649fd122a6724041e73bac01f67ea12bb1ab95c1d0928b96e6
Instruction Fuzzy Hash: 3351FCB5618306AFC708CF28C98096FBBE9ABC8744F004A2EF585D3354D674ED45CB56

Function 00434AB0 Relevance: 15.1, APIs: 10, Instructions: 86COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000002E), ref: 00434AC1
GetSystemMetrics.USER32(0000002D), ref: 00434AC7
GetSystemMetrics.USER32(0000000A), ref: 00434ACD
GetSystemMetrics.USER32(0000000A), ref: 00434AD8
GetSystemMetrics.USER32(00000009), ref: 00434AE6
GetSystemMetrics.USER32(00000009), ref: 00434AF2
GetWindowRect.USER32(?,?), ref: 00434B17
GetParent.USER32(?), ref: 00434B1D
GetWindowRect.USER32(?,00000000), ref: 00434B42
SetRect.USER32(?,?,00000000,?,?), ref: 00434B74

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MetricsSystem$Rect$Window$Parent
String ID:
API String ID: 3457858938-0
Opcode ID: 6418db504b353ff004d494ea2ff1ed21a1c5dcd0fd01710324e729c26938c859
Instruction ID: be2e948862b947bf6dfc73dd4b7bc4dc9366f0959cc0f19955f7a0ed3ab414db
Opcode Fuzzy Hash: 6418db504b353ff004d494ea2ff1ed21a1c5dcd0fd01710324e729c26938c859
Instruction Fuzzy Hash: 0A216271A443066BD704DF68DC8597F77A9EBC8700F04492EF906D3280DBB4ED098BA6

Function 00427FF0 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 279COMMON

Download Yara Rule

APIs

GetProfileStringA.KERNEL32(windows,device,,,,,?,000001F4), ref: 0042806F
GetProfileStringA.KERNEL32(devices,00000000,004C1128,?,00001000), ref: 004280A3
GetProfileStringA.KERNEL32(devices,?,,,,,?,000000C8), ref: 0042812A

Strings

device, xrefs: 00428065
devices, xrefs: 0042809E, 00428125
windows, xrefs: 0042806A
,,,, xrefs: 00428060, 0042811F
none, xrefs: 00428160

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ProfileString
String ID: ,,,$device$devices$none$windows
API String ID: 1468043044-528626633
Opcode ID: 46365c4ff1fc3bdad38c550f36fd39f83b02428ffb18d7eb4c64ffed9c0f9326
Instruction ID: b3a708feb0d6ff2f6d13d1be28250e64420e0e2224a99240c423c2e4a071b553
Opcode Fuzzy Hash: 46365c4ff1fc3bdad38c550f36fd39f83b02428ffb18d7eb4c64ffed9c0f9326
Instruction Fuzzy Hash: 49B1C3712083409BC324DF65C885BEFB7E4AF95718F404A1EF99983391EB789904CB6B

Function 00474F9E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,00496AEC,00000001,-00000030,?,00000000,-00000030,?,?,00469CB1,00000000,00413272,00000000), ref: 00474FDD
GetStringTypeA.KERNEL32(00000000,00000001,00496AE8,00000001,?,?,?,00469CB1,00000000,00413272,00000000), ref: 00474FF7
GetStringTypeA.KERNEL32(-00000030,r2A,00000000,00469CB1,?,?,00000000,-00000030,?,?,00469CB1,00000000,00413272,00000000), ref: 0047502B
MultiByteToWideChar.KERNEL32(?,00000001,00000000,00469CB1,00000000,00000000,?,00000000,-00000030,?,?,00469CB1,00000000,00413272,00000000), ref: 00475063
MultiByteToWideChar.KERNEL32(?,00000001,00000000,00469CB1,?,?,?,?,?,?,?,00469CB1,00000000,00413272), ref: 004750B9
GetStringTypeW.KERNEL32(00413272,?,00000000,?,?,?,?,?,?,?,?,00469CB1,00000000,00413272), ref: 004750CB

Strings

r2A, xrefs: 004750C8
r2A, xrefs: 00475027

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID: r2A$r2A
API String ID: 3852931651-1580492803
Opcode ID: 4b042b31d39f6f6dcb163afc3f572e04d26e8953228db0bb1dc9418cd04f4be6
Instruction ID: a2b5b74daa47ad0dee0051f3aff1feea5edcc6bf0670cc73f69f72d7330b5d30
Opcode Fuzzy Hash: 4b042b31d39f6f6dcb163afc3f572e04d26e8953228db0bb1dc9418cd04f4be6
Instruction Fuzzy Hash: 81417C72500649BFCF219F94DC89EEF3F68EB05350F24882AF915D6250D3798D51CBA9

Function 0047524F Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0046DF7F,?,Microsoft Visual C++ Runtime Library,00012010,?,00496864,?,004968B4,?,?,?,Runtime Error!Program: ), ref: 00475261
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00475279
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0047528A
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00475297

Strings

GetLastActivePopup, xrefs: 0047528C
MessageBoxA, xrefs: 00475273
user32.dll, xrefs: 0047525C
GetActiveWindow, xrefs: 00475284

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 6f4bc5c6f4a22812081479e6496b3a30da0472953cc642e26d314ffe236c48dc
Instruction ID: 80324310f5ab8dd1edf16d330b5743b4b061baa5210386c2f28d0be355e4aa04
Opcode Fuzzy Hash: 6f4bc5c6f4a22812081479e6496b3a30da0472953cc642e26d314ffe236c48dc
Instruction Fuzzy Hash: 50017571605702BF8B919FB56C84EAB3FD89688750315447EA509D6362E7B88C00DF69

Function 00436BF0 Relevance: 13.7, APIs: 9, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00436C2E
FillRect.USER32(?,?,?), ref: 00436C92
FillRect.USER32(?,?,?), ref: 00436CFE
FillRect.USER32(?,?,?), ref: 00436D77
SelectObject.GDI32(00000000,?), ref: 00436DB9
SetStretchBltMode.GDI32(?,00000000), ref: 00436DED
StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00436E24
SelectObject.GDI32(00000000,00000000), ref: 00436E5B
DeleteDC.GDI32(00000000), ref: 00436E68

Part of subcall function 004802B2: __EH_prolog.LIBCMT ref: 004802B7
Part of subcall function 004802B2: CreateSolidBrush.GDI32(?), ref: 004802D4

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$Fill$ObjectSelectStretch$BrushClientCreateDeleteH_prologModeSolid
String ID:
API String ID: 3514727852-0
Opcode ID: 63ec8da4bb64016d992cc8f3346fd8733eee47bd2a99d92d517defc15d70dcbf
Instruction ID: 89efbb9d26d35addfcc06a52699b134ab02283e30e9f01fec701f2da0c1f0503
Opcode Fuzzy Hash: 63ec8da4bb64016d992cc8f3346fd8733eee47bd2a99d92d517defc15d70dcbf
Instruction Fuzzy Hash: 5F714DB4204741ABD760DF64C884F6BB7E8FB88700F248D1EF59A97250C778E845CB2A

Function 00471384 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00496AEC,00000001,00000000,00000000,7622E860,004C99F0,?,?,?,0046ACDD,?,?,?,00000000), ref: 004713C6
LCMapStringA.KERNEL32(00000000,00000100,00496AE8,00000001,00000000,00000000,?,?,0046ACDD,?,?,?,00000000,00000001), ref: 004713E2
LCMapStringA.KERNEL32(?,?,?,0046ACDD,?,?,7622E860,004C99F0,?,?,?,0046ACDD,?,?,?,00000000), ref: 0047142B
MultiByteToWideChar.KERNEL32(?,004C99F1,?,0046ACDD,00000000,00000000,7622E860,004C99F0,?,?,?,0046ACDD,?,?,?,00000000), ref: 00471463
MultiByteToWideChar.KERNEL32(00000000,00000001,?,0046ACDD,?,00000000,?,?,0046ACDD,?), ref: 004714BB
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0046ACDD,?), ref: 004714D1
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0046ACDD,?), ref: 00471504
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0046ACDD,?), ref: 0047156C

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 1ad270d811134c14184e1eacf99739e0334de599a41abc55a0e0b41b030b3954
Instruction ID: 2f917b9929bb12088151f03ab6c0f8472d7d2fb6ef456b078e89f4e1e1612dfe
Opcode Fuzzy Hash: 1ad270d811134c14184e1eacf99739e0334de599a41abc55a0e0b41b030b3954
Instruction Fuzzy Hash: 24519171900609FBCF228F58CC49AEF7FB4FB85754F24812AF916A2160D3398D50EB69

Function 0041D160 Relevance: 13.6, APIs: 9, Instructions: 118COMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0041D166
ClientToScreen.USER32(?,?), ref: 0041D1A3
OffsetRect.USER32(?,?,?), ref: 0041D1CC
GetParent.USER32(?), ref: 0041D1D2

Part of subcall function 0047FDBB: ScreenToClient.USER32(?,?), ref: 0047FDCF
Part of subcall function 0047FDBB: ScreenToClient.USER32(?,?), ref: 0047FDD8

GetClientRect.USER32(?,?), ref: 0041D1F5
OffsetRect.USER32(?,?,00000000), ref: 0041D213
OffsetRect.USER32(?,?,00000000), ref: 0041D22B
OffsetRect.USER32(?,00000000,?), ref: 0041D249
OffsetRect.USER32(?,00000000,?), ref: 0041D269

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$Offset$Client$Screen$CaptureParent
String ID:
API String ID: 838496554-0
Opcode ID: 56fa5921391c66237af0d8a17047b226f07601daaab62c14f86f85be2b85d9ac
Instruction ID: d6c1c6bf9dcf6dd0113d9450f8022dfa0dbb7ea31649cc561a0d20c53687c7a6
Opcode Fuzzy Hash: 56fa5921391c66237af0d8a17047b226f07601daaab62c14f86f85be2b85d9ac
Instruction Fuzzy Hash: A841F5B5608301AFD708DF68D984D7FB7E9ABC8704F008A1DF996C3251DA74ED488B66

Function 0041A9B0 Relevance: 13.6, APIs: 9, Instructions: 85windowCOMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,?,00000001,?,?,?,?), ref: 0041A9CA
GetTopWindow.USER32(?), ref: 0041A9D0
IsWindowVisible.USER32(00000000), ref: 0041A9E1
GetWindowLongA.USER32(00000000,000000EC), ref: 0041A9F2
GetClientRect.USER32(00000000,?), ref: 0041AA45
IntersectRect.USER32(?,?,?), ref: 0041AA5A
IsRectEmpty.USER32(?), ref: 0041AA65
InvalidateRect.USER32(00000000,00000000,00000000,?,?,?,?), ref: 0041AA76
GetWindow.USER32(00000000,00000002), ref: 0041AA7B

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$Window$Invalidate$ClientEmptyIntersectLongVisible
String ID:
API String ID: 938479747-0
Opcode ID: 899c2bf112f175f03ba478e0526cc957dba6ab75f8ca1accb1e3aa882f1bf58d
Instruction ID: 91f8f1b6424307a104e22c24c5e75ce3795695b05a28c835485bfcb3adf2e5a9
Opcode Fuzzy Hash: 899c2bf112f175f03ba478e0526cc957dba6ab75f8ca1accb1e3aa882f1bf58d
Instruction Fuzzy Hash: 89218D71505702AB8311DF65CC84DBFB7ACBF88754B044A2EF94192240DB24DD89CBAA

Function 00421130 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

SetRect.USER32(?,00000000,00000032,00000032,?), ref: 00421219
OffsetRect.USER32(?,?,?), ref: 00421226
IntersectRect.USER32(?,?,?), ref: 00421242
IsRectEmpty.USER32(?), ref: 0042124D
OffsetRect.USER32(?,?,?), ref: 0042128A

Strings

`qA, xrefs: 00421137
2, xrefs: 004211D6

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$Offset$EmptyIntersect
String ID: 2$`qA
API String ID: 765610062-1304155651
Opcode ID: 44ca7088c912e3cd5282594bb22651437efd9f7115237b882e3f2a380cda38ac
Instruction ID: 69033902080456b3d6b89db0e52e16713a806fe4336b12a5a0b7f5521c311588
Opcode Fuzzy Hash: 44ca7088c912e3cd5282594bb22651437efd9f7115237b882e3f2a380cda38ac
Instruction Fuzzy Hash: 3F6132756083419FD718CF29D88496BBBEABBD8344F548A2EF98987320D730E905CF56

Function 0041F560 Relevance: 12.4, APIs: 8, Instructions: 368windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 0041F6DE
AppendMenuA.USER32(?,?,00000000,?), ref: 0041F841
AppendMenuA.USER32(?,00000000,00000000,?), ref: 0041F879
ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041F897
AppendMenuA.USER32(?,?,00000000,?), ref: 0041F8F5
ModifyMenuA.USER32(?,?,?,?,?), ref: 0041F91A
AppendMenuA.USER32(?,?,?,?), ref: 0041F962
ModifyMenuA.USER32(?,?,?,?,?), ref: 0041F987

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Menu$Append$Modify$CreatePopup
String ID:
API String ID: 3846898120-0
Opcode ID: da91b9976c8fdf4bc74e4b14ddb116b74e8fb59e34879197afbe1e6f3069b9ed
Instruction ID: 6331f3c5b2ce11e520301fedc0f4dee95f721aef72460b711d7f2ecbe8015322
Opcode Fuzzy Hash: da91b9976c8fdf4bc74e4b14ddb116b74e8fb59e34879197afbe1e6f3069b9ed
Instruction Fuzzy Hash: 80D19BB16043049BD714DF58D880AABBBE4FF89714F04493EF98593351E738AC4ACB9A

Function 0046DE5B Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0046DEC8
GetStdHandle.KERNEL32(000000F4,00496864,00000000,?,00000000,?), ref: 0046DF9E
WriteFile.KERNEL32(00000000), ref: 0046DFA5

Strings

Microsoft Visual C++ Runtime Library, xrefs: 0046DF74
Runtime Error!Program: , xrefs: 0046DF2E
<program name unknown>, xrefs: 0046DED8
..., xrefs: 0046DF1A

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 2c72b3fb22c3e8420460721bb6a56f27edb8d1ba0b9dbbdbb575d77b50668cac
Instruction ID: e1cdace9fde268650fb574c7897b86e9c1c82a136065a3724cd4c4b22c3ac008
Opcode Fuzzy Hash: 2c72b3fb22c3e8420460721bb6a56f27edb8d1ba0b9dbbdbb575d77b50668cac
Instruction Fuzzy Hash: 7A31A472F41218AFDF24EB60CC46FEA776CEB45304F54087BF44AD6190F678A9418B6A

Function 00426630 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93networkCOMMON

Download Yara Rule

APIs

accept.WS2_32 ref: 00426674

Strings

%s:%d, xrefs: 004266EE
P, xrefs: 0042666C

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: accept
String ID: %s:%d$P
API String ID: 3005279540-612342447
Opcode ID: 9b9e7bcb60eda2b7971b7aedf1127c7e7fccffedd67a5ec0e35e4df5b4722916
Instruction ID: 39fe134afe0820dc6a39a9f4848f48722b6c3a0df56db430c035ad0768343434
Opcode Fuzzy Hash: 9b9e7bcb60eda2b7971b7aedf1127c7e7fccffedd67a5ec0e35e4df5b4722916
Instruction Fuzzy Hash: 4B318471204A015FD310EB28EC88DBF73E8FFD4729F044A2DF5A1922D0EA7499198B55

Function 0047F45B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 0047F477
GetStockObject.GDI32(0000000D), ref: 0047F47F
GetObjectA.GDI32(00000000,0000003C,?), ref: 0047F48C
GetDC.USER32(00000000), ref: 0047F49B
MulDiv.KERNEL32(?,00000048,00000000), ref: 0047F4BE
ReleaseDC.USER32(00000000,00000000), ref: 0047F4C9

Strings

System, xrefs: 0047F470, 0047F4DF

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Object$Stock$Release
String ID: System
API String ID: 1719843520-3470857405
Opcode ID: 3cc53a2c22f20d383b3867beda79e1b6c2ca13ec31ce00896ac74c68c8ffa7d3
Instruction ID: bdc88ec613434e5e0144434789ed12a36c59226cbe6fb319b369e670486df1ab
Opcode Fuzzy Hash: 3cc53a2c22f20d383b3867beda79e1b6c2ca13ec31ce00896ac74c68c8ffa7d3
Instruction Fuzzy Hash: 8B118631A00618BBEB109BA1DC49FEF3BB8EB14751F04843AFA05E61C0E7749D05C7A8

Function 0045EA40 Relevance: 12.3, APIs: 8, Instructions: 306COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 0045ED98
__ftol.LIBCMT ref: 0045EDB5
__ftol.LIBCMT ref: 0045EDD1
__ftol.LIBCMT ref: 0045EDEB
__ftol.LIBCMT ref: 0045EE09
__ftol.LIBCMT ref: 0045EE27
__ftol.LIBCMT ref: 0045EE43
__ftol.LIBCMT ref: 0045EE5D

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: __ftol
String ID:
API String ID: 495808979-0
Opcode ID: 6cddb77b8bf7e40a7c8c8006c2caa328126905ed49c06548928291eb1914bb5a
Instruction ID: 4345d517504d49e37df0313702906a1eeff355aced3ded4eed1a76419b39ac18
Opcode Fuzzy Hash: 6cddb77b8bf7e40a7c8c8006c2caa328126905ed49c06548928291eb1914bb5a
Instruction Fuzzy Hash: FCD14372909342DFD3019F22D08925ABFB0FFD5744FA60999E0D56626AE331C978CF86

Function 0040C650 Relevance: 12.2, APIs: 8, Instructions: 198COMMON

Download Yara Rule

APIs

Part of subcall function 004800B5: __EH_prolog.LIBCMT ref: 004800BA
Part of subcall function 004800B5: BeginPaint.USER32(?,?,?,?,004072F9), ref: 004800E3

Part of subcall function 0047FC66: GetClipBox.GDI32(?,?), ref: 0047FC6D

GetClientRect.USER32(?,?), ref: 0040C69E
IntersectRect.USER32(?,?,?), ref: 0040C6B6
IsRectEmpty.USER32(?), ref: 0040C6E6
GetObjectA.GDI32(?,00000018,?), ref: 0040C71D
IntersectRect.USER32(?,?,?), ref: 0040C798
IsRectEmpty.USER32(?), ref: 0040C7A3
DPtoLP.GDI32(?,?,00000002), ref: 0040C866
IsWindow.USER32(?), ref: 0040C8C8

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$EmptyIntersect$BeginClientClipH_prologObjectPaintWindow
String ID:
API String ID: 611846025-0
Opcode ID: 18bedf412ef574f68bff7ee7ed97e4ed801b3479abf91fd7601cc4a2c14a588a
Instruction ID: 8bc3ffdda0b592d459f9f67de61b63182c9fbf4ba877a87485173b3433439645
Opcode Fuzzy Hash: 18bedf412ef574f68bff7ee7ed97e4ed801b3479abf91fd7601cc4a2c14a588a
Instruction Fuzzy Hash: A5812AB5508742DFC324DF65C884AABB7E9FBC8704F008E2EF59A93250D734A909CB56

Function 0046D894 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,004690D9), ref: 0046D8AF
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,004690D9), ref: 0046D8C3
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,004690D9), ref: 0046D8EF
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,004690D9), ref: 0046D927
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,004690D9), ref: 0046D949
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,004690D9), ref: 0046D962
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,004690D9), ref: 0046D975
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0046D9B3

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 56ff4066ecb744412af1ddb00a4af03c1b9f60664bc5c314ec9f7b4a68efa160
Instruction ID: ce85a42c12010ef769005a935ade716c5bc32c347a2b90035eb4b5e85346da1c
Opcode Fuzzy Hash: 56ff4066ecb744412af1ddb00a4af03c1b9f60664bc5c314ec9f7b4a68efa160
Instruction Fuzzy Hash: BC31F2F2F092556F9B203F745C8883BB69CEA46748B15083FF552D3300F6294C4987AB

Function 00433F40 Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 00434011

Part of subcall function 0047D97F: IsWindowEnabled.USER32(?), ref: 0047D989

GetClientRect.USER32(?,?), ref: 00433F67
PtInRect.USER32(?,?,?), ref: 00433F7C
ClientToScreen.USER32(?,?), ref: 00433F8D
WindowFromPoint.USER32(?,?), ref: 00433F9D
ReleaseCapture.USER32 ref: 00433FB7
GetCapture.USER32 ref: 00433FD1
SetCapture.USER32(?), ref: 00433FDC

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Capture$ClientRectReleaseWindow$EnabledFromPointScreen
String ID:
API String ID: 3076215760-0
Opcode ID: 2b721b0132b1722d26e41dcb69415f6e9e78d1ea413631893c90b1fbc7456ded
Instruction ID: b97ab4dc60735a0e062687e1650fb11a8c4410ec0fa4102250131f383faa6a77
Opcode Fuzzy Hash: 2b721b0132b1722d26e41dcb69415f6e9e78d1ea413631893c90b1fbc7456ded
Instruction Fuzzy Hash: 0821C4362046006BD315EF19D848ABF73B4AFC8709F08492EF94582251E779ED058B69

Function 0040A870 Relevance: 12.1, APIs: 8, Instructions: 55COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0040A88C
PtInRect.USER32(?,?,?), ref: 0040A8A1
ReleaseCapture.USER32 ref: 0040A8B1
InvalidateRect.USER32(?,00000000,00000000), ref: 0040A8BF
GetCapture.USER32 ref: 0040A8CF
SetCapture.USER32(?), ref: 0040A8DA
InvalidateRect.USER32(?,00000000,00000000), ref: 0040A8FB
SetCapture.USER32(?), ref: 0040A905

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CaptureRect$Invalidate$ClientRelease
String ID:
API String ID: 3559558096-0
Opcode ID: f6f8430d9d10813b5d2994fc306f6d3cb4f5aab29afc455156f4be81325058e2
Instruction ID: d2163a438d1c4d38cef08cc3bafcca1165ed7bbf56b64a676b5a631c321f4ca4
Opcode Fuzzy Hash: f6f8430d9d10813b5d2994fc306f6d3cb4f5aab29afc455156f4be81325058e2
Instruction Fuzzy Hash: 2D114C76500B10AFD360AF64DC48BAB77A8BB84700F048E2EF586D2291EB34A815CB59

Function 0040EAD0 Relevance: 10.8, APIs: 7, Instructions: 268windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0040EB0D
GetParent.USER32(?), ref: 0040EB1F
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 0040EB47
GetWindowRect.USER32(?,?), ref: 0040EBD1
InvalidateRect.USER32(?,?,00000001,?), ref: 0040EBF4
GetWindowRect.USER32(?,?), ref: 0040EDBC
InvalidateRect.USER32(?,?,00000001,?), ref: 0040EDDD

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$Window$Invalidate$MessageParentSend
String ID:
API String ID: 236041146-0
Opcode ID: e02ca1a74122d02a76a6c8d4cab74a4d7d151bc96e7bc0418baa7964b6ab5a36
Instruction ID: c3c34b3b071058090f9e39a8685e3b2a14625a06d78a8c2eb5b7c76864c06917
Opcode Fuzzy Hash: e02ca1a74122d02a76a6c8d4cab74a4d7d151bc96e7bc0418baa7964b6ab5a36
Instruction Fuzzy Hash: F491C6B16043059BD724EF66D840B6B73E4AF84758F04492EF945AB3C2E738ED118B99

Function 00442C90 Relevance: 10.8, APIs: 7, Instructions: 260windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00442CBD
GetParent.USER32(?), ref: 00442CC9
GetClientRect.USER32(?,?), ref: 00442CDA

Part of subcall function 0047FDF7: ClientToScreen.USER32(004067F8,?), ref: 0047FE0B
Part of subcall function 0047FDF7: ClientToScreen.USER32(004067F8,?), ref: 0047FE14

GetParent.USER32(?), ref: 00442CEC

Part of subcall function 0047FDBB: ScreenToClient.USER32(?,?), ref: 0047FDCF
Part of subcall function 0047FDBB: ScreenToClient.USER32(?,?), ref: 0047FDD8

Part of subcall function 0047FF4D: __EH_prolog.LIBCMT ref: 0047FF52
Part of subcall function 0047FF4D: GetDC.USER32(?), ref: 0047FF7B

SendMessageA.USER32 ref: 00442D1F

Part of subcall function 0047F849: SelectObject.GDI32(004050D5,00000000), ref: 0047F86B
Part of subcall function 0047F849: SelectObject.GDI32(004050D5,?), ref: 0047F881

GetTextExtentPoint32A.GDI32(?,004AC0E8,00000001,?), ref: 00442D4C
EqualRect.USER32(?,?), ref: 00442F0A

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Client$Screen$Rect$ObjectParentSelect$EqualExtentH_prologMessagePoint32SendText
String ID:
API String ID: 98060165-0
Opcode ID: 6929b81689a2a3f7ac2d1929fbce6542a7902516b3159d253fd991cf73ed5da3
Instruction ID: 810e4dc79026fd74f2114e6213ef83f9636c8a8d514c5ae71b2401d0bcde5992
Opcode Fuzzy Hash: 6929b81689a2a3f7ac2d1929fbce6542a7902516b3159d253fd991cf73ed5da3
Instruction Fuzzy Hash: 1F91AC716087019FD718DF28C981A6BB7E5EBC8704F544A2EF596C3341DBB8E809CB5A

Function 0041A570 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 196windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0041A64C
SendMessageA.USER32(?,00008003,00000000,00000000), ref: 0041A663
GetWindowRect.USER32(?,00000000), ref: 0041A6B5
GetClientRect.USER32(?,00000000), ref: 0041A70D
GetWindowRect.USER32(?,00000000), ref: 0041A731

Strings

`qA, xrefs: 0041A781

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: RectWindow$ClientMessageSend
String ID: `qA
API String ID: 1071774122-2154376067
Opcode ID: 71f1d8d3d19a1bc522b742d81ad01087ef89310e37353c0a1c838910c5fec8d3
Instruction ID: 95dc7c2aab6c451b5e896e07e5430953efc1b4d146725dd20a392e36406c3e45
Opcode Fuzzy Hash: 71f1d8d3d19a1bc522b742d81ad01087ef89310e37353c0a1c838910c5fec8d3
Instruction Fuzzy Hash: 0961B3B16043519FC710DF65C884AAFBBE8EF88744F044A2EF98597381D638DE45CB9A

Function 00481C9F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000019F,00000000,00000000), ref: 00481CC3
GetParent.USER32(?), ref: 00481CCA

Part of subcall function 0047D7F0: GetWindowLongA.USER32(?,000000F0), ref: 0047D7FC

SendMessageA.USER32(?,00000187,00000000,00000000), ref: 00481D1D
SendMessageA.USER32(0000AC84,00000111,?,?), ref: 00481D6E
SendMessageA.USER32(?,00000185,00000000,00000000), ref: 00481DF9

Strings

, xrefs: 00481CA0

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend$LongParentWindow
String ID:
API String ID: 779260966-3916222277
Opcode ID: 0ee10392b1e08a1c42c96366692289a08096ae3b9befb0cc3c1e0cfb9b464ceb
Instruction ID: 6412636678c8b38922af8636e79bca1c99986faeaee5b9ed41c37c9a28e03f04
Opcode Fuzzy Hash: 0ee10392b1e08a1c42c96366692289a08096ae3b9befb0cc3c1e0cfb9b464ceb
Instruction Fuzzy Hash: B031D9706107146FCA247A768C81E7F75DDEF84748B154D2FF552C22A1CB19EC038769

Function 00435D00 Relevance: 10.6, APIs: 7, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00435D1B

Part of subcall function 0047D99A: EnableWindow.USER32(?,00000000), ref: 0047D9A8

Part of subcall function 0047D716: GetDlgItem.USER32(?,?), ref: 0047D724

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00435D55
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00435D6C
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00435DBD
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00435DF7
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00435E24
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00435E5A

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend$EnableItemWindow
String ID:
API String ID: 607626308-0
Opcode ID: 613847ae0913facc45eea72d647a62a2d91bf6931fe7c4dc2f49549abb49e6c0
Instruction ID: 95e086c19d1941256825895026780c29aeb79f9cd58caf15b4b9cc29000c3e7c
Opcode Fuzzy Hash: 613847ae0913facc45eea72d647a62a2d91bf6931fe7c4dc2f49549abb49e6c0
Instruction Fuzzy Hash: A63190B1790B0027D6386235CC96FEF2265AFC5B04F10991EB35F9F1C6DEA8A841871C

Function 0047D195 Relevance: 10.6, APIs: 7, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0047D1C9
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0047D1F2
UpdateWindow.USER32(?), ref: 0047D20E
SendMessageA.USER32(?,00000121,00000000,?), ref: 0047D234
SendMessageA.USER32(?,0000036A,00000000,00000001), ref: 0047D253
UpdateWindow.USER32(?), ref: 0047D296
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0047D2C9

Part of subcall function 0047D7F0: GetWindowLongA.USER32(?,000000F0), ref: 0047D7FC

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 35e05b8c82dbb1be7e1a562e4a4a25e49d289926c3fe11b26b1b89f88913af98
Instruction ID: 40ee9a522f2c65808d61ea3afd221a1b3b3d87dc79be56c2a097cb89df69b4ac
Opcode Fuzzy Hash: 35e05b8c82dbb1be7e1a562e4a4a25e49d289926c3fe11b26b1b89f88913af98
Instruction Fuzzy Hash: 8141C530A047419BD7209F26CC48A5FBBF4FFC5B05F048A6EF48992292D779C906CB5A

Function 004819F0 Relevance: 10.6, APIs: 7, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00483114: __EH_prolog.LIBCMT ref: 00483119

Part of subcall function 0047D7F0: GetWindowLongA.USER32(?,000000F0), ref: 0047D7FC

SendMessageA.USER32(?,000001A1,00000000,00000000), ref: 00481A39
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 00481A48
SendMessageA.USER32(?,0000018E,00000000,00000000), ref: 00481A61
SendMessageA.USER32(?,0000018E,00000000,00000000), ref: 00481A89
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 00481A98
SendMessageA.USER32(?,00000198,?,?), ref: 00481AAE
PtInRect.USER32(?,000000FF,?), ref: 00481ABA

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend$H_prologLongRectWindow
String ID:
API String ID: 2846605207-0
Opcode ID: 9f99a98315091b3dd1381ca61ab31afeb6a0067b443383ca9c02bd4a44fa8318
Instruction ID: d30bdc6135c0398e81d8811c593015a2f47b5e8869d0c7423fd7c99fa950f496
Opcode Fuzzy Hash: 9f99a98315091b3dd1381ca61ab31afeb6a0067b443383ca9c02bd4a44fa8318
Instruction Fuzzy Hash: F2312771A0060DFFDF14EF94CC81DAEB7B9EB44358B10886AE515A72A1D774AE02DB14

Function 004778C2 Relevance: 10.6, APIs: 7, Instructions: 80windowstringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,0000000C,?,?,0041EF79,?,-00000001,00000000,?,?,?,004A9B70), ref: 004778CC
GetFocus.USER32 ref: 004778E7

Part of subcall function 0047B4A2: UnhookWindowsHookEx.USER32(?), ref: 0047B4C7

IsWindowEnabled.USER32(?), ref: 00477910
EnableWindow.USER32(?,00000000), ref: 00477922
EnableWindow.USER32(?,00000001), ref: 0047796B
IsWindow.USER32(?), ref: 00477971
SetFocus.USER32(?), ref: 0047797F

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$EnableFocus$EnabledHookUnhookWindowslstrlen
String ID:
API String ID: 1607871872-0
Opcode ID: 8d9d7e3bc42763ef059778d6092419a618daa850abcb2dcd86c6a7c03b7e8ce8
Instruction ID: 4ed47c3e99b53dd9193c064822e02fb9f67b25441a7bec857956d60e23f3cb4a
Opcode Fuzzy Hash: 8d9d7e3bc42763ef059778d6092419a618daa850abcb2dcd86c6a7c03b7e8ce8
Instruction Fuzzy Hash: 232177B12047016BEB216F32DC46BAF77D8EF44314F04882FF69995291DB79E805C759

Function 00483DF9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 00483E27
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00483E4A
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00483E69
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00483E79
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00483E83

Strings

software, xrefs: 00483E11

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 73d492b1a5fcfd96b4c7dbbb870a3445d144825fb12b04fc054d0ded20722daf
Instruction ID: 432a204db6715a2159e73f5973f6336aad7929a4e65763466d76983092c40cd8
Opcode Fuzzy Hash: 73d492b1a5fcfd96b4c7dbbb870a3445d144825fb12b04fc054d0ded20722daf
Instruction Fuzzy Hash: 2A11B372901159FBCB21DF9ACC88DEFFFBCEF89B04B1444AAA504A2121D7719A00DB64

Function 00468CAD Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00468CEB
GetSystemMetrics.USER32(00000000), ref: 00468D03
GetSystemMetrics.USER32(00000001), ref: 00468D0A
lstrcpyA.KERNEL32(?,DISPLAY), ref: 00468D2E

Strings

B, xrefs: 00468CCC
DISPLAY, xrefs: 00468D28

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: 656acd6b068f280b62ae5e250e9e7e597907c504f4fb3a344f0a49f846615b6c
Instruction ID: c23c31d7326447d3e6e80af63c1d4c735b61855b717f9aec61f0ab42c110a03d
Opcode Fuzzy Hash: 656acd6b068f280b62ae5e250e9e7e597907c504f4fb3a344f0a49f846615b6c
Instruction Fuzzy Hash: 0F110A71601224AFCF119F64CC8499B7FA8EF16790B04496BFC05EE181EBB9D801CBB9

Function 0047D360 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,0047D65A,?,00020000), ref: 0047D369
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 0047D372
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0047D386
FreeLibrary.KERNEL32(00000000), ref: 0047D3C9

Strings

COMCTL32.DLL, xrefs: 0047D362, 0047D368, 0047D36F
InitCommonControlsEx, xrefs: 0047D37E

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: 5e9cf15a886a76b891613edd3832a28912b75c72a29d399ed24dc58c0b6e6b03
Instruction ID: 3b6c66edcffcfe01f0d6de5bc83cb0134f674d5312ef0c0e335769d9c906e398
Opcode Fuzzy Hash: 5e9cf15a886a76b891613edd3832a28912b75c72a29d399ed24dc58c0b6e6b03
Instruction Fuzzy Hash: 4DF0A932A10F12574721AF749C885AF76B8AFD5751719483AFC09E3240C724DD05976A

Function 0047F4EC Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 0047F4F8
GetSysColor.USER32(00000010), ref: 0047F4FF
GetSysColor.USER32(00000014), ref: 0047F506
GetSysColor.USER32(00000012), ref: 0047F50D
GetSysColor.USER32(00000006), ref: 0047F514
GetSysColorBrush.USER32(0000000F), ref: 0047F521
GetSysColorBrush.USER32(00000006), ref: 0047F528

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 53d8ce0e8b1e2f3aacae66e40443110d1079d1a0a00159bd9c770028d17ebcb2
Instruction ID: 4fe4e69226b2b4789c2fb7290f1ae54501e5d23c316b8edb4a1cc38c28838c21
Opcode Fuzzy Hash: 53d8ce0e8b1e2f3aacae66e40443110d1079d1a0a00159bd9c770028d17ebcb2
Instruction Fuzzy Hash: 4DF01C719407489BD730BF729D09B4BBAE0FFC4B10F020D2ED2858BA90E6B5A440DF54

Function 0040CA60 Relevance: 9.3, APIs: 6, Instructions: 316windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0040CA9F
CreateRectRgn.GDI32(00000000,00000000,00000001,?), ref: 0040CBC0
SetRect.USER32(?,00000000,00000000,00000001,?), ref: 0040CBE9

Part of subcall function 00407E90: __ftol.LIBCMT ref: 00407FB5
Part of subcall function 00407E90: __ftol.LIBCMT ref: 00407FC2

FillRgn.GDI32(?,?,?), ref: 0040CC66
PatBlt.GDI32(?,00000000,00000000,00000001,?,00F00021), ref: 0040CCD9

Part of subcall function 00404600: GetSysColor.USER32(0000000F), ref: 0040460D

Part of subcall function 004802B2: __EH_prolog.LIBCMT ref: 004802B7
Part of subcall function 004802B2: CreateSolidBrush.GDI32(?), ref: 004802D4

GetObjectA.GDI32(?,00000018,?), ref: 0040CD55

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$Create__ftol$BrushClientColorFillH_prologObjectSolid
String ID:
API String ID: 522557250-0
Opcode ID: 056a07af5fb3190f3b56d8fc21caa6192e3384281ab980cf411a30994ddd2c38
Instruction ID: 997f1dabdecaec79ed9a03202355d8bd87ba4df54ce9f80ae6de76d3865f47da
Opcode Fuzzy Hash: 056a07af5fb3190f3b56d8fc21caa6192e3384281ab980cf411a30994ddd2c38
Instruction Fuzzy Hash: B4C18171108741DFD324DB65C885BAFB7E8AF84704F148D2EF58A93291DB78E809CB66

Function 0041C240 Relevance: 9.2, APIs: 6, Instructions: 181windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004800B5: __EH_prolog.LIBCMT ref: 004800BA
Part of subcall function 004800B5: BeginPaint.USER32(?,?,?,?,004072F9), ref: 004800E3

Part of subcall function 0047FC66: GetClipBox.GDI32(?,?), ref: 0047FC6D

IsRectEmpty.USER32(?), ref: 0041C28D
GetSysColor.USER32(0000000F), ref: 0041C29E

Part of subcall function 004802B2: __EH_prolog.LIBCMT ref: 004802B7
Part of subcall function 004802B2: CreateSolidBrush.GDI32(?), ref: 004802D4

Part of subcall function 0047F849: SelectObject.GDI32(004050D5,00000000), ref: 0047F86B
Part of subcall function 0047F849: SelectObject.GDI32(004050D5,?), ref: 0047F881

PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0041C2E8
GetClientRect.USER32(?,?), ref: 0041C301
LoadBitmapA.USER32(?,?), ref: 0041C338
GetObjectA.GDI32(?,00000018,?), ref: 0041C387

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Object$H_prologRectSelect$BeginBitmapBrushClientClipColorCreateEmptyLoadPaintSolid
String ID:
API String ID: 4061870766-0
Opcode ID: 05baf120bacbfc99f99e3b3ec70eecfbb6db9668004512db879a527f7b78b44a
Instruction ID: 6eb3e4f870aafdba2d08adba4ac2adf5493290cfd60f1c0f82cacb724bdf17be
Opcode Fuzzy Hash: 05baf120bacbfc99f99e3b3ec70eecfbb6db9668004512db879a527f7b78b44a
Instruction Fuzzy Hash: 5F615D71118781AFD314EB69CC45FAFB7E8FBC5714F048A1DB59983280DB789908CB56

Function 004190F0 Relevance: 9.2, APIs: 6, Instructions: 176windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00419141
IsWindow.USER32(?), ref: 00419156
IsChild.USER32(?,?), ref: 00419167
SetFocus.USER32(?), ref: 00419178
IsWindow.USER32(?), ref: 00419270
IsWindowVisible.USER32(?), ref: 0041927E

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$ChildFocusVisible
String ID:
API String ID: 372613587-0
Opcode ID: 6354af6bb81abe9440a98383328ec3d022225359753991fc7f69bfef5d079c12
Instruction ID: 412bce5923efbe157ec192e7ba206abb68f9ab970b6a714b9201e6aaa5f5b2cf
Opcode Fuzzy Hash: 6354af6bb81abe9440a98383328ec3d022225359753991fc7f69bfef5d079c12
Instruction Fuzzy Hash: 2E519FB1600306AFD720EF65D880DABB3E8BF84758F04492EF95597241DB38EC45CB69

Function 00434020 Relevance: 9.1, APIs: 6, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004800B5: __EH_prolog.LIBCMT ref: 004800BA
Part of subcall function 004800B5: BeginPaint.USER32(?,?,?,?,004072F9), ref: 004800E3

GetClientRect.USER32(?,?), ref: 0043405D

Part of subcall function 0047F7F6: SelectObject.GDI32(?,?), ref: 0047F7FE

PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 004340FA
GetObjectA.GDI32(00000000,00000018,?), ref: 00434115
SelectObject.GDI32(00000000,00000000), ref: 00434130
SelectObject.GDI32(00000000,?), ref: 0043415F
DeleteDC.GDI32(00000000), ref: 00434162

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Object$Select$BeginClientDeleteH_prologPaintRect
String ID:
API String ID: 2713081445-0
Opcode ID: 3548499cc9acced3ebf0b38c7ff5986f479c7aa648a75a10cfd23034fceecce6
Instruction ID: d21bf5ff6bb3b635e80332994c6ec75982ab2133e09bf4ef55da78f53b15c019
Opcode Fuzzy Hash: 3548499cc9acced3ebf0b38c7ff5986f479c7aa648a75a10cfd23034fceecce6
Instruction Fuzzy Hash: 95514D71208341AFD350DF64DC49F6FBBE8EBC9704F14492DB68987291D778A809CB66

Function 0042BB80 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 0042BBC2
IsRectEmpty.USER32(?), ref: 0042BBF3
OffsetRect.USER32(?,00000000,?), ref: 0042BC43
LPtoDP.GDI32(?,?,00000002), ref: 0042BC78
GetClientRect.USER32(?,?), ref: 0042BC87
IntersectRect.USER32(?,?,?), ref: 0042BC9C

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$ClientCopyEmptyIntersectOffset
String ID:
API String ID: 1743551499-0
Opcode ID: f94500b050601fa10bef35236de7b05a9d8d1dc7660ff5e7961c24231d76e063
Instruction ID: df38e5078ccb4afd0a5fedec8bb3bb23683f123dba0658a64f8944dce336540b
Opcode Fuzzy Hash: f94500b050601fa10bef35236de7b05a9d8d1dc7660ff5e7961c24231d76e063
Instruction Fuzzy Hash: 184106B66087019FC318DF69D8809ABB7E9FBC8710F048A2EF556C7251DB34D945CBA2

Function 0041D5B0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041D63D
wsprintfA.USER32 ref: 0041D659

Strings

- , xrefs: 0041D684
%d / %d], xrefs: 0041D637
- [, xrefs: 0041D5D8
?? / %d], xrefs: 0041D653

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: wsprintf
String ID: - $ - [$%d / %d]$?? / %d]
API String ID: 2111968516-3107364983
Opcode ID: 4f06d0d1ff5749c31f2e21615bda5ecec382eef5573ff31183a51f9c69912ab6
Instruction ID: dded039bc77661b50438146b76fb1853492d0720877044d8c38d4c94ed3f7a9f
Opcode Fuzzy Hash: 4f06d0d1ff5749c31f2e21615bda5ecec382eef5573ff31183a51f9c69912ab6
Instruction Fuzzy Hash: 47319EB0208740AFD314EB65C841BEBB7E4AF94714F00891EF49E83391DB78AC45CB5A

Function 00482E87 Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(004C92A4,004C9294,00000000,?,004C92A4,?,004830EF,004C9294,00000000,?,00403600), ref: 00482E92
EnterCriticalSection.KERNEL32(004C92C0,00000010,?,004C92A4,?,004830EF,004C9294,00000000,?,00403600), ref: 00482EE1
LeaveCriticalSection.KERNEL32(004C92C0,00000000,?,004C92A4,?,004830EF,004C9294,00000000,?,00403600), ref: 00482EF4
LocalAlloc.KERNEL32(00000000,00000004,?,004C92A4,?,004830EF,004C9294,00000000,?,00403600), ref: 00482F0A
LocalReAlloc.KERNEL32(?,00000004,00000002,?,004C92A4,?,004830EF,004C9294,00000000,?,00403600), ref: 00482F1C
TlsSetValue.KERNEL32(004C92A4,00000000), ref: 00482F58

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 39375d7dcc650da27149be0eb6c618ba8c5f29f64b18ec1be0cb713da148b05e
Instruction ID: fa296fb9dd7251f03c409cf59fe4d6836496ce31ffa3639b9a9b56cf1c75418b
Opcode Fuzzy Hash: 39375d7dcc650da27149be0eb6c618ba8c5f29f64b18ec1be0cb713da148b05e
Instruction Fuzzy Hash: B931AE31100605EFD724EF55C885E6EB7B8FB45324F00892EF55AC7650E7B4E805DB68

Function 0047BCC2 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0047BCC7
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0047BD14
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0047BD36
GetCapture.USER32 ref: 0047BD48
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 0047BD57
WinHelpA.USER32(?,?,?,?), ref: 0047BD6B

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend$CaptureH_prologHelp
String ID:
API String ID: 432264411-0
Opcode ID: afe603f8150a8bda3632b633670486c0dedbeaf893d4599128b5c448664d52e3
Instruction ID: 25a641454ef0e503b93b52990e69aa3d0647c6a742199cc840119920e62b6cc4
Opcode Fuzzy Hash: afe603f8150a8bda3632b633670486c0dedbeaf893d4599128b5c448664d52e3
Instruction Fuzzy Hash: 8E21A031200608BFEB306F65CC85FAE76A9EF04748F04852EB105971E2CBB98C009B14

Function 0045F9D0 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0045F9D6
IsWindow.USER32(00000000), ref: 0045F9E3
GetForegroundWindow.USER32 ref: 0045F9F7
GetParent.USER32(00000000), ref: 0045FA46
IsWindowEnabled.USER32(00000000), ref: 0045FA55
EnableWindow.USER32(00000000,00000000), ref: 0045FA72

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$ActiveEnableEnabledForegroundParent
String ID:
API String ID: 774377434-0
Opcode ID: 8086d2754366d5dc5a8543e42529161d421fa07992e63ad6c491da122b86f100
Instruction ID: 4150a06cf7034545583718447454580504a9db1fd3d42c0fe735236a034ca650
Opcode Fuzzy Hash: 8086d2754366d5dc5a8543e42529161d421fa07992e63ad6c491da122b86f100
Instruction Fuzzy Hash: E411A1316447129BC311DF259C41B6FB7D4BB84B52F04093EFD45D3282EB68A90D8BAB

Function 00481198 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004811CB
GetLastActivePopup.USER32(?), ref: 004811DA
IsWindowEnabled.USER32(?), ref: 004811EF
EnableWindow.USER32(?,00000000), ref: 00481202
GetWindowLongA.USER32(?,000000F0), ref: 00481214
GetParent.USER32(?), ref: 00481222

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 4dac25d47bd0965b8206f954fe76126caa0cb79689d8e6875cf08abf98282134
Instruction ID: e7d06e493802abe04064b76ac671a7bff85576bc60f3cebc5971a60ef6946ad5
Opcode Fuzzy Hash: 4dac25d47bd0965b8206f954fe76126caa0cb79689d8e6875cf08abf98282134
Instruction Fuzzy Hash: FF1151326017215786217AA95C88B2FB7DC9F59B61F190EABED01F3320DB28DC0343AD

Function 0040A340 Relevance: 9.1, APIs: 6, Instructions: 54windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000002,?), ref: 0040A35B
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 0040A36D
SendMessageA.USER32(?,0000110A,00000002,?), ref: 0040A37B
SendMessageA.USER32(?,0000110A,00000001,?), ref: 0040A38D
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 0040A39F
SendMessageA.USER32(?,0000110A,00000001,?), ref: 0040A3AD

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ff1a9f4253e625b7349589b18840991f38973b0a5bdff81bbf178506d5d1df43
Instruction ID: 73404120646dfc5cdd49f60a6f21fb7dc03b8df4c212bb473959d8f025816bbc
Opcode Fuzzy Hash: ff1a9f4253e625b7349589b18840991f38973b0a5bdff81bbf178506d5d1df43
Instruction Fuzzy Hash: B40167B2B403053AF534D6658CC1FA7A2AD9F98B51F018619BB41AB5C0C5F5EC414670

Function 0042E850 Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0042E872
ScreenToClient.USER32(00000001,?), ref: 0042E881

Part of subcall function 0042E900: DPtoLP.GDI32(?,?,00000001), ref: 0042EA17

LoadCursorA.USER32(00000000,00007F85), ref: 0042E8B1
SetCursor.USER32(00000000), ref: 0042E8B8
LoadCursorA.USER32(00000000,00007F84), ref: 0042E8D7
SetCursor.USER32(00000000), ref: 0042E8DE

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Cursor$Load$ClientScreen
String ID:
API String ID: 789353160-0
Opcode ID: 10277f8a53683f5efdd156ae0676cb6255e04a50418e51cae4d7f7c69dfc8bf8
Instruction ID: 933a0753f31bb67e5e5ebcc9e0f789046bcc62aad061dd797fd6cb9deecdf40c
Opcode Fuzzy Hash: 10277f8a53683f5efdd156ae0676cb6255e04a50418e51cae4d7f7c69dfc8bf8
Instruction Fuzzy Hash: 5111A531608211ABDB10EB64ED49EAF73A8AF94B01F444D2EF585832C0EA749D49C7B7

Function 00480B9D Relevance: 9.0, APIs: 6, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00480BA0

Part of subcall function 00480A42: GetWindowLongA.USER32(00000000,000000F0), ref: 00480A53

GetParent.USER32(00000000), ref: 00480BC7

Part of subcall function 00480A42: GetClassNameA.USER32(00000000,?,0000000A), ref: 00480A6E
Part of subcall function 00480A42: lstrcmpiA.KERNEL32(?,combobox), ref: 00480A7D

GetWindowLongA.USER32(?,000000F0), ref: 00480BE2
GetParent.USER32(?), ref: 00480BF0
GetDesktopWindow.USER32 ref: 00480BF4
SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 00480C08

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
String ID:
API String ID: 2818563221-0
Opcode ID: 69f53f737a07e3d5c25be8575cf74231f744ad2b076bfe0607cbbb96d32ecf58
Instruction ID: 293a4b80195ba456fc6a731f70fe86f2b486ed2aadefcd9eef27e98716f0b3f4
Opcode Fuzzy Hash: 69f53f737a07e3d5c25be8575cf74231f744ad2b076bfe0607cbbb96d32ecf58
Instruction Fuzzy Hash: 57F0F931150A1122D3623E245D84F7F51599B82B50F190E2AFC15B32C0EB28DC45C36C

Function 00480AB7 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00480AC6
GetWindow.USER32(?,00000005), ref: 00480AD7
GetDlgCtrlID.USER32(00000000), ref: 00480AE0
GetWindowLongA.USER32(00000000,000000F0), ref: 00480AEF
GetWindowRect.USER32(00000000,?), ref: 00480B01
PtInRect.USER32(?,?,?), ref: 00480B11

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 45a7d241d3b61ad64b6703739d56f95e7d134004587669839fb0485012f918d6
Instruction ID: c38ed65f3cfea3f4964f514232e8b800833a64f939443e446475e3764f328dde
Opcode Fuzzy Hash: 45a7d241d3b61ad64b6703739d56f95e7d134004587669839fb0485012f918d6
Instruction Fuzzy Hash: A2018F32204519BBDB11AF94DC08EBF376CEF44715F044835F901A21A0E734E90ACB98

Function 0046DC7D Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 0046DC9C
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 0046DCD1
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0046DD31

Strings

__MSVCRT_HEAP_SELECT, xrefs: 0046DCCC
__GLOBAL_HEAP_SELECTED, xrefs: 0046DD0B

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 07267485e620c1689c10cec957b95b75f8fe2c23a51ae4e15285048aecd1e394
Instruction ID: 58bd8baad6836138cc718c01942112248dca899c3035c8450732a8d76a46a208
Opcode Fuzzy Hash: 07267485e620c1689c10cec957b95b75f8fe2c23a51ae4e15285048aecd1e394
Instruction Fuzzy Hash: 81310AB1F412486DEB31B770AC457EE3B689B06308F2804EBD145D6282F6798E85CB1F

Function 0047B6B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000405,00000000,?), ref: 0047B769
GetWindowLongA.USER32(?,000000FC), ref: 0047B77A
GetWindowLongA.USER32(?,000000FC), ref: 0047B78A
SetWindowLongA.USER32(?,000000FC,?), ref: 0047B7A6

Strings

(, xrefs: 0047B754

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: 2c8007cee36f6119daa016d00f6775d99a488084f054bef316abb95c22acca9f
Instruction ID: 9cf15f738a21a1965533cc8e61dd4528273d1f984472039466eacaf65de6391b
Opcode Fuzzy Hash: 2c8007cee36f6119daa016d00f6775d99a488084f054bef316abb95c22acca9f
Instruction Fuzzy Hash: 85319030600604AFDB24BF75C984BAEBBB4FF48314F14862EE54697791DB78E8058B99

Function 0048394A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0048397B

Part of subcall function 00483A67: lstrlenA.KERNEL32(00000104,00000000,?,004839AB), ref: 00483A9E

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00483A1C
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00483A49

Strings

.HLP, xrefs: 00483A16
.INI, xrefs: 00483A43

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: 412172b0b30fd28655beddf4b6d0c7928414da3cf153ab4ee1b33d2e289351b2
Instruction ID: 6be7c40c2c7b853c845a488de11d372cd6dd6a5bb490bdf564c9ea9255df73a5
Opcode Fuzzy Hash: 412172b0b30fd28655beddf4b6d0c7928414da3cf153ab4ee1b33d2e289351b2
Instruction Fuzzy Hash: 4E3172B5804719AFDB20EF75DC85BDAB7FCAB04314F104DABE189D3141EB78AA848B14

Function 0041FC10 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 0041FC50
GlobalSize.KERNEL32(?), ref: 0041FC73
GlobalSize.KERNEL32(?), ref: 0041FCA3
GlobalUnlock.KERNEL32(?), ref: 0041FCB3

Strings

BM, xrefs: 0041FC6D

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Global$Size$LockUnlock
String ID: BM
API String ID: 2233901773-2348483157
Opcode ID: 4ba921fd154b51d9a7a7e134caec0515ac1312ed8f8f69294ee4f7d87d873235
Instruction ID: c12e6bcfd41faa13811709d4e6ca8dc38177294c995da4c3ec62ec8afcc94795
Opcode Fuzzy Hash: 4ba921fd154b51d9a7a7e134caec0515ac1312ed8f8f69294ee4f7d87d873235
Instruction Fuzzy Hash: 9721C476904658ABC710DFA9D845BDEBBB8FF08720F04456EE819E3381D7385940C7A8

Function 0047BBC8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0047BBFE
wsprintfA.USER32 ref: 0047BC1A
GetClassInfoA.USER32(?,-00000058,?), ref: 0047BC29

Strings

Afx:%x:%x:%x:%x:%x, xrefs: 0047BC14
Afx:%x:%x, xrefs: 0047BBF8

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: wsprintf$ClassInfo
String ID: Afx:%x:%x$Afx:%x:%x:%x:%x:%x
API String ID: 845911565-79760390
Opcode ID: f72d456d323e6dc0f86e2043abd9e10d899d769814a432d7860721aef6172226
Instruction ID: 63993bbd73bedadbae078c4ff8122da037cc831ffaa1e3abb77365ff008649e7
Opcode Fuzzy Hash: f72d456d323e6dc0f86e2043abd9e10d899d769814a432d7860721aef6172226
Instruction Fuzzy Hash: 26214571900609AF8F11EF99DD40AEF7BB8FF48754B14842EF908A2201D7788951CBE9

Function 004179A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIcon.SHELL32(00000001), ref: 00417A19
DestroyCursor.USER32(?), ref: 00417A26
Shell_NotifyIcon.SHELL32 ref: 00417A59

Strings

d, xrefs: 004179C9
X, xrefs: 004179B7

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: IconNotifyShell_$CursorDestroy
String ID: X$d
API String ID: 3039372612-651813629
Opcode ID: ca3eb51f86a52baf87eefaf0837c85ee9e7447d82c0584feef777ca5e4d42a20
Instruction ID: 9e3c888aebae26a3597cc8cc4c0c2eb17e197e7c5c19d90ee2d52cf22480f6af
Opcode Fuzzy Hash: ca3eb51f86a52baf87eefaf0837c85ee9e7447d82c0584feef777ca5e4d42a20
Instruction Fuzzy Hash: C5213875608700AFE310DF15D804B9BBBE5BFC8744F04891EF9C992290EBB59A58CB96

Function 0047A206 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0047A247
GetDlgItem.USER32(?,00000002), ref: 0047A266
IsWindowEnabled.USER32(00000000), ref: 0047A271
SendMessageA.USER32(?,00000111,00000002,00000000), ref: 0047A287

Strings

Edit, xrefs: 0047A251

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$EnabledItemLongMessageSend
String ID: Edit
API String ID: 3499652902-554135844
Opcode ID: c622e6b150300c51dff9b0b256bd743fd017ce67634ba7cdcbeb07e1e4f6e50d
Instruction ID: 5706768c5e4c2b0a61500a03f2cc17a9b18fa80a1d4a2f1f04a5cbda2dbd253c
Opcode Fuzzy Hash: c622e6b150300c51dff9b0b256bd743fd017ce67634ba7cdcbeb07e1e4f6e50d
Instruction Fuzzy Hash: 620108302003016AEA215B21AC49BEF7364AFC1F54F15C86BF50AF13E2CB6ADC61871E

Function 0041FD10 Relevance: 7.8, APIs: 5, Instructions: 265windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041FD4D
MulDiv.KERNEL32(?,?,00000064), ref: 0041FD82
MulDiv.KERNEL32(?,?,00000064), ref: 0041FDAD
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041FF5B
GlobalFree.KERNEL32(00000000), ref: 00420023

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: FreeGlobalObjectStretch
String ID:
API String ID: 3670910119-0
Opcode ID: c16ab1991dbb57188e7ba16890bd35e17eed0db92f7539fc0b78bbbe764956fe
Instruction ID: 6910344424b6b0ec86bdd794808eb9b0d214762c9ffb6f4f26a10b6740c31a62
Opcode Fuzzy Hash: c16ab1991dbb57188e7ba16890bd35e17eed0db92f7539fc0b78bbbe764956fe
Instruction Fuzzy Hash: 6C91B271108345AFC310EF65C885BAFB7E8AB95704F144D2EF69583281DB78EC09CB5A

Function 0042C410 Relevance: 7.7, APIs: 5, Instructions: 229COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 0042C499
GetClientRect.USER32(00000000,?), ref: 0042C4D2
DPtoLP.GDI32 ref: 0042C528
GetClientRect.USER32(00000000,?), ref: 0042C5FC
DPtoLP.GDI32 ref: 0042C652

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$Client$Copy
String ID:
API String ID: 472922470-0
Opcode ID: 9316aedf9bd4ee19e44d08e060143304d266ccf547922c7961503beca7272f56
Instruction ID: 08513fdb5d6a31ae1714d530ca434009b5eccaf40968719e04f8b1dd2ba5e2fc
Opcode Fuzzy Hash: 9316aedf9bd4ee19e44d08e060143304d266ccf547922c7961503beca7272f56
Instruction Fuzzy Hash: 08815D713083559FC714EF69D8D0A6FB3E5BBC8704F804A1EF18A87241DB78A945CB66

Function 0040C450 Relevance: 7.7, APIs: 5, Instructions: 159windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 0040C472
CreateRectRgn.GDI32 ref: 0040C4F4
GetClientRect.USER32(?,?), ref: 0040C51D
FillRgn.GDI32(?,?,?), ref: 0040C596
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0040C60C

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$ClientCreateEmptyFill
String ID:
API String ID: 97219908-0
Opcode ID: 3b8b171492daff3de210e437f7affb0e523094068c4e056d3f3f8397f03aa024
Instruction ID: 2e1b1960b2592c307f3a1f43b063e246da43e16390a1a0a170f70920ebef428d
Opcode Fuzzy Hash: 3b8b171492daff3de210e437f7affb0e523094068c4e056d3f3f8397f03aa024
Instruction Fuzzy Hash: 0E515EB1204701AFD314DF65D885E6BB7E9FF88704F04892EB55A93281D778EC09CBA6

Function 0046D9C6 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 0046DA24
GetFileType.KERNEL32(?,?,00000000), ref: 0046DACF
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 0046DB32
GetFileType.KERNEL32(00000000,?,00000000), ref: 0046DB40
SetHandleCount.KERNEL32 ref: 0046DB77

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: f61d9a11eef4ccd54492a3a7f07c8f5a6f613ac9af6532a07710d7bb6df2a01a
Instruction ID: 253a2f43f934514b883bc701eab13d4d8425c2fa6e6a77ef024890046feaaa37
Opcode Fuzzy Hash: f61d9a11eef4ccd54492a3a7f07c8f5a6f613ac9af6532a07710d7bb6df2a01a
Instruction Fuzzy Hash: 84510731F086419BD714CF68C888A7A77A0EB15728F29466ED452D73E0F738AC06C74E

Function 00461420 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce644e40edd91782462f854e6a326d07eecf95e019fe4761c6dc4ff278adea6
Instruction ID: fbf86999afaad538598c359faf91b92fc44be21e2e5713c0e0de1f4355b43c1e
Opcode Fuzzy Hash: 9ce644e40edd91782462f854e6a326d07eecf95e019fe4761c6dc4ff278adea6
Instruction Fuzzy Hash: 74317C756086428BC710DF69E884A6BB7E8FFD4714F08496FE885C7320EA35DC45CBA6

Function 00418680 Relevance: 7.6, APIs: 5, Instructions: 104windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00418750
WinHelpA.USER32(?,00000000,00000002,00000000), ref: 0041876B
GetMenu.USER32(?), ref: 0041877B
SetMenu.USER32(?,00000000), ref: 00418788
DestroyMenu.USER32(00000000), ref: 00418793

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Menu$DestroyHelpWindow
String ID:
API String ID: 427501538-0
Opcode ID: 956f2d753d0d5cf882c1bfb759888332e842fcf9cdb2cf3bce2f00bbe07d0322
Instruction ID: 4edd920477be23a1f479cf5f5db634dc4ce2f13191daa4902d551dfbf53c56ac
Opcode Fuzzy Hash: 956f2d753d0d5cf882c1bfb759888332e842fcf9cdb2cf3bce2f00bbe07d0322
Instruction Fuzzy Hash: B33103B1600605ABC314AF66DC84EAFB7ACFF45348F154A1EF91593280DB39BC418BA9

Function 00424990 Relevance: 7.6, APIs: 5, Instructions: 103synchronizationCOMMON

Download Yara Rule

APIs

midiStreamStop.WINMM(?,00000000,?,00000000,004244FA,00000000,004C0720,0041AB86,004C0720,?,0041561F,004C0720,004135E6,00000001,00000000,000000FF), ref: 004249C5
midiOutReset.WINMM(?,?,0041561F,004C0720,004135E6,00000001,00000000,000000FF), ref: 004249E3
WaitForSingleObject.KERNEL32(?,000007D0,?,0041561F,004C0720,004135E6,00000001,00000000,000000FF), ref: 00424A06
midiStreamClose.WINMM(?,?,0041561F,004C0720,004135E6,00000001,00000000,000000FF), ref: 00424A43
midiStreamClose.WINMM(?,?,0041561F,004C0720,004135E6,00000001,00000000,000000FF), ref: 00424A77

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: midi$Stream$Close$ObjectResetSingleStopWait
String ID:
API String ID: 3142198506-0
Opcode ID: 724cb76a0e172866382c848733ee82ba73b03dc1c930841afbf5a2502f3b07a0
Instruction ID: 1bf06aafbab09079fdc4124d3f5fed8dd6d6e9b1cfd7b8541d8c32dc67127089
Opcode Fuzzy Hash: 724cb76a0e172866382c848733ee82ba73b03dc1c930841afbf5a2502f3b07a0
Instruction Fuzzy Hash: E8312DB2700A208BCB209FA9E48456FB7E9FF94715B544A3FE186C6640D778DC85CB98

Function 00464D40 Relevance: 7.6, APIs: 5, Instructions: 103timeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,?,?,00000000), ref: 00464D79
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00464DA6
GetLocalTime.KERNEL32(?), ref: 00464DE0
SystemTimeToFileTime.KERNEL32(?,?), ref: 00464DF0
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00464E05

Part of subcall function 00464760: GetFileType.KERNEL32(?,?), ref: 00464769

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: FileTime$Type$DateLocalPointerSystem
String ID:
API String ID: 60630809-0
Opcode ID: a3ea6698b275abc696eb466eebe627a9ccbab6eeca7450a454abd85da5468312
Instruction ID: eda232f623276025bc35ffb20b05a2f9fae7fc7a2e75fd08db975bbb1b82774a
Opcode Fuzzy Hash: a3ea6698b275abc696eb466eebe627a9ccbab6eeca7450a454abd85da5468312
Instruction Fuzzy Hash: 9E3192B25047459FD720DF29D88486BF7E8FBD5314B844E2EF586C2A10E375E9098B62

Function 00414730 Relevance: 7.6, APIs: 5, Instructions: 92windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004147A0
GetMenu.USER32(?), ref: 004147AF
DestroyAcceleratorTable.USER32(?), ref: 004147FC
SetMenu.USER32(?,00000000), ref: 00414811
DestroyMenu.USER32(?,?,?,00410BF4,?), ref: 00414821

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Menu$Destroy$AcceleratorTableWindow
String ID:
API String ID: 1240299919-0
Opcode ID: 1e14909185aa03d2ce9051ada55eda7abc0cfec403494e3ee1ac87ae09d4a41e
Instruction ID: 2531b8a61ce14660c37a950a0bd8ad4e30d8bfaf96f6f4adac7376e7fe2b9835
Opcode Fuzzy Hash: 1e14909185aa03d2ce9051ada55eda7abc0cfec403494e3ee1ac87ae09d4a41e
Instruction Fuzzy Hash: FA31A7B66002065FC710EF66EC44D6B77A8EF84758B05492DFD0597242EB38EC06CBA5

Function 0041A400 Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

IsChild.USER32(?,?), ref: 0041A41C

Part of subcall function 0040F0E0: IsChild.USER32(?,?), ref: 0040F15D
Part of subcall function 0040F0E0: GetParent.USER32(?), ref: 0040F177

GetCursorPos.USER32(?), ref: 0041A434
GetClientRect.USER32(?,?), ref: 0041A443
PtInRect.USER32(?,?,?), ref: 0041A464
SetCursor.USER32(?,?,00000000,?,?,?,?,0041A090), ref: 0041A4E2

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ChildCursorRect$ClientParent
String ID:
API String ID: 1110532797-0
Opcode ID: 68692f958bf294caf36bf399f6e1b5a52c476d53822b0e5d68043130e6f8ecc1
Instruction ID: cea39bb1746f4c9f3cd259587777214366109f9ebde11dc279e6a6c409fadde3
Opcode Fuzzy Hash: 68692f958bf294caf36bf399f6e1b5a52c476d53822b0e5d68043130e6f8ecc1
Instruction Fuzzy Hash: 172195726006015FD720EE69DC49FAF73E8AF84714F04492EF845A3281EA78ED5587AB

Function 0047799D Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004779A2
GetParent.USER32(?), ref: 004779DF
SendMessageA.USER32(?,00000464,00000104,00000000), ref: 00477A07
GetParent.USER32(?), ref: 00477A30
SendMessageA.USER32(?,00000465,00000104,00000000), ref: 00477A4D

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageParentSend$H_prolog
String ID:
API String ID: 1056721960-0
Opcode ID: bc12eec89f52c46b8f110af00d70848b1d3999b66479b5ceefc1bad95b7c34a7
Instruction ID: 1418936a151dab2d7c6c625d1f675e6cb327a7a9c9f2911ce4b93de69c3fdc41
Opcode Fuzzy Hash: bc12eec89f52c46b8f110af00d70848b1d3999b66479b5ceefc1bad95b7c34a7
Instruction Fuzzy Hash: 79318271904216EBDB14EBA5CC95EFEB774FF40318F50852EA429A72D1D7389E05CB18

Function 004066C0 Relevance: 7.6, APIs: 5, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00480001: __EH_prolog.LIBCMT ref: 00480006
Part of subcall function 00480001: GetWindowDC.USER32(?,?,?,004066F1), ref: 0048002F

GetClientRect.USER32 ref: 00406702
GetWindowRect.USER32(?,?), ref: 00406711

Part of subcall function 0047FDBB: ScreenToClient.USER32(?,?), ref: 0047FDCF
Part of subcall function 0047FDBB: ScreenToClient.USER32(?,?), ref: 0047FDD8

OffsetRect.USER32(?,?,?), ref: 0040673C

Part of subcall function 0047FCF8: ExcludeClipRect.GDI32(?,?,?,?,?,7694A5C0,?,?,0040674C,?), ref: 0047FD1D
Part of subcall function 0047FCF8: ExcludeClipRect.GDI32(?,?,?,?,?,7694A5C0,?,?,0040674C,?), ref: 0047FD32

OffsetRect.USER32(?,?,?), ref: 0040675F
FillRect.USER32(?,?,?), ref: 0040677A

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect$Client$ClipExcludeOffsetScreenWindow$FillH_prolog
String ID:
API String ID: 2829754061-0
Opcode ID: 09fa90027cf6f98f38b5f2722aeddd0e24d04d749af12b2d18da0765d840a3e9
Instruction ID: dc89b8ae5296a83881022111ea86ae1b923903b570d64eb2b89b396944e7e026
Opcode Fuzzy Hash: 09fa90027cf6f98f38b5f2722aeddd0e24d04d749af12b2d18da0765d840a3e9
Instruction Fuzzy Hash: E1314176208702AFD714EF24C845FABB7E8FB84714F008A1DF59687290DB38E909CB56

Function 00461330 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,00000000,00460ED2,*.*,004AE560,00000000,00000001,00000001,?), ref: 0046133D

Part of subcall function 004612B0: lstrlenA.KERNEL32(?,?,?,00460E96,?), ref: 004612BE
Part of subcall function 004612B0: GlobalAlloc.KERNEL32(00000040,00000001), ref: 004612CD
Part of subcall function 004612B0: lstrcpyA.KERNEL32(00000000,?), ref: 004612DB

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: lstrlen$AllocGloballstrcpy
String ID:
API String ID: 3558736328-0
Opcode ID: 7385832055597704fc83c8eb10bc3bdd4c55fd1751f0bdb9827ab938937f1a44
Instruction ID: cea29d11dcc3713aaebe405b7a58ce46732040858333df28eb44be7b06c8093a
Opcode Fuzzy Hash: 7385832055597704fc83c8eb10bc3bdd4c55fd1751f0bdb9827ab938937f1a44
Instruction Fuzzy Hash: 6101A1763001016BD7109B5AE888D7FB3ACEBE4762718883FF642C3360EB349C528769

Function 0040A2C0 Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004780A0: SendMessageA.USER32(?,0000110C,00000000,00000040), ref: 004780C1

SendMessageA.USER32(?,0000110A,00000004,?), ref: 0040A2E5
SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 0040A305
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 0040A317
SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 0040A325
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 0040A337

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: eb3858e103705613490c330adc4075b96910c16b1a831ec697ee88d7e6f9933b
Instruction ID: 1eb64b5f61934f966cc2868b48496e5c7f5aed935dc638abbf7cc412ca601443
Opcode Fuzzy Hash: eb3858e103705613490c330adc4075b96910c16b1a831ec697ee88d7e6f9933b
Instruction Fuzzy Hash: 6901A7B27407057AF534AA665CC1FAB92AC9F98B55F01452EFB01E72C0CAF8EC064635

Function 0045FAA0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

EnableWindow.USER32(?,?), ref: 0045FADA
IsWindow.USER32(?), ref: 0045FAF2
SetForegroundWindow.USER32(?), ref: 0045FAF9
IsWindow.USER32(?), ref: 0045FB05
SetActiveWindow.USER32(?), ref: 0045FB0C

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$ActiveEnableForeground
String ID:
API String ID: 714729825-0
Opcode ID: c07db07bcc64382b3799c34b23da58da3d71c057f4944001f3b52a05cabe1ab5
Instruction ID: 40f19136cf31c61f1dcb20d4ac17413723abc6e6eb50c93d440d7330343962d0
Opcode Fuzzy Hash: c07db07bcc64382b3799c34b23da58da3d71c057f4944001f3b52a05cabe1ab5
Instruction Fuzzy Hash: EE0121366046159BC610DF15ED80D2BB7ACEF84751719043EEC49E3312DB65FC09DBAA

Function 0047BB27 Relevance: 7.6, APIs: 5, Instructions: 52stringregistryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0047BB2C
GetClassInfoA.USER32(?,?,?), ref: 0047BB47
RegisterClassA.USER32(?), ref: 0047BB52
lstrcatA.KERNEL32(00000034,?,00000001), ref: 0047BB89
lstrcatA.KERNEL32(00000034,?), ref: 0047BB97

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Classlstrcat$H_prologInfoRegister
String ID:
API String ID: 106226465-0
Opcode ID: 27db6a2e81f7afc8e0704a5db8e0e4911614b3312c9138de525f44e6daff88e4
Instruction ID: 6ae526e4f6185c7297cb7d7c36e92ca8a7843ab7bf4fd98cdcc538f55e903c9b
Opcode Fuzzy Hash: 27db6a2e81f7afc8e0704a5db8e0e4911614b3312c9138de525f44e6daff88e4
Instruction Fuzzy Hash: CB110835900204BEC721AF65CC41BEE7BB8EF05714F00895FF806A7551D7B8AA0097A9

Function 0046DBE9 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,0046B3A2,00473925,00000000,004748A2,?,?,00000001,00000800,004C0721,?,?,0047320B,?,00000000), ref: 0046DBEB
TlsGetValue.KERNEL32(?,0047320B,?,00000000,?,00472C3B,00000000,00000000,00000000), ref: 0046DBF9
SetLastError.KERNEL32(00000000,?,0047320B,?,00000000,?,00472C3B,00000000,00000000,00000000), ref: 0046DC45

Part of subcall function 0046B77C: HeapAlloc.KERNEL32(00000008,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0046B872

TlsSetValue.KERNEL32(00000000,?,0047320B,?,00000000,?,00472C3B,00000000,00000000,00000000), ref: 0046DC1D
GetCurrentThreadId.KERNEL32 ref: 0046DC2E

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: cb8d3af5cb6598ac075a777469f5b3004e484c93d546594ebafbad0d16de5fa9
Instruction ID: 3630b8313dcdd67e40d37fb690600195a21d995f8eb90256244431b1ede19d49
Opcode Fuzzy Hash: cb8d3af5cb6598ac075a777469f5b3004e484c93d546594ebafbad0d16de5fa9
Instruction Fuzzy Hash: 27F0FC31E007156BC3312B306D095AE3B509B45B717150B3EF441952B0DBA84C41879D

Function 00482CC1 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(00000000,?,?,004831CE,00000000,00000001), ref: 00482CCD
GlobalHandle.KERNEL32(005F2680), ref: 00482CF5
GlobalUnlock.KERNEL32(00000000), ref: 00482CFE
GlobalFree.KERNEL32(00000000), ref: 00482D05
DeleteCriticalSection.KERNEL32(004C9288,?,?,004831CE,00000000,00000001), ref: 00482D0F

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Global$Free$CriticalDeleteHandleSectionUnlock
String ID:
API String ID: 2159622880-0
Opcode ID: 69a246f65ea89de733206a86431e333a5942b2134998e9001e14201ddf34a85b
Instruction ID: 51808bd88055fd229fdace20dd8041fc44e81c657b9e5a86de594d38c6ee3710
Opcode Fuzzy Hash: 69a246f65ea89de733206a86431e333a5942b2134998e9001e14201ddf34a85b
Instruction Fuzzy Hash: ECF05435200A006BD7216B38ED0CA7F76ADAF8572171D0D5DF411D3260DB68DC018768

Function 00413DE0 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 291COMMON

Download Yara Rule

Strings

`qA, xrefs: 00414192
<, xrefs: 0041416A

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: <$`qA
API String ID: 0-4069222498
Opcode ID: cc46046899b9763fc92280ce1d939aa2135b0fcc199db0feaddef225f0393dd6
Instruction ID: 0f84249c8228c0592ffc857b299596bfa74f21fc84ac9bae7d40ab4ebbdb9fa1
Opcode Fuzzy Hash: cc46046899b9763fc92280ce1d939aa2135b0fcc199db0feaddef225f0393dd6
Instruction Fuzzy Hash: E4B194716083419FC724CF24C884AABB7E5BFD5311F148A2EF59AD7390DB38D9858B86

Function 0047490E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00470484: InitializeCriticalSection.KERNEL32(00000000,?,?,?,0046A88D,00000009,?,?,00000000), ref: 004704C1
Part of subcall function 00470484: EnterCriticalSection.KERNEL32(?,?,?,0046A88D,00000009,?,?,00000000), ref: 004704DC

Part of subcall function 004704E5: LeaveCriticalSection.KERNEL32(?,0046AA02,00000009,0046A9EE,?,?,00000000,?,?), ref: 004704F2

GetTimeZoneInformation.KERNEL32(0000000C,?,?,?,0000000B,0000000B,?,004748E9,0047518F,?,?,?,?,0046C898,?,?), ref: 0047495C
WideCharToMultiByte.KERNEL32(00000220,004C9894,000000FF,0000003F,00000000,?,?,004748E9,0047518F,?,?,?,?,0046C898,?,?), ref: 004749F2
WideCharToMultiByte.KERNEL32(00000220,004C98E8,000000FF,0000003F,00000000,?,?,004748E9,0047518F,?,?,?,?,0046C898,?,?), ref: 00474A2B

Strings

>K, xrefs: 00474A3E, 00474B71, 00474B7F

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
String ID: >K
API String ID: 3442286286-1157240825
Opcode ID: 6ee06fc0a788278563e8cdf125eeafb4b6bfed1a5dd2392f83eaec5ee37e66b8
Instruction ID: 3b62364e7c39c00df267cb68f0723ac8ab53d5b31ee7a366fcf42c074b0dd946
Opcode Fuzzy Hash: 6ee06fc0a788278563e8cdf125eeafb4b6bfed1a5dd2392f83eaec5ee37e66b8
Instruction Fuzzy Hash: 1F61E871944140EFDB219F2AEC45BBA7BE8A786314F14423FE148872A1D778DE82CB5D

Function 0040FB30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00413350: GetCurrentThreadId.KERNEL32 ref: 00413375
Part of subcall function 00413350: IsWindow.USER32(0001043C), ref: 00413391
Part of subcall function 00413350: SendMessageA.USER32(0001043C,000083E7,?,00000000), ref: 004133AA
Part of subcall function 00413350: ExitProcess.KERNEL32 ref: 004133BF

DeleteCriticalSection.KERNEL32(004C11C0,?,?,?,?,?,?,?,?,0041AAED), ref: 0040FB6A

Part of subcall function 0047B616: __EH_prolog.LIBCMT ref: 0047B61B

Strings

!, xrefs: 0040FB58
`qA, xrefs: 0040FB7B, 0040FC4F, 0040FC65, 0040FC7B, 0040FC91, 0040FCA7, 0040FCBD, 0040FCD3, 0040FCE9, 0040FD2F, 0040FD45, 0040FD5B, 0040FD71, 0040FD87, 0040FD9D, 0040FDB3, 0040FDF6
#, xrefs: 0040FDE3

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CriticalCurrentDeleteExitH_prologMessageProcessSectionSendThreadWindow
String ID: !$#$`qA
API String ID: 2888814780-3196204378
Opcode ID: 4f9ec489ba339a394e208f3cc46aca9a8b76c606cddf6ef6d9168441bce0f810
Instruction ID: 0f49e23084adde7a3cd5e9f9971013485d6aebdabe4cb87690844ae8ca756b0f
Opcode Fuzzy Hash: 4f9ec489ba339a394e208f3cc46aca9a8b76c606cddf6ef6d9168441bce0f810
Instruction Fuzzy Hash: BB914F701087818ED312EF75C4847DABFD4AFA5309F14489EE4D607292DBB9624CCBB6

Function 0042F9C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0042F9FF
CreateFontIndirectA.GDI32(00000028), ref: 0042FA68
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0042FAAF

Strings

(, xrefs: 0042FA54

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CreateExtentFontIndirectPoint32Textwsprintf
String ID: (
API String ID: 3175173087-3887548279
Opcode ID: fd3880daaf16214587546872c848211a904d3c84e5d7aa701d9879eae4a6bc9e
Instruction ID: a1212eed3deb283623f65f10f304c6fa08358b5dbace9e3c8667e7c06769ec55
Opcode Fuzzy Hash: fd3880daaf16214587546872c848211a904d3c84e5d7aa701d9879eae4a6bc9e
Instruction Fuzzy Hash: E551B4712043458FC324DF28D884B6FB7E5FB88304F544A2EE59A83381DBB5AD09CB96

Function 00426750 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

`qA, xrefs: 004268EF
, xrefs: 00426789

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: $`qA
API String ID: 0-1469780705
Opcode ID: 69a78eb0f2aafab879b428fb2b81d1110be4c026bf6ff0f9a41d365e43d2ec7f
Instruction ID: d0a91ba8cdd718c34c82a0afd0b60f472bdf3a894c158c74e1ae371419308dae
Opcode Fuzzy Hash: 69a78eb0f2aafab879b428fb2b81d1110be4c026bf6ff0f9a41d365e43d2ec7f
Instruction Fuzzy Hash: 6551BF716043519BC314EF15D891B6BB7A8FF84318F40062EF94293290DB38ED45CB5A

Function 00420DE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 00420ECC
__ftol.LIBCMT ref: 00420F03
__ftol.LIBCMT ref: 00420F39

Strings

,B, xrefs: 00420F08

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: __ftol
String ID: ,B
API String ID: 495808979-2265382243
Opcode ID: dad2058a0b9a45e96445fafb51a653219d1f3351f07c00621d86043876724f21
Instruction ID: 7b675cdd50a5c454c00d48002e998ad6fde75a7aeb35dfecbc6d005c783c5d4b
Opcode Fuzzy Hash: dad2058a0b9a45e96445fafb51a653219d1f3351f07c00621d86043876724f21
Instruction Fuzzy Hash: ED41F3326093128FC300CF29D4846AA7BE1FF98348F65897EE0858B353D735C94ACB86

Function 0047F341 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 0047F35D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 0047F3B0
GlobalUnlock.KERNEL32(?), ref: 0047F447

Strings

@, xrefs: 0047F39A

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Global$ByteCharLockMultiUnlockWide
String ID: @
API String ID: 231414890-2766056989
Opcode ID: 8b724904a5d4f69d97ed264a6a6e376cf022503fd6eeccf8054d2e548826b13c
Instruction ID: 1d908b292a53379040e8a3b62e2b3db562197ec61f2bfc4ba7b685cdd1b57204
Opcode Fuzzy Hash: 8b724904a5d4f69d97ed264a6a6e376cf022503fd6eeccf8054d2e548826b13c
Instruction Fuzzy Hash: 2E41B671800215EBCB11DF64D8859EF7BB4FF44354F14C57AE819AB294D3389A4ACB98

Function 004176B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

DestroyCursor.USER32(?), ref: 00417709
DestroyCursor.USER32(?), ref: 0041773E
DestroyCursor.USER32(?), ref: 0041774B

Strings

`qA, xrefs: 00417772, 004177B9, 004177CC, 004177DF

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CursorDestroy
String ID: `qA
API String ID: 1272848555-2154376067
Opcode ID: 20d2de12bede6edc501cc2759cd67657be5b0be2cf6a69c28c952344d53c4c72
Instruction ID: 167886686d2894280e2133d4a55aaaff58bfd709142c159d7e851318de47da02
Opcode Fuzzy Hash: 20d2de12bede6edc501cc2759cd67657be5b0be2cf6a69c28c952344d53c4c72
Instruction Fuzzy Hash: B441A3715097818BC311FF29C48468AFBE4BF49308F444A2EE5DA53781D77CA908CB6A

Function 00411DE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00411E29
GetTickCount.KERNEL32 ref: 00411E6E

Strings

@FK, xrefs: 00411DF1
@FK, xrefs: 00411EDF

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CountTick
String ID: @FK$@FK
API String ID: 536389180-933424924
Opcode ID: 23953910bab1882ba5c5fd07e55df32964cd0c2ef6486cee5887670548f4e2d5
Instruction ID: e8a5331e8418bd79e99699b4d3845a6c34f1f009555cecc7b731965b427fcc8a
Opcode Fuzzy Hash: 23953910bab1882ba5c5fd07e55df32964cd0c2ef6486cee5887670548f4e2d5
Instruction Fuzzy Hash: 5631C7B26003054BC610DF69AC40AABB79DE7E1314F10463FEE1183762D7B9AC9586AD

Function 004264E2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96COMMON

Download Yara Rule

Strings

`qA, xrefs: 004265EA
, xrefs: 00426525

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID: $`qA
API String ID: 0-1469780705
Opcode ID: 8f1489c8fb28751b9200734f0400abc553c13a24d66e4f02d9439418a6af492f
Instruction ID: 2e1533b9e97195f25ab7a542451406e1edcf2ce5a5983e92506eb03eab5fecd5
Opcode Fuzzy Hash: 8f1489c8fb28751b9200734f0400abc553c13a24d66e4f02d9439418a6af492f
Instruction Fuzzy Hash: FC315971208250AFC714DF24D854B6BBBF8FB94724F404A2EF996932D0E738D945CB5A

Function 00414FA7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyCursor.USER32(?), ref: 00415014
GetCursorPos.USER32(?), ref: 0041507E
SetCursorPos.USER32(?,?), ref: 0041508E

Part of subcall function 0041C5B0: LoadCursorA.USER32(?,00000408), ref: 0041C623

Strings

`qA, xrefs: 004154A6

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Cursor$DestroyLoad
String ID: `qA
API String ID: 2444745639-2154376067
Opcode ID: 41db6674de6370eeae06002d5a88aae4aec966edf34d5120a84aad9d862ed5da
Instruction ID: 151b3238402bc6f42ca3423d9b42e32fef60601bb972a4b87b38caab1ed9316c
Opcode Fuzzy Hash: 41db6674de6370eeae06002d5a88aae4aec966edf34d5120a84aad9d862ed5da
Instruction Fuzzy Hash: 3031A7B16047009FC710EFA5DC85E9B7BE8ABC9355F04092EF54593341EB38D945CB6A

Function 004835D2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 004835DE
LoadBitmapA.USER32(00000000,00007FE3), ref: 004836A5

Strings

, xrefs: 004835ED
,]I, xrefs: 0048365E

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: BitmapCheckDimensionsLoadMarkMenu
String ID: $,]I
API String ID: 2557599799-435258841
Opcode ID: bdf8aae82119c4b04409050241c89008ac461086e585c4dce00c34c745e27b01
Instruction ID: 6e39f7c008f2a0f0ac006ced3b77c424394f1f8d44151308106cc4c084c09a7c
Opcode Fuzzy Hash: bdf8aae82119c4b04409050241c89008ac461086e585c4dce00c34c745e27b01
Instruction Fuzzy Hash: 3D213632E00215BFDB109F78DC89BAE7BB4EB44701F0445A6E905EB282D7349A448B84

Function 004353E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00477728: __EH_prolog.LIBCMT ref: 0047772D
Part of subcall function 00477728: lstrcpynA.KERNEL32(?,?,00000104), ref: 0047781A

Part of subcall function 004778C2: lstrlenA.KERNEL32(?,?,?,0000000C,?,?,0041EF79,?,-00000001,00000000,?,?,?,004A9B70), ref: 004778CC
Part of subcall function 004778C2: GetFocus.USER32 ref: 004778E7
Part of subcall function 004778C2: IsWindowEnabled.USER32(?), ref: 00477910
Part of subcall function 004778C2: EnableWindow.USER32(?,00000000), ref: 00477922
Part of subcall function 004778C2: EnableWindow.USER32(?,00000001), ref: 0047796B
Part of subcall function 004778C2: IsWindow.USER32(?), ref: 00477971
Part of subcall function 004778C2: SetFocus.USER32(?), ref: 0047797F

Part of subcall function 0047799D: __EH_prolog.LIBCMT ref: 004779A2
Part of subcall function 0047799D: GetParent.USER32(?), ref: 004779DF
Part of subcall function 0047799D: SendMessageA.USER32(?,00000464,00000104,00000000), ref: 00477A07
Part of subcall function 0047799D: GetParent.USER32(?), ref: 00477A30
Part of subcall function 0047799D: SendMessageA.USER32(?,00000465,00000104,00000000), ref: 00477A4D

Part of subcall function 0047D886: SetWindowTextA.USER32(?,0041D6DA), ref: 0047D894

Part of subcall function 004795AE: InterlockedDecrement.KERNEL32(-000000F4), ref: 004795C2

SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 0043548D
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0043549C

Part of subcall function 0047D9C1: SetFocus.USER32(?,00481B76), ref: 0047D9CB

Strings

prn, xrefs: 0043540E
out.prn, xrefs: 00435409

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$MessageSend$Focus$EnableH_prologParent$DecrementEnabledInterlockedTextlstrcpynlstrlen
String ID: out.prn$prn
API String ID: 3571112515-3109735852
Opcode ID: 7f2e6af7820ea54bfbb05b9530c4d88d76a07a4d2538f004d2119e2c3baf7476
Instruction ID: cc08a611c015d55d368aae8af74a912a787ebce21990a26530c2db228d51c863
Opcode Fuzzy Hash: 7f2e6af7820ea54bfbb05b9530c4d88d76a07a4d2538f004d2119e2c3baf7476
Instruction Fuzzy Hash: 6121A171148340ABD334EB14CC86FDFB7E4AB95724F108A1EB5A9562D2CBBC5448CB97

Function 004602B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 004612B0: lstrlenA.KERNEL32(?,?,?,00460E96,?), ref: 004612BE
Part of subcall function 004612B0: GlobalAlloc.KERNEL32(00000040,00000001), ref: 004612CD
Part of subcall function 004612B0: lstrcpyA.KERNEL32(00000000,?), ref: 004612DB

__ftol.LIBCMT ref: 00460320
IsWindow.USER32(?), ref: 00460333
IsWindow.USER32(?), ref: 0046035B

Strings

xrL, xrefs: 004602D6

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$AllocGlobal__ftollstrcpylstrlen
String ID: xrL
API String ID: 2253332874-3351311925
Opcode ID: ac6d935e04aa519c7c4f2660289648b1ea40311c320a53640490881ba09f10b5
Instruction ID: 1c105810f421e6d341a5947f5e3a74830ed2038f15811a6aecb33357e9871abb
Opcode Fuzzy Hash: ac6d935e04aa519c7c4f2660289648b1ea40311c320a53640490881ba09f10b5
Instruction Fuzzy Hash: 2A21E271A187019FC710DF5AC98096BB7F4BBC9711F00892EF99993350EB74D9448B9B

Function 004163D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(?,WTWindow,00000000), ref: 004163F8
LoadCursorA.USER32(00000000,00007F00), ref: 00416409
GetStockObject.GDI32(00000005), ref: 00416413

Strings

WTWindow, xrefs: 004163EC, 004163F6

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ClassCursorInfoLoadObjectStock
String ID: WTWindow
API String ID: 1762135420-3503404378
Opcode ID: b3bbda6aa73549e15f5b7550d791e83d4909a29e8a9bef50ca15dc2aecbb6155
Instruction ID: f6fe1ce60afe76ca3587c8db00336dd44c974a9fd06a83a019a65f3e2eeb1baa
Opcode Fuzzy Hash: b3bbda6aa73549e15f5b7550d791e83d4909a29e8a9bef50ca15dc2aecbb6155
Instruction Fuzzy Hash: 9411CE70908340AFC300EF2A8C8095FFBE8FF88758F44082EF98883211D738D9458B5A

Function 00480A42 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 00480A53
GetClassNameA.USER32(00000000,?,0000000A), ref: 00480A6E
lstrcmpiA.KERNEL32(?,combobox), ref: 00480A7D

Strings

combobox, xrefs: 00480A77

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: 12ca29b0c5adae67ace49170d402a69135176168ca218f2249443cd9af781bfb
Instruction ID: 6e1a025b8dca27c5d703e90bcc0000476e2182b3fb094f2bfead9501fb030303
Opcode Fuzzy Hash: 12ca29b0c5adae67ace49170d402a69135176168ca218f2249443cd9af781bfb
Instruction Fuzzy Hash: 08E06532564209BFDF51AF64CC49AAE3BB8AB11341F148931B422D51D0D774DA498B59

Function 0046DFFE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0046919E), ref: 0046E003
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0046E013

Strings

IsProcessorFeaturePresent, xrefs: 0046E00D
KERNEL32, xrefs: 0046DFFE

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 86d7233a25eaea4adbd71e0e7575f33de9d22f6d433f8ff969229f298a27a155
Instruction ID: 7b8e53e0d9ece1da808ffa2ac1c64418a1ed249a17d887059e0e9e79a7ab5e22
Opcode Fuzzy Hash: 86d7233a25eaea4adbd71e0e7575f33de9d22f6d433f8ff969229f298a27a155
Instruction Fuzzy Hash: 46C012B074030065DD2017B20C49B2A15886B08B41F2944367403D10C0EBACD801952E

Function 0046BC26 Relevance: 6.5, APIs: 5, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76394fbb887ed4fd1d9531face7d767d19a0ef70ea1b3f0f73628bb90bd5957f
Instruction ID: bd24462b8a2f9b4d36ec9dba7b0a2a3047381aaec21ea60921d03a339632ee3f
Opcode Fuzzy Hash: 76394fbb887ed4fd1d9531face7d767d19a0ef70ea1b3f0f73628bb90bd5957f
Instruction Fuzzy Hash: B191E771D00514AACF21EB69DD859DE7BB9EB04360F244527F814F62A1F7398D80CBAE

Function 004722AC Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,004B1C30,004B1C30,?,?,00472778,?,00000010,00000000,00000009,00000009,?,0046A9E1,00000010,?), ref: 004722CD
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00472778,?,00000010,00000000,00000009,00000009,?,0046A9E1,00000010,?), ref: 004722F1
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00472778,?,00000010,00000000,00000009,00000009,?,0046A9E1,00000010,?), ref: 0047230B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00472778,?,00000010,00000000,00000009,00000009,?,0046A9E1,00000010,?,?), ref: 004723CC
HeapFree.KERNEL32(00000000,00000000,?,?,00472778,?,00000010,00000000,00000009,00000009,?,0046A9E1,00000010,?,?,00000000), ref: 004723E3

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 8d88ec8f04ee3c92696e54bbfa11b3518e6857418e199dc97046f24f468d3039
Instruction ID: 4d2ae326dff7f2e96d0400087c98b526f8f7dd44e93b85d8ee70f6a61def0ee4
Opcode Fuzzy Hash: 8d88ec8f04ee3c92696e54bbfa11b3518e6857418e199dc97046f24f468d3039
Instruction Fuzzy Hash: DE31E4715817069BD3308F35ED84BA67BE0EB44754F108A3AE959973E0DBB8A844C75C

Function 004252F0 Relevance: 6.2, APIs: 4, Instructions: 246COMMON

Download Yara Rule

APIs

midiStreamOpen.WINMM(?,?,00000001,00425920,?,00030000,?,?,?,00000000), ref: 0042531B
midiStreamProperty.WINMM ref: 00425402
midiOutPrepareHeader.WINMM(?,?,00000040,00000001,?,?,?,?,00000000), ref: 00425550

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: midi$Stream$HeaderOpenPrepareProperty
String ID:
API String ID: 2061886437-0
Opcode ID: 61543eec6b77253f92fa13e58876adc1a4369850e030e2296f092140304f28dd
Instruction ID: e0b98e65116212f226c272a415ae1a1f5713bfd7f4af2b30799fee83e169c693
Opcode Fuzzy Hash: 61543eec6b77253f92fa13e58876adc1a4369850e030e2296f092140304f28dd
Instruction Fuzzy Hash: 8AA15A713006158FC724DF28E894BAAB7E6FB84304F90892EE686C7751EB35F959CB44

Function 00423430 Relevance: 6.2, APIs: 4, Instructions: 211windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004800B5: __EH_prolog.LIBCMT ref: 004800BA
Part of subcall function 004800B5: BeginPaint.USER32(?,?,?,?,004072F9), ref: 004800E3

GetClientRect.USER32(?,?), ref: 004234D6
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0042352B
__ftol.LIBCMT ref: 00423610
__ftol.LIBCMT ref: 0042361D

Part of subcall function 00436A60: GetClientRect.USER32(?,?), ref: 00436A87
Part of subcall function 00436A60: __ftol.LIBCMT ref: 00436B5E
Part of subcall function 00436A60: __ftol.LIBCMT ref: 00436B71

Part of subcall function 0047FCB6: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0047FCDA
Part of subcall function 0047FCB6: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0047FCF0

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Rect__ftol$ClientClipExclude$BeginH_prologPaint
String ID:
API String ID: 3882505602-0
Opcode ID: b07872ad0f67b93ee433aee1493448007b30240ff7f1e8f6f87ddd2adc7579f3
Instruction ID: a920499b310e01acc6912d264b204aeccf76397a0ef47da955ce014fb634d1de
Opcode Fuzzy Hash: b07872ad0f67b93ee433aee1493448007b30240ff7f1e8f6f87ddd2adc7579f3
Instruction Fuzzy Hash: 69719F716047019FC314DF69D880A6BBBF9FBC8700F548A2EF19983251EB38E9458B46

Function 00473B28 Relevance: 6.2, APIs: 4, Instructions: 170fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(000001D0,000001D0,00000000,000001D0,00000000,00000000,00000000,00000000), ref: 00473BA2
GetLastError.KERNEL32 ref: 00473BAC
ReadFile.KERNEL32(?,?,00000001,000001D0,00000000), ref: 00473C72
GetLastError.KERNEL32 ref: 00473C7C

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: a6bffc87a8a3f5489d3f14ccab272de1915ebd9443006a3ef3ff9c2ae157c59b
Instruction ID: 1acf063d8ccd79079a5ccaa4e01863b4aa9dd99cf04da93ff8803c63c1249275
Opcode Fuzzy Hash: a6bffc87a8a3f5489d3f14ccab272de1915ebd9443006a3ef3ff9c2ae157c59b
Instruction Fuzzy Hash: 4251F832604385DFDF228F58C884BE97BB0AF01305F54849BE85AAB351D3789B45EB59

Function 0040AB60 Relevance: 6.2, APIs: 4, Instructions: 169windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004800B5: __EH_prolog.LIBCMT ref: 004800BA
Part of subcall function 004800B5: BeginPaint.USER32(?,?,?,?,004072F9), ref: 004800E3

Part of subcall function 0047FC66: GetClipBox.GDI32(?,?), ref: 0047FC6D

IsRectEmpty.USER32(?), ref: 0040ABA6
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0040AC2D
GetCurrentObject.GDI32(?,00000006), ref: 0040ACBA
GetClientRect.USER32(?,?), ref: 0040AD2C

Part of subcall function 00480127: __EH_prolog.LIBCMT ref: 0048012C
Part of subcall function 00480127: EndPaint.USER32(?,?,?,?,00407373), ref: 00480149

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: H_prologPaintRect$BeginClientClipCurrentEmptyObject
String ID:
API String ID: 3717962522-0
Opcode ID: 30acdb299a8d522335e6dbe7cf22bf326e575715ab39bb1f952ad12e7c15b3bb
Instruction ID: f183fb362373c4b5119b4969df68e29e6122a8d92c09d18d2caa5de83d6bb28c
Opcode Fuzzy Hash: 30acdb299a8d522335e6dbe7cf22bf326e575715ab39bb1f952ad12e7c15b3bb
Instruction Fuzzy Hash: FF615C711087419FD324EF65C885FAFB7E8AB98714F004D2EF59A83281DB38A909CB56

Function 004374D0 Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0043750E
GetDC.USER32(?), ref: 00437672
ReleaseDC.USER32(?,?), ref: 00437696
DeleteObject.GDI32(?), ref: 004376C8

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: DeleteObject$Release
String ID:
API String ID: 2600533906-0
Opcode ID: 817887e0efb02423c48d5fc9d68076a814764f6b3c0f794155e6c936cf4fac06
Instruction ID: ee81ed8409d5f672d7e31410947c5b3d29f133216747d69aa401cc9187bfc048
Opcode Fuzzy Hash: 817887e0efb02423c48d5fc9d68076a814764f6b3c0f794155e6c936cf4fac06
Instruction Fuzzy Hash: 22516EB1A042049BDF24DF28C484BDA7BE5BB58314F0885BAEC49CF746DB349905CB65

Function 00410CF0 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00410D64
GetParent.USER32(?), ref: 00410DB4
IsWindow.USER32(?), ref: 00410DD4
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 00410E4F

Part of subcall function 0047D958: ShowWindow.USER32(?,?,0047E51C,?,?,?,00000363,00000001,00000000,?,?,?,0047DD7D,?), ref: 0047D966

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$ParentShow
String ID:
API String ID: 2052805569-0
Opcode ID: 84843ae5d6c90919440092d7eef98d971eea53257bb5d68b0477ede0e21c5201
Instruction ID: 82530bad38c7ee4af68347e6c9b2adbf5295c210afd1655b0ea06ace4e81a8ed
Opcode Fuzzy Hash: 84843ae5d6c90919440092d7eef98d971eea53257bb5d68b0477ede0e21c5201
Instruction Fuzzy Hash: 5A4191727403019BD710DE629C81BEBB3A8AF84754F04492EFD499B381D7B8EC8587A9

Function 00406100 Relevance: 6.1, APIs: 4, Instructions: 144windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047D97F: IsWindowEnabled.USER32(?), ref: 0047D989

IsWindowVisible.USER32(?), ref: 0040613A

Part of subcall function 0047B952: GetWindowTextLengthA.USER32(?), ref: 0047B95F
Part of subcall function 0047B952: GetWindowTextA.USER32(?,00000000,00000000), ref: 0047B977

Part of subcall function 004781A9: SendMessageA.USER32(?,00000466,00000000,00000000), ref: 004781B5

wsprintfA.USER32 ref: 004061D4
SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 00406200
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0040620F

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$MessageSend$Text$EnabledLengthVisiblewsprintf
String ID:
API String ID: 1914814478-0
Opcode ID: dd89e817d66685bb635b31b22ef4487bab6a5c18a83dd4a1e6a8d727976789ae
Instruction ID: 5ebc1f54685a6487765b5dbc13dc578351af34e0452f5b96df88f3582b221f17
Opcode Fuzzy Hash: dd89e817d66685bb635b31b22ef4487bab6a5c18a83dd4a1e6a8d727976789ae
Instruction Fuzzy Hash: C05157B56087019FD324DF14C981B9BB7F5FB88710F10892EE59A9B780DB78E805CB96

Function 00473938 Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 004739FF

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 8e2e8d9ad5fb746a411bf0b85824f9f0f31cad1bc1da897e2c5a235e1b2d372e
Instruction ID: 8247dee79cadb572db36e7599bae556e64e69ecf91fd9352a004280c273afec3
Opcode Fuzzy Hash: 8e2e8d9ad5fb746a411bf0b85824f9f0f31cad1bc1da897e2c5a235e1b2d372e
Instruction Fuzzy Hash: D951A071A00208EFCB12CF68C885ADE7BB0FF40341F24C5AAE8599B251D734DB80EB59

Function 00460450 Relevance: 6.1, APIs: 4, Instructions: 132windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004800B5: __EH_prolog.LIBCMT ref: 004800BA
Part of subcall function 004800B5: BeginPaint.USER32(?,?,?,?,004072F9), ref: 004800E3

LoadBitmapA.USER32(?,00000068), ref: 004604D8

Part of subcall function 004802B2: __EH_prolog.LIBCMT ref: 004802B7
Part of subcall function 004802B2: CreateSolidBrush.GDI32(?), ref: 004802D4

GetObjectA.GDI32(00000000,00000018,?), ref: 0046050A

Part of subcall function 0047F7F6: SelectObject.GDI32(?,?), ref: 0047F7FE

GetClientRect.USER32(?,?), ref: 00460532
FillRect.USER32(?,?,?), ref: 00460551

Part of subcall function 0048024C: DeleteObject.GDI32(00000000), ref: 0048025B

Part of subcall function 0047F733: __EH_prolog.LIBCMT ref: 0047F738
Part of subcall function 0047F733: DeleteDC.GDI32(00000000), ref: 0047F757

Part of subcall function 00480127: __EH_prolog.LIBCMT ref: 0048012C
Part of subcall function 00480127: EndPaint.USER32(?,?,?,?,00407373), ref: 00480149

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: H_prolog$Object$DeletePaintRect$BeginBitmapBrushClientCreateFillLoadSelectSolid
String ID:
API String ID: 118895722-0
Opcode ID: bebbe8c540588ed4adcfeca33e74913de54eb405ec6fe8ec9ebf33457bd72148
Instruction ID: 8ce81e1ea4f2bb3ae246746caa3702dd33dd455aafc96974f7180f6fdabee07e
Opcode Fuzzy Hash: bebbe8c540588ed4adcfeca33e74913de54eb405ec6fe8ec9ebf33457bd72148
Instruction Fuzzy Hash: AA516E711087819FC354EF68C845FAFB7E9AB84704F048E2DB49983291DB78D909CB56

Function 0042F2A0 Relevance: 6.1, APIs: 4, Instructions: 108windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0042F314
SendMessageA.USER32(?,000000B1,?,000000FF), ref: 0042F36D
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0042F37C
SendMessageA.USER32(?,000000C2,00000000,?), ref: 0042F3AA

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend$Window
String ID:
API String ID: 2326795674-0
Opcode ID: f194c30f1e16a95647179e6e841bb6ea9e7dd32ff7ddc1d31c070e89750dab95
Instruction ID: 7f1b9d3759b3f9f661b871e4f5fb849a4089867c74bd9531fe2807a78b27cae9
Opcode Fuzzy Hash: f194c30f1e16a95647179e6e841bb6ea9e7dd32ff7ddc1d31c070e89750dab95
Instruction Fuzzy Hash: 7F41C4722487519BD320DB19D840B5BB7E4EB99710F848B3EF995877D1C3789808CB9A

Function 004429D0 Relevance: 6.1, APIs: 4, Instructions: 100windowCOMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(?), ref: 00442A5A
SendMessageA.USER32(?,00000030,00000000,00000000), ref: 00442A9E
SendMessageA.USER32(?,000000B1,?,000000FF), ref: 00442AD4
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00442AE3

Part of subcall function 0047D886: SetWindowTextA.USER32(?,0041D6DA), ref: 0047D894

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend$BrushCreateSolidTextWindow
String ID:
API String ID: 3501373727-0
Opcode ID: 78a802c93e93361d6847462865fe1a468280fec9811c73680bc5b6ed400ae8ba
Instruction ID: cb44456e70a89e52dc94081b468a876b0343223f111d37cfdaa9f9d287eda42e
Opcode Fuzzy Hash: 78a802c93e93361d6847462865fe1a468280fec9811c73680bc5b6ed400ae8ba
Instruction Fuzzy Hash: D9315AB06047009FD324DF19C851B2AFBE5FB88B14F508A1EF99697791CBB8E804CB59

Function 00420FF0 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0042105F

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: DeleteObject
String ID:
API String ID: 1531683806-0
Opcode ID: 643f5c7eb38c34306f4343831edfd88ea8513947aafef1412ac6fa2230cde20f
Instruction ID: 1687c0b3834b3bc6ca7da9144fb0e796f379a4a227af30385a9a086fcc1b9253
Opcode Fuzzy Hash: 643f5c7eb38c34306f4343831edfd88ea8513947aafef1412ac6fa2230cde20f
Instruction Fuzzy Hash: 433190762047419FC314DF29D880F6BB7F8FB88724F148A2EF55A83291C738A805CB66

Function 00481020 Relevance: 6.1, APIs: 4, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00481198: GetParent.USER32(?), ref: 004811CB
Part of subcall function 00481198: GetLastActivePopup.USER32(?), ref: 004811DA
Part of subcall function 00481198: IsWindowEnabled.USER32(?), ref: 004811EF
Part of subcall function 00481198: EnableWindow.USER32(?,00000000), ref: 00481202

SendMessageA.USER32(?,00000376,00000000,00000000), ref: 00481056
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 004810C4
MessageBoxA.USER32(00000000,?,?,00000000), ref: 004810D2
EnableWindow.USER32(00000000,00000001), ref: 004810EE

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 1958756768-0
Opcode ID: fdc812f7fd9eb0a057e11d6250f7bab1db41701771153c49ac0d13c29d9a22b4
Instruction ID: a091b305e8cbfa495683ccc09df73e8f358499aecf8af829f50390cd154fe4a7
Opcode Fuzzy Hash: fdc812f7fd9eb0a057e11d6250f7bab1db41701771153c49ac0d13c29d9a22b4
Instruction Fuzzy Hash: AD21A272A00248AFDB20AF94CCC1AEEB7BDEB05744F14482BE611E76A0C7759DC6DB54

Function 0047DB71 Relevance: 6.1, APIs: 4, Instructions: 85stringtimeCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(0047DB6D,?,00000104,?,?,?,?,?,?,?,0047DB5B,?), ref: 0047DB9B
GetFileTime.KERNEL32(00000000,0047DB5B,?,?,?,?,?,?,?,?,?,0047DB5B,?), ref: 0047DBBC
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0047DB5B,?), ref: 0047DBCB
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,0047DB5B,?), ref: 0047DBEC

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID:
API String ID: 1499663573-0
Opcode ID: 322663d28eb38bd9be0d7bb8405e218260f316260936b06e6f6c8ee0836eee7f
Instruction ID: b8232c67c9ae0b42d87f5594a415faa647223c08f5cb34f875fe219af54b3055
Opcode Fuzzy Hash: 322663d28eb38bd9be0d7bb8405e218260f316260936b06e6f6c8ee0836eee7f
Instruction Fuzzy Hash: 6A318EB2910605AFD721DF60C885EEBBBF8BF14310F10892EF15AC7280E774A984CB94

Function 0040C950 Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

GetMessagePos.USER32 ref: 0040C9E8
ScreenToClient.USER32(?,?), ref: 0040CA0A
ChildWindowFromPointEx.USER32(?,?,?,00000005), ref: 0040CA20
GetFocus.USER32 ref: 0040CA2B

Part of subcall function 0047D9C1: SetFocus.USER32(?,00481B76), ref: 0047D9CB

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Focus$ChildClientFromMessagePointScreenWindow
String ID:
API String ID: 3117237277-0
Opcode ID: 5975d4a064bfaa1799d6e604c203a2ff46c146a9baeb621c372b01db8b0a635b
Instruction ID: 6335d6125088e774ff7b81a89a2a27afb8c658c8302ad07434909f01273f7f9e
Opcode Fuzzy Hash: 5975d4a064bfaa1799d6e604c203a2ff46c146a9baeb621c372b01db8b0a635b
Instruction Fuzzy Hash: 2D21A271300606ABD614EB64DC81F6FB3A9AFC0704F04892EF945976C1DB38E956CB9A

Function 00469043 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00469069

Part of subcall function 0046DDC5: HeapCreate.KERNELBASE(00000000,00001000,00000000,004690A1,00000001), ref: 0046DDD6
Part of subcall function 0046DDC5: HeapDestroy.KERNEL32 ref: 0046DE15

GetCommandLineA.KERNEL32 ref: 004690C9
GetStartupInfoA.KERNEL32(?), ref: 004690F4
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00469117

Part of subcall function 00469170: ExitProcess.KERNEL32 ref: 0046918D

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 488a399134a15b9f486fbc7b33ab2b80fb5bcbb57877bb51bbaad67ebcd0d138
Instruction ID: ffdac6792c62b5005b4da627f487bf7fcc17c16dd5cbb8c81394632b7fcc4456
Opcode Fuzzy Hash: 488a399134a15b9f486fbc7b33ab2b80fb5bcbb57877bb51bbaad67ebcd0d138
Instruction Fuzzy Hash: 702182B1E00715AADB14AFB6DC4ABAD7BA8EF44704F10052FF9059B2A1EB794C40C75A

Function 0040D260 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

StartPage.GDI32(?), ref: 0040D2A5
EndPage.GDI32(?), ref: 0040D2CB

Part of subcall function 0041B260: wsprintfA.USER32 ref: 0041B26F

Part of subcall function 0047D886: SetWindowTextA.USER32(?,0041D6DA), ref: 0047D894

UpdateWindow.USER32(?), ref: 0040D31A
EndPage.GDI32(?), ref: 0040D332

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Page$Window$StartTextUpdatewsprintf
String ID:
API String ID: 104827578-0
Opcode ID: e749e1faa3dfd2999d591c54c9fa0cdddea87afe37f9b22e1bf6c46261039243
Instruction ID: e55d467ac12ddb9cd0fff7e8604f9829a94130fe5a7fbc7705a296fc649280a1
Opcode Fuzzy Hash: e749e1faa3dfd2999d591c54c9fa0cdddea87afe37f9b22e1bf6c46261039243
Instruction Fuzzy Hash: 6B215371A01B009BC7249B7ACC88ADBB7E4EFC5705F148C2EE4AF87250D638A4498B59

Function 004071E0 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetParent.USER32(000000D0), ref: 0040720C
GetParent.USER32(?), ref: 00407221
SetParent.USER32(?,?), ref: 0040723F
GetWindowRect.USER32(?,?), ref: 00407254

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Parent$RectWindow
String ID:
API String ID: 2276825053-0
Opcode ID: 2b75fd9734994d837c629c9cd2d5bed432404dffa992bdcf30f01591d719da55
Instruction ID: 1f927fefc88d8fbf6ff72b8262e4a7f937093d0b85d9cd80ea86a4fb6f43638c
Opcode Fuzzy Hash: 2b75fd9734994d837c629c9cd2d5bed432404dffa992bdcf30f01591d719da55
Instruction Fuzzy Hash: AC1160B16047065BD724DF65D884EBB77ADEB84304F04892EF85593341DA38EC0587B6

Function 00475D84 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 00475DB3
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 00475DC6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 00475E12
CompareStringW.KERNEL32(00452176,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00475E2A

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: eb191ce148f9ef003a080948ac666bb3fe91c9b4c136b2293b28f7d4bdf9bf00
Instruction ID: 46d51756f47d9e775bb3ef2dd7991d95a31f07836308019c2f9d1d3211e178ea
Opcode Fuzzy Hash: eb191ce148f9ef003a080948ac666bb3fe91c9b4c136b2293b28f7d4bdf9bf00
Instruction Fuzzy Hash: 91213432800649AFCF218F94CC459DEBFB1FB48360F14816AFA1976160C3769E62DBA4

Function 0047DD8B Relevance: 6.1, APIs: 4, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 0047DDAB
lstrcmpA.KERNEL32(?,?), ref: 0047DDB7
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0047DDF4
GlobalLock.KERNEL32(00000000), ref: 0047DE01

Part of subcall function 00480C14: GlobalFlags.KERNEL32(?), ref: 00480C1E
Part of subcall function 00480C14: GlobalUnlock.KERNEL32(?), ref: 00480C35
Part of subcall function 00480C14: GlobalFree.KERNEL32(?), ref: 00480C40

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Global$Lock$AllocFlagsFreeUnlocklstrcmp
String ID:
API String ID: 2391069079-0
Opcode ID: 17a8928b905dd055c1e440629452244aadb345570a2da6a13f0d458731b48fe8
Instruction ID: d0365ee765816abd242e126de6fca139d2150510aa2512ae1dd4dcd1e049ebbb
Opcode Fuzzy Hash: 17a8928b905dd055c1e440629452244aadb345570a2da6a13f0d458731b48fe8
Instruction Fuzzy Hash: 65118C71500604BAEB21ABB6CC4AEFF7BBDEF85704F04481EF60995112DA399D419778

Function 00404760 Relevance: 6.1, APIs: 4, Instructions: 63windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000030,?,00000001), ref: 004047BD
SendMessageA.USER32(?,00000030,?,00000001), ref: 004047D6
GetStockObject.GDI32(00000011), ref: 004047E1
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 004047F4

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend$ObjectStock
String ID:
API String ID: 1309931672-0
Opcode ID: c6b2ab42564df399c0fba02afeed551737de560bbcfe527141f20bdf49b0bc43
Instruction ID: 756073fa21c93c2f83d74e3b2355431d6fdee5242aa28a47115b47e000a33480
Opcode Fuzzy Hash: c6b2ab42564df399c0fba02afeed551737de560bbcfe527141f20bdf49b0bc43
Instruction Fuzzy Hash: BE119076314611ABC714DF54E854F6B73A9AFC9B11F04482EF6059B2C0C774EC01C7A5

Function 0040F2A0 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 0040F2AD

Part of subcall function 0040F0E0: IsChild.USER32(?,?), ref: 0040F15D
Part of subcall function 0040F0E0: GetParent.USER32(?), ref: 0040F177

SendMessageA.USER32(00000000,000000F0,00000000,00000000), ref: 0040F306
SendMessageA.USER32(00000000,000000F1,00000000,00000000), ref: 0040F316
GetWindow.USER32(00000000,00000002), ref: 0040F31B

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSendWindow$ChildParent
String ID:
API String ID: 1043810220-0
Opcode ID: 3b3634540b43d770f0b95cf23f070fdacb083530da59ca20b9b77f66b6f5e77b
Instruction ID: 5965e16cd210de5d90c1ef741a238413b80a4d4c970608c3bc94cae0ce3e8807
Opcode Fuzzy Hash: 3b3634540b43d770f0b95cf23f070fdacb083530da59ca20b9b77f66b6f5e77b
Instruction Fuzzy Hash: B801713138171276E23156299C96F6F624C9F45B60F18023ABE00BB6D1DEB8ED0582AD

Function 004344B0 Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004344CB
SendMessageA.USER32(?,000083EB,?,00000000), ref: 004344F5
SendMessageA.USER32(?,000083EC,?,00000000), ref: 00434509
SendMessageA.USER32(?,000083E9,?,00000000), ref: 0043452C

Part of subcall function 0047D8AD: GetDlgCtrlID.USER32(?), ref: 0047D8B7

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID:
API String ID: 1383977212-0
Opcode ID: 2ab9b3d91b3f44e724cd9d1385c78c68ac0ecf206c04657fd192ccef0e1ce265
Instruction ID: e4d2222cfe7a8402338ae5bf298b3aa684304d41a3092ea33df676a4104958a9
Opcode Fuzzy Hash: 2ab9b3d91b3f44e724cd9d1385c78c68ac0ecf206c04657fd192ccef0e1ce265
Instruction Fuzzy Hash: AE0184B57107053BD1107AA58CC1EAFB3ACAFC8B05B04851EF605C7680DE68FC02476D

Function 00479C39 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00479C6D
GetCurrentProcess.KERNEL32(?,00000000), ref: 00479C73
DuplicateHandle.KERNEL32(00000000), ref: 00479C76
GetLastError.KERNEL32(00000000), ref: 00479C90

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: aceee1e804edadb20c8d0d2f03b18847e46e1f4381aaa10ec779bb06ef183cf9
Instruction ID: 01a8815dc1ed2c3090131a86360ec56b586614d8017a62b8ac2db2b4478a9800
Opcode Fuzzy Hash: aceee1e804edadb20c8d0d2f03b18847e46e1f4381aaa10ec779bb06ef183cf9
Instruction Fuzzy Hash: 2E0188717002047FEF119BA6DD49F9A7799EF84710F14856AF60DDB291D674EC008764

Function 0047851C Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32(?,?), ref: 00478534
GetParent.USER32(00000000), ref: 00478541
ScreenToClient.USER32(00000000,?), ref: 00478562
IsWindowEnabled.USER32(00000000), ref: 0047857B

Part of subcall function 00480A42: GetWindowLongA.USER32(00000000,000000F0), ref: 00480A53

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$ClientEnabledFromLongParentPointScreen
String ID:
API String ID: 2204725058-0
Opcode ID: 45b48e1e9a71215ff0f3d2c4501365e289b1e9b8bf3bdca3948cf3991614d693
Instruction ID: 1ccb17546703ffb1ee5a1cbca6c75da934ae048777ddd0f000b3cf514583d594
Opcode Fuzzy Hash: 45b48e1e9a71215ff0f3d2c4501365e289b1e9b8bf3bdca3948cf3991614d693
Instruction Fuzzy Hash: C6017136600A05BBC7065B599C08DAF7BB9AF85B50B19852EF919D3310DF34DE058768

Function 0047C5F1 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 0047C5FC
GetTopWindow.USER32(00000000), ref: 0047C60F
GetTopWindow.USER32(?), ref: 0047C63F
GetWindow.USER32(00000000,00000002), ref: 0047C65A

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: e3f8e3f5d16b39f114beffb3506afe0f5f936b0c379588e989514b9c282181ab
Instruction ID: fd954e8d855a6904b6339a27baf17e4615514f159ac6af976f5c3463fc2eaf53
Opcode Fuzzy Hash: e3f8e3f5d16b39f114beffb3506afe0f5f936b0c379588e989514b9c282181ab
Instruction Fuzzy Hash: 22014F32101626BBDB226F658C84EEF3B599F55B64F04D02EFD08A1210D739CD229A9E

Function 0047C66A Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 0047C678
SendMessageA.USER32(00000000,?,?,?), ref: 0047C6AE
GetTopWindow.USER32(00000000), ref: 0047C6BB
GetWindow.USER32(00000000,00000002), ref: 0047C6D9

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: d3a64eb8254d75f57468c01862a62c80bfa7b9f133ae69613eed2313392b4f44
Instruction ID: bf132b28e294af7c8df817bcb1ac3f8944aceff30eefceae4009622228077db8
Opcode Fuzzy Hash: d3a64eb8254d75f57468c01862a62c80bfa7b9f133ae69613eed2313392b4f44
Instruction Fuzzy Hash: 0A01E93200051ABBCF225F919C85EEF3B2ABF49755F04941AFE0951161C73AC931EBAD

Function 00404800 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000030,?,00000001), ref: 00404831
SendMessageA.USER32(?,00000030,?,00000001), ref: 00404849
GetStockObject.GDI32(00000011), ref: 00404853
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 00404873

Part of subcall function 00404640: CreateFontIndirectA.GDI32 ref: 00404689

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend$CreateFontIndirectObjectStock
String ID:
API String ID: 1613733799-0
Opcode ID: e047942b64bf79b98c7eda19d64eb6606835e1adb6944e2a5c7ef5ba02d9ec9a
Instruction ID: 62ac8df4f5cb603ed02f9ca696b4abff7fb0b5f44a076c9ec7fdee8d773dcf59
Opcode Fuzzy Hash: e047942b64bf79b98c7eda19d64eb6606835e1adb6944e2a5c7ef5ba02d9ec9a
Instruction Fuzzy Hash: 98018076A04210AFCB54EB50EC98F9B33A8AB88750F04885DFB059B2D0C775DD42C794

Function 0047E150 Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,?), ref: 0047E178
GetFocus.USER32 ref: 0047E18B
GetParent.USER32(?), ref: 0047E199
GetNextDlgTabItem.USER32(?,?,00000000), ref: 0047E1B5

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Item$EnableFocusMenuNextParent
String ID:
API String ID: 988757621-0
Opcode ID: 40c512a683061492a237f19506b39ef47c8eef8f4eb70786194060fe617824e2
Instruction ID: ae9987442b3d6cc7edbdfdbbcdd53cc4894672eec666fbb55eb65523002352c4
Opcode Fuzzy Hash: 40c512a683061492a237f19506b39ef47c8eef8f4eb70786194060fe617824e2
Instruction Fuzzy Hash: 4111A5B12006009FDB289F21DC4AFAA77B5EF44314F148A6EF54A865A0C738EC45CB59

Function 004813C4 Relevance: 6.0, APIs: 4, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 004813F0
RegCloseKey.ADVAPI32(00000000,?,?), ref: 004813F9
wsprintfA.USER32 ref: 00481415
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0048142E

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: 72f2062a383e81ec3b224920f2351c8747a8668500aa08c005329aea103c3d4d
Instruction ID: b6bfc428374d53fc9f5bc783a8fa57e1fed9904b936455304b3c489639693843
Opcode Fuzzy Hash: 72f2062a383e81ec3b224920f2351c8747a8668500aa08c005329aea103c3d4d
Instruction Fuzzy Hash: 4B016272400615BBCF116F68DC05FEF3BACAF08B14F08482ABA15961A1E775D921CB98

Function 0047CD59 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 0047CD97
SetBkColor.GDI32(00000000,00000000), ref: 0047CDA3
GetSysColor.USER32(00000008), ref: 0047CDB3
SetTextColor.GDI32(00000000,?), ref: 0047CDBD

Part of subcall function 00480A42: GetWindowLongA.USER32(00000000,000000F0), ref: 00480A53

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: 8f6ef369b361a5af89ba5e27cece5cacd1064b374b93bbc6004af2e29b9896dc
Instruction ID: bd8dd3eae74175c48f38c77f7b565453f553e27b1456f322d7c039b3890c71b6
Opcode Fuzzy Hash: 8f6ef369b361a5af89ba5e27cece5cacd1064b374b93bbc6004af2e29b9896dc
Instruction Fuzzy Hash: FA012836100609AEDF315F64DC89EEE3EA5AF05310F14893AF91AD41E0C738CC98DB99

Function 00435E90 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00435ED3
wsprintfA.USER32 ref: 00435EE9

Strings

gfff, xrefs: 00435E9B
%d.%d, xrefs: 00435EE3

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: wsprintf
String ID: %d.%d$gfff
API String ID: 2111968516-3773932281
Opcode ID: 04fafeda8b50090257bed5a4233cfc629ac9aba4a7c38a0c88417c33235d298f
Instruction ID: 4b57da618bcb66ddabdb4565cd95b7105af1c5c60c54a8d321b0a5352910d0ab
Opcode Fuzzy Hash: 04fafeda8b50090257bed5a4233cfc629ac9aba4a7c38a0c88417c33235d298f
Instruction Fuzzy Hash: D8F0507170464017CB4C961EBC05E2F1696E7ED711F09883FF445C7390C524CC11827A

Function 0047FE7B Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32(?,?), ref: 0047FE8C
GetViewportExtEx.GDI32(?,?), ref: 0047FE99
MulDiv.KERNEL32(?,00000000,00000000), ref: 0047FEBE
MulDiv.KERNEL32(?,00000000,00000000), ref: 0047FED9

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: a4cc4d7375324ba821f02f080d42cffe2a6a8da9537fc44eeafd15aeb8ec4677
Instruction ID: dd850e7332bf959e892ce57c426087c818d2c0a7dd8dd6bafa03af18b4e9b048
Opcode Fuzzy Hash: a4cc4d7375324ba821f02f080d42cffe2a6a8da9537fc44eeafd15aeb8ec4677
Instruction Fuzzy Hash: C9F01D72400509BFEB11ABA1DC098BEBBBDEF44358710442EF89192271EB716D509B58

Function 0047FEE4 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32(?,?), ref: 0047FEF5
GetViewportExtEx.GDI32(?,?), ref: 0047FF02
MulDiv.KERNEL32(?,00000000,00000000), ref: 0047FF27
MulDiv.KERNEL32(?,00000000,00000000), ref: 0047FF42

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: bc37fcaafb67016497535b5d59222c7ba81cc56f4c663bf679c3d3fb5755dbc4
Instruction ID: 5f0c09fc50e94a54d83870a6ab948b3c2de491f64a7b2d1801d722a528641065
Opcode Fuzzy Hash: bc37fcaafb67016497535b5d59222c7ba81cc56f4c663bf679c3d3fb5755dbc4
Instruction Fuzzy Hash: 16F01D72400509BFEB11ABA1DC098BEBBBDEF44358710442EF89192271EB716D509B58

Function 00433E20 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00433E2F
PtInRect.USER32(?,?,?), ref: 00433E44

Part of subcall function 0047D97F: IsWindowEnabled.USER32(?), ref: 0047D989

Part of subcall function 00434260: UpdateWindow.USER32(00000002), ref: 0043427D

GetCapture.USER32 ref: 00433E6C
SetCapture.USER32(00000002), ref: 00433E77

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CaptureRectWindow$ClientEnabledUpdate
String ID:
API String ID: 2789096292-0
Opcode ID: e2917cefd92ac5d125c6b677809ef206e22ba2ba5c880b3d84c08b1f1fadf283
Instruction ID: 06ef8c638b9b669afb47ff81dae018e45d1f035b7e5f4db5324e1ea991d33680
Opcode Fuzzy Hash: e2917cefd92ac5d125c6b677809ef206e22ba2ba5c880b3d84c08b1f1fadf283
Instruction Fuzzy Hash: 33F04F766046106FD325AF24D845AAF73ACBF88B01F08491EF44AD6241EB78EE01CB99

Function 0040A920 Relevance: 6.0, APIs: 4, Instructions: 35registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,00000000,00000000), ref: 0040A93A
RegQueryValueA.ADVAPI32 ref: 0040A95E
lstrcpyA.KERNEL32(?,00000000), ref: 0040A971
RegCloseKey.ADVAPI32(?), ref: 0040A97C

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CloseOpenQueryValuelstrcpy
String ID:
API String ID: 534897748-0
Opcode ID: 8e82eb0ef35f287d81de2b1ff5bdba694cba6f1f33af1eabecbf5d30c1759d8e
Instruction ID: 8df6bbe33bc3c7d11484320da9e63695cc670d3d08cd296dd2ab74f79de75847
Opcode Fuzzy Hash: 8e82eb0ef35f287d81de2b1ff5bdba694cba6f1f33af1eabecbf5d30c1759d8e
Instruction Fuzzy Hash: 12F04F75104315BFD320DB10DC88EBFBBA8EB85754F04C91DB98982290D670DC44CBE2

Function 00480B2C Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00480B39
GetWindowTextA.USER32(?,?,00000100), ref: 00480B55
lstrcmpA.KERNEL32(?,?), ref: 00480B69
SetWindowTextA.USER32(?,?), ref: 00480B79

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: 4fe3a1a33f049cd5b4cbe49a518def03b683aaa6f0b7611f6d547000697a392d
Instruction ID: 81b74558a95ca4ac61120a0f3d0b53e1d858b7fbbc8819ac29e7e0df861694f3
Opcode Fuzzy Hash: 4fe3a1a33f049cd5b4cbe49a518def03b683aaa6f0b7611f6d547000697a392d
Instruction Fuzzy Hash: FDF08C32000019BBCF226F64EC08EEE3BADEB08394F088826F849D1160D774DE948B98

Function 00414210 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 0041437D
GetObjectA.GDI32(00000000), ref: 00414384

Strings

`qA, xrefs: 0041432A

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Object$Stock
String ID: `qA
API String ID: 1996491644-2154376067
Opcode ID: e74a4fa6e32cd1c12f95b62d7f49264e3323a8aaeba50b5635e7ce5cec775b6c
Instruction ID: a78eb66548af5afb578dc7314c5b1b825b0e88c0409c4af290af715e80c6efdc
Opcode Fuzzy Hash: e74a4fa6e32cd1c12f95b62d7f49264e3323a8aaeba50b5635e7ce5cec775b6c
Instruction Fuzzy Hash: DF81BB76604B41CFC314DF28C441BAAB7E1FFC8710F148A2EE89687391D778A856CB92

Function 00469212 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004692A2

Strings

pow, xrefs: 0046927A, 00469297

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 4a97761275a48b4c06476d033bce840ad8db32878b69e58febfa717a57115ebe
Instruction ID: 6a7f0eea623722bbe7d974b84575d78bdf7592df9cbf1d274e516127b1c0b546
Opcode Fuzzy Hash: 4a97761275a48b4c06476d033bce840ad8db32878b69e58febfa717a57115ebe
Instruction Fuzzy Hash: CD5138A8A08201A6CB51771AC95037B3BD8DF50710F244DABE485833E9FA7D8CC9964F

Function 00416EE0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138memoryCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 00416FE4
GlobalReAlloc.KERNEL32(00000000,00000000,00000002), ref: 00416FEE

Part of subcall function 004822BC: __EH_prolog.LIBCMT ref: 004822C1

Part of subcall function 004795AE: InterlockedDecrement.KERNEL32(-000000F4), ref: 004795C2

Strings

`qA, xrefs: 00417026, 004170FF

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Global$AllocDecrementH_prologInterlockedUnlock
String ID: `qA
API String ID: 2641609054-2154376067
Opcode ID: 55c5d319af9ae5724587e33dc50d5e0291bc6433641f2f36ea67e5e791b4fc1e
Instruction ID: 032205a2414874de7adb96030c30b5966cbb5e95d6703ba8d8ac1c36f380d694
Opcode Fuzzy Hash: 55c5d319af9ae5724587e33dc50d5e0291bc6433641f2f36ea67e5e791b4fc1e
Instruction Fuzzy Hash: 13519B31D05298EEDB11EFA4C945BEDBBB4AF55304F10819EE40A67282DB781F48DB25

Function 0046D21D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 0046D231

Strings

, xrefs: 0046D256
, xrefs: 0046D27A

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: fc2702ec3ba4f1e8d847e2009a1a87223151ebe2feb0d1da0f9e51d64859fef3
Instruction ID: 9e9dfd2092906e73f76488f906cbcc8c0e3f139bbd85c4cd2d12e3303cfe091a
Opcode Fuzzy Hash: fc2702ec3ba4f1e8d847e2009a1a87223151ebe2feb0d1da0f9e51d64859fef3
Instruction Fuzzy Hash: 17417C31E042587AE7158714DD5DFFB7FD9EB02300F0800E6D989CB252E2284D84D7AB

Function 0040C120 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040C161
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040C1BF

Strings

`qA, xrefs: 0040C289

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend
String ID: `qA
API String ID: 3850602802-2154376067
Opcode ID: e170d3b13c3aeedf1770a7aea471417cf5d2eefb89fc8d8406b421aac50812b2
Instruction ID: 1fc2554f0fff5962b84970672579c306ccfea584be5e848d0398f942c9470071
Opcode Fuzzy Hash: e170d3b13c3aeedf1770a7aea471417cf5d2eefb89fc8d8406b421aac50812b2
Instruction Fuzzy Hash: AA419E716087409FC324EF29C881A6FF7E8EFC9714F104A2EF5A6932D1DB7899058B56

Function 0040BE00 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040BE41
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040BE9F

Strings

`qA, xrefs: 0040BF69

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend
String ID: `qA
API String ID: 3850602802-2154376067
Opcode ID: 59a3cf75a6c88ecd19e8e95e3ade6b2e523c27c94c847fd4e361eae23bb84843
Instruction ID: 48ed4d26b1faa71822092436989646d59307cbea3e62349d0f77c9c775328e96
Opcode Fuzzy Hash: 59a3cf75a6c88ecd19e8e95e3ade6b2e523c27c94c847fd4e361eae23bb84843
Instruction Fuzzy Hash: 924180712087419FC324EF25C881A6FF7E8EFC4714F104A2EF5A5932D1DB7899058B9A

Function 0040BF90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040BFD1
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040C02F

Strings

`qA, xrefs: 0040C0F9

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend
String ID: `qA
API String ID: 3850602802-2154376067
Opcode ID: c56a3d57d939844d30a4f0e8b5fe95d7d98fb8b3b1f00a727a2c7371f34259b8
Instruction ID: 3eefffa0a27f15ae65969d078676f5a5fdf4d00b8f37b050fb2f62e88ef3a1dd
Opcode Fuzzy Hash: c56a3d57d939844d30a4f0e8b5fe95d7d98fb8b3b1f00a727a2c7371f34259b8
Instruction Fuzzy Hash: 704172712047419BC324EF25C881A6FB7E9EFC4714F104A2EF596932D1DB749905CB56

Function 0040EE80 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 0047AF15: __EH_prolog.LIBCMT ref: 0047AF1A

DestroyAcceleratorTable.USER32(?), ref: 0040EF1B
DestroyCursor.USER32(00000000), ref: 0040EF45

Strings

`qA, xrefs: 0040EF98

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: Destroy$AcceleratorCursorH_prologTable
String ID: `qA
API String ID: 1561936085-2154376067
Opcode ID: 3ca71f7c37df019bc4b93568700cffd27ed59e8e66b3273a82924a64d8b76e6b
Instruction ID: afa6ff3e7b86bcd7bdfa534620ce364344b8e75815222c9671ee5adca6fd437f
Opcode Fuzzy Hash: 3ca71f7c37df019bc4b93568700cffd27ed59e8e66b3273a82924a64d8b76e6b
Instruction Fuzzy Hash: BC3192B160471A9FC310EF2AD88056EBBE4FB84714F540E2FF455A7381D738AD158B99

Function 0041C5B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(?,00000408), ref: 0041C623
LoadCursorA.USER32(00000000,00000002), ref: 0041C652

Strings

@VJ, xrefs: 0041C638

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CursorLoad
String ID: @VJ
API String ID: 3238433803-4113761934
Opcode ID: f99b6342b9835ba4e312d25d65460d134c901a13371b513ea07d84c0d4d4e1d9
Instruction ID: 61bb68355707d191b8b61143ec6a856db30c914d4a42863706d451b5439b52dc
Opcode Fuzzy Hash: f99b6342b9835ba4e312d25d65460d134c901a13371b513ea07d84c0d4d4e1d9
Instruction Fuzzy Hash: 71118C73B8062017CA20572DEDC05EF6316DBD5336F15193BE965D7340E62CEC8282A9

Function 0047BBB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00483DD8: LeaveCriticalSection.KERNEL32(?,0048314C,00000010,00000010,?,?,00000000,?,?,00482B1C,00482B7F,00482405,004777FC), ref: 00483DF0

Part of subcall function 0046C60C: RaiseException.KERNEL32(004830EF,004C9294,00403600,?,00000000,00000000,004830EF,004C9294,00000000,?,00403600), ref: 0046C63A

wsprintfA.USER32 ref: 0047BBFE
wsprintfA.USER32 ref: 0047BC1A
GetClassInfoA.USER32(?,-00000058,?), ref: 0047BC29

Strings

Afx:%x:%x, xrefs: 0047BBF8

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: wsprintf$ClassCriticalExceptionInfoLeaveRaiseSection
String ID: Afx:%x:%x
API String ID: 2529146597-2071556601
Opcode ID: d659cc6513c2c9c5606cc0f2abc0c6e82752ca47c7fe58d67adc0a0f390aaeb3
Instruction ID: 1a9a05d70aebadd6ab698c0b4637e2f8473380f2b55b753ea65bb5ee122b65cb
Opcode Fuzzy Hash: d659cc6513c2c9c5606cc0f2abc0c6e82752ca47c7fe58d67adc0a0f390aaeb3
Instruction Fuzzy Hash: 611124709006099F8B11EF99CD81AEE7BB8EF48754B10842FF909A2201E77899418BA9

Function 00406B40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00406AE5,000000B1,00000000,000000FF), ref: 00406BCD
SendMessageA.USER32(00406AE5,000000B7,00000000,00000000), ref: 00406BDC

Strings

j@, xrefs: 00406BA4, 00406BDE, 00406B8F, 00406B93, 00406BAA

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: MessageSend
String ID: j@
API String ID: 3850602802-234837537
Opcode ID: e92c5d2e5f3d6f0e58ee0f86141a1b98651d0e65b59426ea4959f8a265b33482
Instruction ID: 259b7608108c2004d16d8dca56fcd4456fdf9cf798f16c12e8a80fc833a33597
Opcode Fuzzy Hash: e92c5d2e5f3d6f0e58ee0f86141a1b98651d0e65b59426ea4959f8a265b33482
Instruction Fuzzy Hash: F711B2B1204701ABD724EB29CC41F6BB7E5AFC4720F144B1EF46A933D0DB78A8048B66

Function 00481903 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00481908

Part of subcall function 00483114: __EH_prolog.LIBCMT ref: 00483119

Part of subcall function 0047D7F0: GetWindowLongA.USER32(?,000000F0), ref: 0047D7FC

Part of subcall function 0047FF4D: __EH_prolog.LIBCMT ref: 0047FF52
Part of subcall function 0047FF4D: GetDC.USER32(?), ref: 0047FF7B

Part of subcall function 00468DBE: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00468DC7

Part of subcall function 0047F849: SelectObject.GDI32(004050D5,00000000), ref: 0047F86B
Part of subcall function 0047F849: SelectObject.GDI32(004050D5,?), ref: 0047F881

GetTextMetricsA.GDI32(?,'H), ref: 0048195A

Strings

'H, xrefs: 00481953, 00481969, 00481956

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: H_prolog$ObjectSelect$LongMessageMetricsSendTextWindow
String ID: 'H
API String ID: 2410843227-1190391643
Opcode ID: 4c496ac62950b87da1615f6d94b94c625a29feabe3048bbf5ef06d104fd04c25
Instruction ID: 64c1b39c45845b2c004017cbfe91219e674950ab43ff33bf40944d3bce8b0639
Opcode Fuzzy Hash: 4c496ac62950b87da1615f6d94b94c625a29feabe3048bbf5ef06d104fd04c25
Instruction Fuzzy Hash: FF118273A104049BCB18BBAACC959EDB779EF84724B10852FE012A3291DF785D06CB58

Function 0047FC76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

SelectClipRgn.GDI32(?,00000000), ref: 0047FC98
SelectClipRgn.GDI32(?,?), ref: 0047FCAE

Strings

`qA, xrefs: 0047FC76

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ClipSelect
String ID: `qA
API String ID: 4060119947-2154376067
Opcode ID: af3cb7bf6822ddb1660e0a624683578118ac7366e899a38d5af6c0f3a5e4f3a8
Instruction ID: f4432d65946147183f4cee522444250b28bb6b3bb2b4a0a44e20567a84014b0e
Opcode Fuzzy Hash: af3cb7bf6822ddb1660e0a624683578118ac7366e899a38d5af6c0f3a5e4f3a8
Instruction Fuzzy Hash: 71F03977210615AF9725DE6AC9C0CA7F3ECAF94310709C87AEE09C7610C664FC088B78

Function 0047509B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000001,00000000,00469CB1,?,?,?,?,?,?,?,00469CB1,00000000,00413272), ref: 004750B9
GetStringTypeW.KERNEL32(00413272,?,00000000,?,?,?,?,?,?,?,?,00469CB1,00000000,00413272), ref: 004750CB

Strings

r2A, xrefs: 004750C8

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide
String ID: r2A
API String ID: 3139900361-1151287387
Opcode ID: e28ede64e927be121801b327e4d4c248cc0d847f85019ff77894af5cb406ded8
Instruction ID: 503937beba8caecc6fac430288b969b8cd1f2087fd99c8fab23d132f4f16d9bd
Opcode Fuzzy Hash: e28ede64e927be121801b327e4d4c248cc0d847f85019ff77894af5cb406ded8
Instruction Fuzzy Hash: 3DF0F832900659AFCF218F90EC859EEBF72FB04360F148529FA26665A0C3764961DB95

Function 0041B8D0 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041B961
wsprintfA.USER32 ref: 0041B97B
wsprintfA.USER32 ref: 0041B996

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: bd093368c352387c84bb515075ce4c521812ca07ededd782dc3a88b3ddb1e484
Instruction ID: 842e14c5fb38c69c6f1e769128d0a3846facc87bb0e1f054b8ea13a8dd7e1636
Opcode Fuzzy Hash: bd093368c352387c84bb515075ce4c521812ca07ededd782dc3a88b3ddb1e484
Instruction Fuzzy Hash: D73190F15047045BC604EF64DD45A6FB7E8EFC8758F440A1EF94693281EB78DE08C6AA

Function 00482F8D Relevance: 5.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00482FEA
LeaveCriticalSection.KERNEL32(?,?), ref: 00482FFA
LocalFree.KERNEL32(?), ref: 00483003
TlsSetValue.KERNEL32(?,00000000), ref: 00483019

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: f7d03d40897bbe980119949ad8f2f1635df22388ef046d2d076fb59655f48fd5
Instruction ID: 6b38b5a1c3c9cd1898ad2ebfe2143ede91330c56f565fd752c4fc16620113799
Opcode Fuzzy Hash: f7d03d40897bbe980119949ad8f2f1635df22388ef046d2d076fb59655f48fd5
Instruction Fuzzy Hash: A0218931204200EFDB25AF44C944BAE77B4FF45711F04886EF6428B2A1C7B5EC80EB59

Function 00471E0A Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00471BD2,?,?,00000000,0046A983,?,?,?,00000000,?,?), ref: 00471E32
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00471BD2,?,?,00000000,0046A983,?,?,?,00000000,?,?), ref: 00471E66
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00471E80
HeapFree.KERNEL32(00000000,?), ref: 00471E97

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: ea5a8e0776f116bae4c36b9dd8cc6ae61b7ae08140651009eb70058d9e206ce4
Instruction ID: df0fe8813aaf90a1575a2cac7ad63583de3e0df75aa20c633801d4a39743410a
Opcode Fuzzy Hash: ea5a8e0776f116bae4c36b9dd8cc6ae61b7ae08140651009eb70058d9e206ce4
Instruction Fuzzy Hash: 96112570600682FFC7618F19EC89DAA7BB6FB847107104A6EE566D66B0D7729C41CB08

Function 00483D68 Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004C9418,?,00000000,?,00000000,00483135,00000010,?,?,00000000,?,?,00482B1C,00482B7F,00482405,004777FC), ref: 00483DA3
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,00483135,00000010,?,?,00000000,?,?,00482B1C,00482B7F,00482405,004777FC), ref: 00483DB5
LeaveCriticalSection.KERNEL32(004C9418,?,00000000,?,00000000,00483135,00000010,?,?,00000000,?,?,00482B1C,00482B7F,00482405,004777FC), ref: 00483DBE
EnterCriticalSection.KERNEL32(00000000,00000000,?,00000000,00483135,00000010,?,?,00000000,?,?,00482B1C,00482B7F,00482405,004777FC), ref: 00483DD0

Part of subcall function 00483CD5: GetVersion.KERNEL32(?,00483D78,00000000,00483135,00000010,?,?,00000000,?,?,00482B1C,00482B7F,00482405,004777FC), ref: 00483CE8

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: 01b80557625acfe83b86df1d151ecb3b00a6942d02fec7c6a9973cc533f4f607
Instruction ID: e15bdd1d152ea751c568719d7ffd7b82d289798c5de1bd0827f12e281377e19d
Opcode Fuzzy Hash: 01b80557625acfe83b86df1d151ecb3b00a6942d02fec7c6a9973cc533f4f607
Instruction Fuzzy Hash: DBF0813600020AFFCB90AF54EC88C9AB3A8FB54717F000C3BE60192121D734B945CB6C

Function 0047045B Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,0046DB88,?,004690B3), ref: 00470468
InitializeCriticalSection.KERNEL32(?,0046DB88,?,004690B3), ref: 00470470
InitializeCriticalSection.KERNEL32(?,0046DB88,?,004690B3), ref: 00470478
InitializeCriticalSection.KERNEL32(?,0046DB88,?,004690B3), ref: 00470480

Memory Dump Source

Source File: 00000002.00000002.3360346990.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3360285860.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360509104.0000000000489000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.000000000048A000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360553333.00000000004A1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360672940.00000000004A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360730020.00000000004A5000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360789461.00000000004B0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360836090.00000000004B3000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004B4000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C0000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3360894382.00000000004C7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361072041.00000000004CB000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361140127.00000000004D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3361217434.00000000004E1000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U8865#U4e01#U6253#U5305.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 1fee8266fbfd522e86bd095f956c622844222af03826e3310cf17f65b1032882
Instruction ID: 2afcd8704a622e16723e40228d07e279944bfb3a27dbe6a0df0a7f651a4db212
Opcode Fuzzy Hash: 1fee8266fbfd522e86bd095f956c622844222af03826e3310cf17f65b1032882
Instruction Fuzzy Hash: C5C00271802574ABCF126B65FD358E97F25EF842A03450673A1045303086211C10DFD8

Analysis Process: OMmJKXpD.exePID: 1012, Parent PID: 4948COMMON

Execution Graph

Execution Coverage:	30.8%
Dynamic/Decrypted Code Coverage:	6.7%
Signature Coverage:	6.3%
Total number of Nodes:	284
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00DC29E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00DC2A02
wsprintfA.USER32 ref: 00DC2A1A
memset.MSVCRT ref: 00DC2A44
lstrlen.KERNEL32(?), ref: 00DC2A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00DC2A6C
strrchr.MSVCRT ref: 00DC2A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00DC2A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00DC2AAE
memset.MSVCRT ref: 00DC2AC6
memset.MSVCRT ref: 00DC2ADA
FindFirstFileA.KERNEL32(?,?), ref: 00DC2AEF
memset.MSVCRT ref: 00DC2B13
lstrcmpiA.KERNEL32(?,?), ref: 00DC2B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 00DC2B67
FindClose.KERNEL32(00000000), ref: 00DC2B6E

Strings

C:\, xrefs: 00DC2A2F
Documents and Settings, xrefs: 00DC2A8D, 00DC2A92, 00DC2A9A, 00DC2AAD
%s*, xrefs: 00DC2A14

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: d339e30f411f054d70864f0d877efd835fb07535583c042f17dfe5f50b10d49f
Instruction ID: 2d3853ac71c24a341f8f3107a7df533544f5bc5c31f8bee6a362199d8bec4fc0
Opcode Fuzzy Hash: d339e30f411f054d70864f0d877efd835fb07535583c042f17dfe5f50b10d49f
Instruction Fuzzy Hash: B5410DB240434BABD7219FA0DC49EEBB7ACEB84315F04492AF545D3111E6359A489BB2

Function 00DC1718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe), ref: 00DC1729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 00DC174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 00DC177C
__aulldiv.LIBCMT ref: 00DC1796
__aulldiv.LIBCMT ref: 00DC17A8

Strings

Time, xrefs: 00DC173D, 00DC1766
SOFTWARE\GTplus, xrefs: 00DC1742, 00DC176B
C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe, xrefs: 00DC1722

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-3815633126
Opcode ID: 169d1e0f38771b0975725b6efc87f2c93507f72d8c6f9c9f47afa0c44ae50635
Instruction ID: 2e3e43ff4b0843e74e6b3bd00964dd231648c6fceee64a165beacbbefb8ce330
Opcode Fuzzy Hash: 169d1e0f38771b0975725b6efc87f2c93507f72d8c6f9c9f47afa0c44ae50635
Instruction Fuzzy Hash: FA112E76A0031BFFDF109A94C989FEEBBB8EB45B54F108119F901A7281D6719A498B70

Function 00DC6076 Relevance: 11.1, APIs: 7, Instructions: 616
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 00DC60BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00DC60DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00DC6189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00DC61A5

Memory Dump Source

Source File: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 62e593fce36c2e0c19cd150757a43badd5f8de73589cbb4b63185abba0575d8c
Instruction ID: ec996f36af52b39974e30f53fbb00f656170957277b109b2096f1c7e06cf1a69
Opcode Fuzzy Hash: 62e593fce36c2e0c19cd150757a43badd5f8de73589cbb4b63185abba0575d8c
Instruction Fuzzy Hash: 561224B25087869FDB328F64CC45FEA7BB4EF02310F1C45AEE9898B192D674E901C765

Function 00DC2B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00DC2BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00DC2BB4
GetDriveTypeA.KERNEL32(?), ref: 00DC2BD3
CreateThread.KERNEL32(00000000,00000000,00DC2B7D,?,00000000,00000000), ref: 00DC2BEE
lstrlen.KERNEL32(?), ref: 00DC2BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00DC2C16
CreateThread.KERNEL32(00000000,00000000,00DC2845,00000000,00000000,00000000), ref: 00DC2C3A

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: 1b47dcb30d748a803c3e4e6973dfef2d906af55a66f7c63688878b22dc3b358d
Instruction ID: 63ecd6a5d8964cc77c94a1bc15d04fe45ae1a117677b4cecda72acf2a1b4f413
Opcode Fuzzy Hash: 1b47dcb30d748a803c3e4e6973dfef2d906af55a66f7c63688878b22dc3b358d
Instruction Fuzzy Hash: 8D21C3B280024FAFE720AF649C84EBE7B6DFB04345B150129F842D3251D7308E06DB70

Function 00DC1E6E Relevance: 30.4, APIs: 20, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,00DC32B0,00000164,00DC2986,?), ref: 00DC1EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00DC1ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00DC1EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00DC1F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00DC1F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 00DC201E
memset.MSVCRT ref: 00DC20D8
memset.MSVCRT ref: 00DC20EA
memcpy.MSVCRT(?,?,00000028,?,?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DC222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DC2238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DC224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DC22C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DC22CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DC22DD
WriteFile.KERNEL32(000000FF,00DC4008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DC22F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DC230D
CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DC2322
UnmapViewOfFile.KERNEL32(?,?,00DC32B0,00000164,00DC2986,?), ref: 00DC2340
CloseHandle.KERNEL32(?,?,00DC32B0,00000164,00DC2986,?), ref: 00DC234E
CloseHandle.KERNEL32(000000FF,?,00DC32B0,00000164,00DC2986,?), ref: 00DC2359

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: File$CloseHandleView$Pointer$CreateUnmapWritememset$AttributesFlushMappingmemcpy
String ID:
API String ID: 3043204753-0
Opcode ID: 80e01e214a2c23034115d4d4721926b1dfa9ce917e70ae68e438f0e62bc3d43a
Instruction ID: f2bbd6bc21b2b1bcc5043a64c553cdb6ab4ebafd1a9c26b803715074df36633f
Opcode Fuzzy Hash: 80e01e214a2c23034115d4d4721926b1dfa9ce917e70ae68e438f0e62bc3d43a
Instruction Fuzzy Hash: 40F1387590021AEFCB20DFA4D881EADBBB5FF08314F14852EE50AA7661D730AE51CF64

Function 00DC1973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(00DC4E5C,00000000,C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe), ref: 00DC1992
CreateFileA.KERNEL32(00DC4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00DC19BA
Sleep.KERNEL32(00000064), ref: 00DC19C6
wsprintfA.USER32 ref: 00DC19EC
CopyFileA.KERNEL32(00DC4E5C,?,00000000), ref: 00DC1A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DC1A1E
GetFileSize.KERNEL32(00DC4E5C,00000000), ref: 00DC1A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00DC1A46
ReadFile.KERNEL32(00DC4E5C,00DC4E60,00000000,?,00000000), ref: 00DC1A65
CloseHandle.KERNEL32(000000FF), ref: 00DC1A90
DeleteFileA.KERNEL32(?), ref: 00DC1AA7
VirtualFree.KERNEL32(00DC4E60,00000000,00008000), ref: 00DC1AC1

Strings

2, xrefs: 00DC19CF
%s%.8X.data, xrefs: 00DC19E6
C:\Users\user\AppData\Local\Temp\, xrefs: 00DC19DB
C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe, xrefs: 00DC197C

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: File$CreateVirtual$AllocCloseCopyDeleteExistsFreeHandlePathReadSizeSleepwsprintf
String ID: %s%.8X.data$2$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe
API String ID: 716042067-3484074478
Opcode ID: 0bc1633a741b6a736b74660eacbf569ed9bc9cd5e4280ab037116d2e2351c36d
Instruction ID: 12de3af020cd833284d5f7e32d82c1fe963ee74fa81bc2e0e6f8102494cfe306
Opcode Fuzzy Hash: 0bc1633a741b6a736b74660eacbf569ed9bc9cd5e4280ab037116d2e2351c36d
Instruction Fuzzy Hash: BE513A7590122BAFDB209F98CC84EAEBBB8EB06354F14456DF515E7291C3309E55CBB0

Function 00DC28B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00DC28D3
wsprintfA.USER32 ref: 00DC28F7
memset.MSVCRT ref: 00DC2925
wsprintfA.USER32 ref: 00DC2940

Part of subcall function 00DC29E2: memset.MSVCRT ref: 00DC2A02
Part of subcall function 00DC29E2: wsprintfA.USER32 ref: 00DC2A1A
Part of subcall function 00DC29E2: memset.MSVCRT ref: 00DC2A44
Part of subcall function 00DC29E2: lstrlen.KERNEL32(?), ref: 00DC2A54
Part of subcall function 00DC29E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00DC2A6C
Part of subcall function 00DC29E2: strrchr.MSVCRT ref: 00DC2A7C
Part of subcall function 00DC29E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00DC2A9F
Part of subcall function 00DC29E2: lstrlen.KERNEL32(Documents and Settings), ref: 00DC2AAE
Part of subcall function 00DC29E2: memset.MSVCRT ref: 00DC2AC6
Part of subcall function 00DC29E2: memset.MSVCRT ref: 00DC2ADA
Part of subcall function 00DC29E2: FindFirstFileA.KERNEL32(?,?), ref: 00DC2AEF
Part of subcall function 00DC29E2: memset.MSVCRT ref: 00DC2B13

strrchr.MSVCRT ref: 00DC2959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00DC2974

Strings

rar, xrefs: 00DC2988
%s%s, xrefs: 00DC28F1
C:\Users\user\AppData\Local\Temp\, xrefs: 00DC29B3
%s\, xrefs: 00DC293A
exe, xrefs: 00DC296D

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-1791786966
Opcode ID: 43817557379260733b3414a0be5867b8f85115aa4459a68e8e84316a14cd1ce6
Instruction ID: b7259f7441a2274e52b4a2549e556430b573020185408513292506738f92c5c6
Opcode Fuzzy Hash: 43817557379260733b3414a0be5867b8f85115aa4459a68e8e84316a14cd1ce6
Instruction Fuzzy Hash: 1231A47698030B6BDB20AB65DC85FEA776CEB11310F18445AF585E3581EAB4DAC48F70

Function 00DC1099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DC185B: GetSystemTimeAsFileTime.KERNEL32(00DC1F92,00000000,?,00000000,?,?,?,00DC1F92,?,00000000,00000002), ref: 00DC1867
Part of subcall function 00DC185B: srand.MSVCRT ref: 00DC1878
Part of subcall function 00DC185B: rand.MSVCRT ref: 00DC1880
Part of subcall function 00DC185B: srand.MSVCRT ref: 00DC1890
Part of subcall function 00DC185B: rand.MSVCRT ref: 00DC1894

WinExec.KERNEL32(?,00000005), ref: 00DC10F1
lstrlen.KERNEL32(00DC4748), ref: 00DC10FA
wsprintfA.USER32 ref: 00DC112A
wsprintfA.USER32 ref: 00DC1143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 00DC115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00DC1169
Sleep.KERNEL32 ref: 00DC1179

Strings

%s%.8X.exe, xrefs: 00DC1124
C:\Users\user\AppData\Local\Temp\, xrefs: 00DC1119
cj/, xrefs: 00DC1135
ddos.dnsnb8.net, xrefs: 00DC10C8, 00DC10CF, 00DC1140, 00DC1168
http://%s:%d/%s/%s, xrefs: 00DC10C2, 00DC1141

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-762681358
Opcode ID: 6bc3d73798f43f1b0a82c4e523f6bf17fc2ca819c7d6658222ff374c71a282eb
Instruction ID: 60d865a821548f57b6da13170edbd5691c1ae47851490962edf44ffe96e76e90
Opcode Fuzzy Hash: 6bc3d73798f43f1b0a82c4e523f6bf17fc2ca819c7d6658222ff374c71a282eb
Instruction Fuzzy Hash: E7217F7690035BBEDB20DBA0DC54FAEBBB8EB06315F15815DE500E3251D7749A849F70

Function 00DC1638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 00DC164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 00DC165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe,00000104), ref: 00DC166E
CreateThread.KERNEL32(00000000,00000000,00DC1099,00000000,00000000,00000000), ref: 00DC16AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 00DC16BD

Part of subcall function 00DC139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe), ref: 00DC13BC
Part of subcall function 00DC139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00DC13DA
Part of subcall function 00DC139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00DC1448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe), ref: 00DC16E5

Strings

Documents and Settings, xrefs: 00DC1696
C:\Users\user\AppData\Local\Temp\, xrefs: 00DC1644
C:\Windows\system32, xrefs: 00DC1656
C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe, xrefs: 00DC1662, 00DC1667, 00DC16DD

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-837708484
Opcode ID: d4160a603403a208a3aff48a208f61c702c34f9559c85520301719eabecbc06e
Instruction ID: 81607979ae669ee64165543a8b8cad654affca3a0d7172365b70d132a251f8ff
Opcode Fuzzy Hash: d4160a603403a208a3aff48a208f61c702c34f9559c85520301719eabecbc06e
Instruction Fuzzy Hash: 1111D076540337BBCB206BA0AD4EFEB3E6DEB03361F144118F209D22A2C6708940DBB1

Function 00DC2C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00DC2C57

Part of subcall function 00DC1973: PathFileExistsA.SHLWAPI(00DC4E5C,00000000,C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe), ref: 00DC1992
Part of subcall function 00DC1973: CreateFileA.KERNEL32(00DC4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00DC19BA
Part of subcall function 00DC1973: Sleep.KERNEL32(00000064), ref: 00DC19C6
Part of subcall function 00DC1973: wsprintfA.USER32 ref: 00DC19EC
Part of subcall function 00DC1973: CopyFileA.KERNEL32(00DC4E5C,?,00000000), ref: 00DC1A00
Part of subcall function 00DC1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DC1A1E
Part of subcall function 00DC1973: GetFileSize.KERNEL32(00DC4E5C,00000000), ref: 00DC1A2C
Part of subcall function 00DC1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00DC1A46
Part of subcall function 00DC1973: ReadFile.KERNEL32(00DC4E5C,00DC4E60,00000000,?,00000000), ref: 00DC1A65

CreateThread.KERNEL32(00000000,00000000,Function_00002B8C,00000000,00000000,00000000), ref: 00DC2C99
WaitForMultipleObjects.KERNEL32(00000001,00DC16BA,00000001,000000FF,?,00DC16BA,00000000), ref: 00DC2CAC
VirtualFree.KERNEL32(00770000,00000000,00008000,C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe,00DC4E5C,00DC4E60,?,00DC16BA,00000000), ref: 00DC2CC2

Strings

C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe, xrefs: 00DC2C69

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe
API String ID: 2042498389-1806799192
Opcode ID: 4916ffe1f25a0a13025c4da894e99d998a78eb49ae741495df187a9228a1a0e5
Instruction ID: 231fe6424603e279cbb2a9aa9a82fa4d12a70e46e4d7bded029ca06a5c590d97
Opcode Fuzzy Hash: 4916ffe1f25a0a13025c4da894e99d998a78eb49ae741495df187a9228a1a0e5
Instruction Fuzzy Hash: F801DF726012237ED710ABA59C1AFEF7E6CEF01B20F108118F904D72C1DAA09A04C7F0

Function 00DC14E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00DC1504
VirtualQuery.KERNEL32(00DC14E1,?,0000001C), ref: 00DC1525
ExitProcess.KERNEL32 ref: 00DC157A

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: e5ebac86ad9b20ddf57327cd93cf4ba77d6d1b8c673200d29030fdd248091437
Instruction ID: 4a0ab1e0a6be974e91fa4186b776524594a1113f30de71384ef61c3df0f2d8bc
Opcode Fuzzy Hash: e5ebac86ad9b20ddf57327cd93cf4ba77d6d1b8c673200d29030fdd248091437
Instruction Fuzzy Hash: 86115E79900327DFCB10EFA5A894F7977B8EB86711B18812EF403D3352D2308941ABB0

Function 00DC1915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00DC1933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00DC1947

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: f99db31d08f6a3c3b3a98e7504556e4ddfcb7d523f091d0bca18408830bedcbe
Instruction ID: 9e3ed202ca605956ca3c4998f763bd29beca32fc11f95b83699b63ea6ca14c17
Opcode Fuzzy Hash: f99db31d08f6a3c3b3a98e7504556e4ddfcb7d523f091d0bca18408830bedcbe
Instruction Fuzzy Hash: 63F0AF3620031BABCB209E66DC04FAB77ACAB51361F04853EF566C2091EB30E6459FB0

Non-executed Functions

Function 00DC119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe,?,?,?,?,?,?,00DC13EF), ref: 00DC11AB
OpenProcessToken.ADVAPI32(00000000,00000028,00DC13EF,?,?,?,?,?,?,00DC13EF), ref: 00DC11BB
AdjustTokenPrivileges.ADVAPI32(00DC13EF,00000000,?,00000010,00000000,00000000), ref: 00DC11EB
CloseHandle.KERNEL32(00DC13EF), ref: 00DC11FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00DC13EF), ref: 00DC1203

Strings

C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe, xrefs: 00DC11A5

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe
API String ID: 75692138-1806799192
Opcode ID: f6273f877dca7ab27f49805981dfea01c80fb089253bb7040db40138dfcd0183
Instruction ID: be2a31e4e29024dad30ac929fba35c7c76451acc61da1d1f8c438ae916c353e4
Opcode Fuzzy Hash: f6273f877dca7ab27f49805981dfea01c80fb089253bb7040db40138dfcd0183
Instruction Fuzzy Hash: 2801D67690030AEFDB00DFD4C989AAEBBB8FB04305F108469E605E2251D7719E44AB60

Function 00DC239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239
sleepfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strstr.MSVCRT ref: 00DC23CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00DC2464
GetFileSize.KERNEL32(00000000,00000000), ref: 00DC2472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 00DC24A8
memset.MSVCRT ref: 00DC24B9
strrchr.MSVCRT ref: 00DC24C9
wsprintfA.USER32 ref: 00DC24DE
strrchr.MSVCRT ref: 00DC24ED
memset.MSVCRT ref: 00DC24F2
memset.MSVCRT ref: 00DC2505
wsprintfA.USER32 ref: 00DC2524
Sleep.KERNEL32(000007D0), ref: 00DC2535
Sleep.KERNEL32(000007D0), ref: 00DC255D
memset.MSVCRT ref: 00DC256E
wsprintfA.USER32 ref: 00DC2585
memset.MSVCRT ref: 00DC25A6
wsprintfA.USER32 ref: 00DC25CA
Sleep.KERNEL32(000007D0), ref: 00DC25D0
Sleep.KERNEL32(000007D0,?,?), ref: 00DC25E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00DC25FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00DC2611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00DC2642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 00DC265B
SetEndOfFile.KERNEL32 ref: 00DC266D
CloseHandle.KERNEL32(00000000), ref: 00DC2676
RemoveDirectoryA.KERNEL32(?), ref: 00DC2681

Strings

%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 00DC25C4
%s X -ibck "%s" "%s\", xrefs: 00DC251E
-ibck, xrefs: 00DC25BA
%s%s, xrefs: 00DC24D8
C:\Users\user\AppData\Local\Temp\, xrefs: 00DC23B1, 00DC23B6, 00DC24CD
%s\, xrefs: 00DC257F

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
API String ID: 2203340711-774930870
Opcode ID: 6637b52373ddafe26c7e7ffbad488226d91dc0e59266731141f98bb33e2ee862
Instruction ID: d888c740d83ba39e7dbb340ca3900045821ee411b5d03521c049676054ebc0ea
Opcode Fuzzy Hash: 6637b52373ddafe26c7e7ffbad488226d91dc0e59266731141f98bb33e2ee862
Instruction Fuzzy Hash: 89819DB2548346ABD7109F64DC49FABBBACFB88704F00451EF684D3290D770DA499B76

Function 00DC274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00DC2766
memset.MSVCRT ref: 00DC2774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00DC2787
wsprintfA.USER32 ref: 00DC27AB

Part of subcall function 00DC185B: GetSystemTimeAsFileTime.KERNEL32(00DC1F92,00000000,?,00000000,?,?,?,00DC1F92,?,00000000,00000002), ref: 00DC1867
Part of subcall function 00DC185B: srand.MSVCRT ref: 00DC1878
Part of subcall function 00DC185B: rand.MSVCRT ref: 00DC1880
Part of subcall function 00DC185B: srand.MSVCRT ref: 00DC1890
Part of subcall function 00DC185B: rand.MSVCRT ref: 00DC1894

wsprintfA.USER32 ref: 00DC27C6
CopyFileA.KERNEL32(?,00DC4C80,00000000), ref: 00DC27D4
wsprintfA.USER32 ref: 00DC27F4

Part of subcall function 00DC1973: PathFileExistsA.SHLWAPI(00DC4E5C,00000000,C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe), ref: 00DC1992
Part of subcall function 00DC1973: CreateFileA.KERNEL32(00DC4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00DC19BA
Part of subcall function 00DC1973: Sleep.KERNEL32(00000064), ref: 00DC19C6
Part of subcall function 00DC1973: wsprintfA.USER32 ref: 00DC19EC
Part of subcall function 00DC1973: CopyFileA.KERNEL32(00DC4E5C,?,00000000), ref: 00DC1A00
Part of subcall function 00DC1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DC1A1E
Part of subcall function 00DC1973: GetFileSize.KERNEL32(00DC4E5C,00000000), ref: 00DC1A2C
Part of subcall function 00DC1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00DC1A46
Part of subcall function 00DC1973: ReadFile.KERNEL32(00DC4E5C,00DC4E60,00000000,?,00000000), ref: 00DC1A65

DeleteFileA.KERNEL32(?,?,00DC4E54,00DC4E58), ref: 00DC281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00DC4E54,00DC4E58), ref: 00DC2832

Strings

%s%.8x.exe, xrefs: 00DC27BB
\WinRAR\Rar.exe, xrefs: 00DC2793
%s%s, xrefs: 00DC27A5
C:\Users\user\AppData\Local\Temp\, xrefs: 00DC27B6
%s\%s, xrefs: 00DC27EE
C:\Windows\system32, xrefs: 00DC27E3
c_31892.nls, xrefs: 00DC27DE

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-3099098879
Opcode ID: b53cbd65233d74ccc3d712d5c8a712bcbc487efbb7338b85122a3ba93f879cc1
Instruction ID: ce7e5e970339ed8d2850d74f3dff5784740ac2584b41802d260dca25dc4c92d5
Opcode Fuzzy Hash: b53cbd65233d74ccc3d712d5c8a712bcbc487efbb7338b85122a3ba93f879cc1
Instruction Fuzzy Hash: EE2130B694031A7FEB10EBA49C99FEB776CEB04744F0445A9B644E3142E6709F488AB4

Function 00DC120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00DC1400), ref: 00DC1226
GetProcAddress.KERNEL32(00000000), ref: 00DC122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00DC1400), ref: 00DC123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00DC1400), ref: 00DC1250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe,?,?,?,?,00DC1400), ref: 00DC129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe,?,?,?,?,00DC1400), ref: 00DC12B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe,?,?,?,?,00DC1400), ref: 00DC12F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00DC1400), ref: 00DC130A

Strings

ZwQuerySystemInformation, xrefs: 00DC1212
C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe, xrefs: 00DC1262
ntdll.dll, xrefs: 00DC1219

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-1602619876
Opcode ID: 910726e6cd01d7ec955773c0d46c2c6a1c454f86bdae36e2b5be672b74f65c14
Instruction ID: 058be95ffcc9389c3501ffc323802516de1b98ad82f99697736ffb7cd86e9240
Opcode Fuzzy Hash: 910726e6cd01d7ec955773c0d46c2c6a1c454f86bdae36e2b5be672b74f65c14
Instruction Fuzzy Hash: FC21D179605323ABD7209F65CC0AF6BBAA8FB87B00F14491CF945D7241C770DA4487B9

Function 00DC1000 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,?,http://%s:%d/%s/%s,00DC10E8,?), ref: 00DC1018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,76938400,?,http://%s:%d/%s/%s,00DC10E8,?), ref: 00DC1029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00DC1038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,http://%s:%d/%s/%s,00DC10E8,?), ref: 00DC104B
UnmapViewOfFile.KERNEL32(00000000,?,http://%s:%d/%s/%s,00DC10E8,?), ref: 00DC1075
CloseHandle.KERNEL32(?,?,http://%s:%d/%s/%s,00DC10E8,?), ref: 00DC108B
CloseHandle.KERNEL32(00000000,?,http://%s:%d/%s/%s,00DC10E8,?), ref: 00DC108E

Strings

ddos.dnsnb8.net, xrefs: 00DC1026
http://%s:%d/%s/%s, xrefs: 00DC1000

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3273462101
Opcode ID: cb924a2c6d822b487b1662e7136bf9cd06e1c2a6c1efd4cc8233bcdd282e07d1
Instruction ID: 4d495d10906839f6d4e71550621dab42935290769a5c6ae8396b5322ed0864bb
Opcode Fuzzy Hash: cb924a2c6d822b487b1662e7136bf9cd06e1c2a6c1efd4cc8233bcdd282e07d1
Instruction Fuzzy Hash: 8A015E7610035EBFE6306F609C88F2BBAACEB447A9F044629B245E3191D6705E44AA70

Function 00DC2692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7622E800,?,?,00DC29DB,?,00000001), ref: 00DC26A7
WaitForSingleObject.KERNEL32(00000000,000000FF,7622E800,?,?,00DC29DB,?,00000001), ref: 00DC26B5
lstrlen.KERNEL32(?), ref: 00DC26C4
??2@YAPAXI@Z.MSVCRT(-00000005), ref: 00DC26CE
lstrcpy.KERNEL32(00000004,?), ref: 00DC26E3
lstrcpy.KERNEL32(?,00000004), ref: 00DC271F
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00DC272D
SetEvent.KERNEL32 ref: 00DC273C

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: b90295b78f6110e27be903bcfab1018866782a3db00ee9f4a81b3c89ec85c459
Instruction ID: 2343047743bd48778e419538e7c8d1bbe39de7ac3ce5b8cee2ddfc4b98c1c47f
Opcode Fuzzy Hash: b90295b78f6110e27be903bcfab1018866782a3db00ee9f4a81b3c89ec85c459
Instruction Fuzzy Hash: FA11BF36501303EFCB21AF55ED88D6A7BA9FB847217258019F859C7360D7308E85EB70

Function 00DC1B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00DC1BCD
rand.MSVCRT ref: 00DC1BD8
memset.MSVCRT ref: 00DC1C43
memcpy.MSVCRT(?,EBohdZlscpnvytZdPfXFUTgcGBZilzlWSGvOQTLJAIpByHxsbiDVEFjCWMQTLkAeLUNfkcNnCCuWwOtAugIJRjazqrrNROdhYGPMDhwYwUSubVKXqvQbHqXIEomxtjSDKKafxsyzoVgpmMkmPYnRFrJeeaHi,00000006,?,00000000,00000040,?,00000000,00000000,?,00000000,00000002), ref: 00DC1C4F
lstrcat.KERNEL32(?,.exe), ref: 00DC1C5D

Strings

EBohdZlscpnvytZdPfXFUTgcGBZilzlWSGvOQTLJAIpByHxsbiDVEFjCWMQTLkAeLUNfkcNnCCuWwOtAugIJRjazqrrNROdhYGPMDhwYwUSubVKXqvQbHqXIEomxtjSDKKafxsyzoVgpmMkmPYnRFrJeeaHi, xrefs: 00DC1B8A, 00DC1B9C, 00DC1C15, 00DC1C49
.exe, xrefs: 00DC1C57

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$EBohdZlscpnvytZdPfXFUTgcGBZilzlWSGvOQTLJAIpByHxsbiDVEFjCWMQTLkAeLUNfkcNnCCuWwOtAugIJRjazqrrNROdhYGPMDhwYwUSubVKXqvQbHqXIEomxtjSDKKafxsyzoVgpmMkmPYnRFrJeeaHi
API String ID: 122620767-4150298806
Opcode ID: cdfd32601c44e9ead84f57c41aaace7b831cd1a554f9df0a9d879a919b43444a
Instruction ID: 33b6e2780ba72dfa2c08d0ea93f82530f919fcb68742d6b84152431564cb663c
Opcode Fuzzy Hash: cdfd32601c44e9ead84f57c41aaace7b831cd1a554f9df0a9d879a919b43444a
Instruction Fuzzy Hash: 2C216B26E453A36ED31623356C60FA96B45DFA7721F2A409DF4864B293D16409C68270

Function 00DC189D Relevance: 9.1, APIs: 6, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00DC18B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,76230F00,76938400), ref: 00DC18D3
CloseHandle.KERNEL32(00DC2549), ref: 00DC18E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DC18F0
GetExitCodeProcess.KERNEL32(?,00DC2549), ref: 00DC1901
CloseHandle.KERNEL32(?), ref: 00DC190A

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID:
API String ID: 876959470-0
Opcode ID: d63ab9cbce54112a26ef762bf4117706e55f497e8dc6e908fa43518f4eb67412
Instruction ID: 520c65168dec002028dd30aa595247e573bc7e1f73736042a4d3190facc5c6c0
Opcode Fuzzy Hash: d63ab9cbce54112a26ef762bf4117706e55f497e8dc6e908fa43518f4eb67412
Instruction Fuzzy Hash: C8015E7690122ABBCB216F96DC48DDF7F3DFB85720F104125F915E61A0D6314A18DAB0

Function 00DC139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe), ref: 00DC13BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00DC13DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00DC1448

Part of subcall function 00DC119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe,?,?,?,?,?,?,00DC13EF), ref: 00DC11AB
Part of subcall function 00DC119F: OpenProcessToken.ADVAPI32(00000000,00000028,00DC13EF,?,?,?,?,?,?,00DC13EF), ref: 00DC11BB
Part of subcall function 00DC119F: AdjustTokenPrivileges.ADVAPI32(00DC13EF,00000000,?,00000010,00000000,00000000), ref: 00DC11EB
Part of subcall function 00DC119F: CloseHandle.KERNEL32(00DC13EF), ref: 00DC11FA
Part of subcall function 00DC119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,00DC13EF), ref: 00DC1203

Strings

SeDebugPrivilege, xrefs: 00DC13D3
C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe, xrefs: 00DC13A8

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\OMmJKXpD.exe$SeDebugPrivilege
API String ID: 4123949106-2496766686
Opcode ID: d45f815d1fabfd01afe2120dee1e96f5f1d3ea87c47cd3e934e2253c0de82415
Instruction ID: 6049f8216b928d86b6f949761486ba66ce9465334f3ee2147d86dd42b2de4779
Opcode Fuzzy Hash: d45f815d1fabfd01afe2120dee1e96f5f1d3ea87c47cd3e934e2253c0de82415
Instruction Fuzzy Hash: 6A313075D0026BAADF20EBA5CC45FEEBBB8EB46704F24416DE504B3242D6709E45CB70

Function 00DC1319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00DC1334
GetProcAddress.KERNEL32(00000000), ref: 00DC133B
memset.MSVCRT ref: 00DC1359

Strings

NtSystemDebugControl, xrefs: 00DC132A
ntdll.dll, xrefs: 00DC132F

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: 50e567c66fd305c3f75e95b7c7203b9f2cbf6f26a30584edde986c5467c755a7
Instruction ID: 24326708961f71407dc59b48de7af40ea9abae1adb67a994d9f30582fcd84327
Opcode Fuzzy Hash: 50e567c66fd305c3f75e95b7c7203b9f2cbf6f26a30584edde986c5467c755a7
Instruction Fuzzy Hash: FA016D7560036BAFDB10DF94AC85FAFBBB8FB52318F04412EF941E2241E6708615CA71

Function 00DC1DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00DC1E0B
lstrcpy.KERNEL32(?,00000001), ref: 00DC1E1C
strrchr.MSVCRT ref: 00DC1E2B
lstrcmpiA.KERNEL32(?,00DC4488), ref: 00DC1E48
lstrlen.KERNEL32(00DC4488), ref: 00DC1E53

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: a5dedb70aaa76aa5c33c3f80f28057204db3203e500819e96e2de7ffdc6fb139
Instruction ID: d30fb04c18bbdc89d3fe86ab79e59b096c4e130aa7e28aabc6d77757ef61f86b
Opcode Fuzzy Hash: a5dedb70aaa76aa5c33c3f80f28057204db3203e500819e96e2de7ffdc6fb139
Instruction Fuzzy Hash: 7A01FE7790432B6FDB105B60DC48FD677DCEB05310F144069F945D3191D6B4DA848BB0

Function 00DC185B Relevance: 7.5, APIs: 5, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00DC1F92,00000000,?,00000000,?,?,?,00DC1F92,?,00000000,00000002), ref: 00DC1867
srand.MSVCRT ref: 00DC1878
rand.MSVCRT ref: 00DC1880
srand.MSVCRT ref: 00DC1890
rand.MSVCRT ref: 00DC1894

Memory Dump Source

Source File: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID:
API String ID: 4106363736-0
Opcode ID: 11e7ea9f05c15f41e4e2a93642590862e05f34e5abe849407a812534898d5f6a
Instruction ID: 6aa19812f0006fe6b390f30696e111eb6b62db853a005edf2fb0949884e8a876
Opcode Fuzzy Hash: 11e7ea9f05c15f41e4e2a93642590862e05f34e5abe849407a812534898d5f6a
Instruction Fuzzy Hash: 61E0D877A00319BBD700ABF9EC46C9EBBACEE84161B100527F600D3350E570FD448AB4

Function 00DC6014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00DC603C
GetProcAddress.KERNEL32(00000000,00DC6064), ref: 00DC604F

Strings

kernel32.dll, xrefs: 00DC603B

Memory Dump Source

Source File: 00000003.00000002.3361669866.0000000000DC6000.00000040.00000001.01000000.00000006.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000003.00000002.3361524913.0000000000DC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361550461.0000000000DC1000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361587050.0000000000DC3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3361629175.0000000000DC4000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dc0000_OMmJKXpD.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: 900736e071f9c3340ede898d64b88080631497f25a778512c10248d3b740a252
Instruction ID: 7148b6118e865b51948cec917f460cb64dc9b9b52cad5c64323cc50185a29b4f
Opcode Fuzzy Hash: 900736e071f9c3340ede898d64b88080631497f25a778512c10248d3b740a252
Instruction Fuzzy Hash: 3EF0F0B114829A8FEF708EA4CC44FDE3BE4EF05700F50042EEA09CB282DB348605DB24

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U8865#U4e01#U6253#U5305.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files (x86)\AutoIt3\Uninstall.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Windows Analysis Report
#U8865#U4e01#U6253#U5305.exe

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre