Edit tour

Windows Analysis Report
#U65b0#U7248#U7f51#U5173.exe

Overview

General Information

Sample name:	#U65b0#U7248#U7f51#U5173.exe renamed because original name is a hash value
Original sample name:	.exe
Analysis ID:	1558250
MD5:	dc6bd8c6c6f2546decbf866c7a7df25d
SHA1:	263d0299b4e803f995480d866d8c82ef82c83023
SHA256:	08e00ccaa704c210e5841227e0db6b5c911ad675f3eaf48f5a629877c0ac3de1
Tags:	exeuser-Joker
Infos:

Detection

Bdaejec, Neshta, Ramnit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Bdaejec

Yara detected Neshta

Yara detected Ramnit

AI detected suspicious sample

Creates an undocumented autostart registry key

Drops PE files with a suspicious file extension

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Found evasive API chain (may stop execution after checking mutex)

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Sample is not signed and drops a device driver

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May infect USB drives

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential browser exploit detected (process start blacklist hit)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Classes Autorun Keys Modification

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

#U65b0#U7248#U7f51#U5173.exe (PID: 6048 cmdline: "C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe" MD5: DC6BD8C6C6F2546DECBF866C7A7DF25D)

#U65b0#U7248#U7f51#U5173.exe (PID: 1148 cmdline: "C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe" MD5: CF530E5210C08CD0A8613AE62957628E)

gXhmKFnw.exe (PID: 7060 cmdline: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)

WerFault.exe (PID: 8256 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 1384 MD5: C31336C1EFC2CCB44B4326EA793040F2)

#U65b0#U7248#U7f51#U5173Srv.exe (PID: 3988 cmdline: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe MD5: FF5E1F27193CE51EEC318714EF038BEF)

DesktopLayer.exe (PID: 5620 cmdline: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" MD5: FF5E1F27193CE51EEC318714EF038BEF)

iexplore.exe (PID: 2772 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" MD5: CFE2E6942AC1B72981B3105E22D3224E)

iexplore.exe (PID: 2616 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:17410 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

svchost.com (PID: 5904 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10454 MD5: 811C79A695A4715D805A61F5EF41264D)

ie_to_edge_stub.exe (PID: 3976 cmdline: C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe --from-ie-to-edge=3 --ie-frame-hwnd=10454 MD5: 89CF8972D683795DAB6901BC9456675D)

svchost.com (PID: 5072 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10454 MD5: 811C79A695A4715D805A61F5EF41264D)

msedge.exe (PID: 1456 cmdline: C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=10454 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7052 cmdline: "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=2112,i,18150823197177763783,15696018199099908702,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

svchost.com (PID: 708 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new MD5: 811C79A695A4715D805A61F5EF41264D)

ssvagent.exe (PID: 6552 cmdline: C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe -new MD5: F9A898A606E7F5A1CD7CFFA8079253A0)

svchost.com (PID: 3976 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10454 --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 811C79A695A4715D805A61F5EF41264D)

msedge.exe (PID: 7300 cmdline: C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=10454 --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7576 cmdline: "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2708 --field-trial-handle=2664,i,14214771295167982172,2696686499744709149,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5836 cmdline: "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5868 --field-trial-handle=2664,i,14214771295167982172,2696686499744709149,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
neshta	Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something."	No Attribution	https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html https://www.mandiant.com/resources/pe-file-infecting-malware-ot https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest https://www.virusradar.com/en/Win32_Neshta.A/description	https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta

Name	Description	Attribution	Blogpost URLs	Link
Ramnit	According to Check Point, Ramnit is primarily a banking trojan, meaning that its purpose is to steal login credentials for online banking, which cybercriminals can sell or use in future attacks. For this reason, Ramnit primarily targets individuals rather than focusing on particular industries.Ramnit campaigns have been observed to target organizations in particular industries. For example, a 2019 campaign targeted financial organizations in the United Kingdom, Italy, and Canada.	No Attribution	http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html http://www.secureworks.com/research/threat-profiles/gold-fairfax http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html https://artik.blue/malware4	https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.1508242032.0000000000400000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
00000006.00000002.1513070709.0000000000400000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
00000000.00000002.2293751786.0000000000409000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
Process Memory Space: #U65b0#U7248#U7f51#U5173.exe PID: 6048	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
Process Memory Space: gXhmKFnw.exe PID: 7060	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 3988	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
Process Memory Space: DesktopLayer.exe PID: 5620	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
5.2.#U65b0#U7248#U7f51#U5173Srv.exe.404031.0.raw.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
5.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.1.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
2.2.#U65b0#U7248#U7f51#U5173.exe.54b573.1.raw.unpack	MAL_Ramnit_May19_1	Detects Ramnit malware	Florian Roth
6.2.DesktopLayer.exe.400000.1.raw.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
5.0.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.unpack	MAL_Ramnit_May19_1	Detects Ramnit malware	Florian Roth
6.0.DesktopLayer.exe.400000.0.unpack	MAL_Ramnit_May19_1	Detects Ramnit malware	Florian Roth
5.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.1.raw.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
6.2.DesktopLayer.exe.404031.0.raw.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
6.2.DesktopLayer.exe.400000.1.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Classes Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\svchost.com "%1" %*, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe, ProcessId: 6048, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10454, CommandLine: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10454, CommandLine|base64offset|contains: o{h`, Image: C:\Windows\svchost.com, NewProcessName: C:\Windows\svchost.com, OriginalFileName: C:\Windows\svchost.com, ParentCommandLine: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:17410 /prefetch:2, ParentImage: C:\Program Files (x86)\Internet Explorer\iexplore.exe, ParentProcessId: 2616, ParentProcessName: iexplore.exe, ProcessCommandLine: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10454, ProcessId: 5904, ProcessName: svchost.com

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files\Internet Explorer\iexplore.exe, ProcessId: 2772, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-19T09:07:17.065183+0100	2838522	1	Malware Command and Control Activity Detected	192.168.2.8	62882	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: #U65b0#U7248#U7f51#U5173.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Avira: detection malicious, Label: W32/Delf.I

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	ReversingLabs: Detection: 93%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	ReversingLabs: Detection: 100%

Multi AV Scanner detection for submitted file

Source: #U65b0#U7248#U7f51#U5173.exe	ReversingLabs: Detection: 97%
Source: #U65b0#U7248#U7f51#U5173.exe	Virustotal: Detection: 90%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: #U65b0#U7248#U7f51#U5173.exe

Joe Sandbox ML: detected

Source: #U65b0#U7248#U7f51#U5173.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:	Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
Source:	Binary string: mpextms.pdb source: mpextms.exe0.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\iecontentservice.pdbb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: IEContentService.exe.9.dr
Source:	Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController64.exe.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoev.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdbOGP source: msedge.exe.9.dr
Source:	Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdb source: MicrosoftEdgeComRegisterShellARM64.exe.9.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb source: OLicenseHeartbeat.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\msohtmed.pdb source: MSOHTMED.EXE.9.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdb source: msedge.exe.9.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x64\ship\postc2rcross\x-none\msoxmled.pdb source: MSOXMLED.EXE.9.dr
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source:	Binary string: r.pdb source: AppSharingHookController64.exe.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController64.exe.9.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\onenote.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: ONENOTE.EXE.9.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x64\ship\postc2rcross\x-none\msoxmled.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSOXMLED.EXE.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.0.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: VC_redist.x64.exe.0.dr
Source:	Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr, MpCmdRun.exe2.0.dr
Source:	Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdbh source: MicrosoftEdgeComRegisterShellARM64.exe.9.dr
Source:	Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb source: msoev.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\onenote.pdb source: ONENOTE.EXE.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OLicenseHeartbeat.exe.0.dr
Source:	Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr, MpCmdRun.exe2.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.0.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\iecontentservice.pdb source: IEContentService.exe.9.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.0.dr
Source:	Binary string: lper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source:	Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\msohtmed.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSOHTMED.EXE.9.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
Source:	Binary string: mpextms.pdbGCTL source: mpextms.exe0.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr

Spreading

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2293751786.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173.exe PID: 6048, type: MEMORYSTR

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Source: #U65b0#U7248#U7f51#U5173Srv.exe	Binary or memory string: [autorun] action=Open icon=%%WinDir%%\system32\shell32.dll,4 shellexecute=.\%s shell\explore\command=.\%s USEAUTOPLAY=1 shell\Open\command=.\%s
Source: #U65b0#U7248#U7f51#U5173Srv.exe	Binary or memory string: autorun.inf
Source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000005.00000002.1508242032.0000000000400000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: autorun.inf
Source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000005.00000002.1508242032.0000000000400000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: [autorun]
Source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000005.00000002.1508242032.0000000000400000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: //--></SCRIPT>RmNautorun.infRECYCLER.exe[autorun]
Source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000005.00000002.1508242032.0000000000400000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: //--></SCRIPT>RmNautorun.infRECYCLER.exe[autorun]
Source: DesktopLayer.exe	Binary or memory string: [autorun] action=Open icon=%%WinDir%%\system32\shell32.dll,4 shellexecute=.\%s shell\explore\command=.\%s USEAUTOPLAY=1 shell\Open\command=.\%s
Source: DesktopLayer.exe	Binary or memory string: autorun.inf
Source: DesktopLayer.exe, 00000006.00000002.1513070709.0000000000400000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: autorun.inf
Source: DesktopLayer.exe, 00000006.00000002.1513070709.0000000000400000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: [autorun]
Source: DesktopLayer.exe, 00000006.00000002.1513070709.0000000000400000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: //--></SCRIPT>RmNautorun.infRECYCLER.exe[autorun]
Source: DesktopLayer.exe, 00000006.00000002.1513070709.0000000000400000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: //--></SCRIPT>RmNautorun.infRECYCLER.exe[autorun]

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00420690 FindNextFileA,FindClose,FindFirstFileA,FindClose,	2_2_00420690
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00428A20 FindFirstFileA,FindClose,	2_2_00428A20
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00415190 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	2_2_00415190
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004B3B58 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	2_2_004B3B58
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Code function: 3_2_00F029E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	3_2_00F029E2
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 5_2_004011DF FindFirstFileA,FindClose,	5_2_004011DF
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_2_004011DF FindFirstFileA,FindClose,	6_2_004011DF

Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe

Code function: 3_2_00F02B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

3_2_00F02B8C

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 4x nop then push esi	2_2_0043DE31
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 4x nop then push esi	2_2_00476037
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_00476597
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000000h]	2_2_00433D42

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Process created: C:\Windows\svchost.com

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2838522 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup : 192.168.2.8:62882 -> 1.1.1.1:53

Source: global traffic

TCP traffic: 192.168.2.8:49704 -> 44.221.84.105:799

Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 44.221.84.105 44.221.84.105

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe

Code function: 2_2_00434150 ioctlsocket,recv,recv,

2_2_00434150

Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.facebook.com/favicon.ico equals www.facebook.com (Facebook)
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico equals www.myspace.com (Myspace)
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rambler.ru/ equals www.rambler.ru (Rambler)
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico equals www.rambler.ru (Rambler)

Source: global traffic	DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: gXhmKFnw.exe, 00000003.00000002.2749241662.0000000000F03000.00000002.00000001.01000000.00000006.sdmp, gXhmKFnw.exe, 00000003.00000003.1489039949.0000000001020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: integrator.exe.0.dr	String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: OLicenseHeartbeat.exe.0.dr	String found in binary or memory: http://CodeTypeIsExpectedOffice.System.ResultGlobal
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://amazon.fr/
Source: VC_redist.x64.exe.0.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://asp.usatoday.com/.
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://br.search.yahoo.com/:
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico_
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.icol~
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.orange.es/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.uol.com.br/$
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.icoe
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscador.terra.com/Z
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscador.terra.es/6
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/M
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/&
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cnet.search.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.icod
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AdobeARMHelper.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: iexplore.exe, 00000007.00000002.2751893927.00000239FDE21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: armsvc.exe.0.dr, AdobeARMHelper.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: gXhmKFnw.exe, 00000003.00000002.2750050685.000000000121E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://de.search.yahoo.com/0
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://es.ask.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://find.joins.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://find.joins.com/i
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.altervista.org/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.altervista.org/Y
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.altervista.org/favicon.icod
Source: MSOHTMED.EXE.9.dr	String found in binary or memory: http://https://ftp://.htmlGot
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.icod
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico~
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://in.search.yahoo.com/a
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.icod
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kr.search.yahoo.com/j~
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://list.taobao.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: #U65b0#U7248#U7f51#U5173.exe, 00000000.00000002.2293676299.0000000000190000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/o
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: iexplore.exe, 00000007.00000002.2751893927.00000239FDE21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.icodz
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://price.ru/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://rover.ebay.com
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://rover.ebay.comg
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.about.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.alice.it/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico-
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.aol.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.aol.in/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.auction.co.kr/?
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.auone.jp/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.auone.jp/v
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.books.com.tw/=
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.icoo~
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.chol.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.daum.net/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico~
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.daum.net/q
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.de/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.es/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.es/-
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.in/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ebay.it/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.empas.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.empas.com/favicon.icoy
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico1
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico(
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.goo.ne.jp/p
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.hanafos.com/K
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.interpark.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&FORM=AS5
Source: iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&FORM=AS63
Source: iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&FORM=CBPW
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFF89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&FORM=IE7BOX&src=%7Breferrer:source?%7D
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFF89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&FORM=IE7RE&src=%7Breferrer:source?%7Dw
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFF89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&FORM=MSNIE7&src=%7Breferrer:source?%7D
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFF89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&Form=IE8SRC&src=%7Breferrer:source%7D
Source: iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&mkt=%7BLanguage%7D&FORM=IE8SRC&src=%7Breferr
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFF89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&src=%7Breferrer:source?%7D&Form=IE8SRC(
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFF30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&src=%7Breferrer:source?%7DuJ
Source: iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=%7BsearchTerms%7D&src=IE-SearchBox&Form=IE8SRC
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.lycos.com/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.lycos.com/favicon.icoK
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFF98000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=%7BsearchTerms%7D&FORM=AS5G
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFF98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=%7BsearchTerms%7D&FORM=AS6
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFF98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=%7BsearchTerms%7D&FORM=CBPW5
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFF98000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2751893927.00000239FDE21000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=%7BsearchTerms%7D&FORM=AS5-
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFF98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=%7BsearchTerms%7D&FORM=AS6t
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFF98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=%7BsearchTerms%7D&FORM=CBPW
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFF30000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=%7BsearchTerms%7D&FORM=AS5r
Source: iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=%7BsearchTerms%7D&FORM=AS6
Source: iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=%7BsearchTerms%7D&FORM=CBPW$
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.nate.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.naver.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.nifty.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.nifty.com/d
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.icoW
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.rediff.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.rediff.com/P
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.rediff.com/favicon.icoG
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.sify.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.sify.com/b
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.icoO
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yahoo.com/n
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yam.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search.yam.com/G
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://searchresults.news.com.au/0
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://service2.bfast.com/t
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/g
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/~
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.aol.de/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.aol.de/C
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.icol
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.t-online.de/0
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.web.de/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://udn.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://udn.com/favicon.icoS
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://udn.com/g
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uk.ask.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: Amcache.hve.24.dr	String found in binary or memory: http://upx.sf.net
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://video.globo.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://video.globo.com/?
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.ask.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.icoR
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.icod
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&camp=1789&creativ
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.de/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico2
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.arrakis.com/b~
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.icom~
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ask.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: AutoIt3_x64.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.baidu.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.icom~
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.icou~
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cjmall.com/A
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.icoD
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico$
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.etmall.com.tw/e
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.excite.co.jp/z
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.expedia.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.expedia.com/5
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.co.in/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.co.in/#
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.co.jp/(
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.co.uk/s
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com.br/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com.br/k
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/9
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/favicon.ico;
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.cz/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.cz/U
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.de/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.de/_
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.es/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.fr/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.it/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.pl/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.pl/D
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.ru/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.si/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.si/x
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iask.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico7
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mtv.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.najdi.si/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.najdi.si/%~
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.neckermann.de/~
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.nifty.com/favicon.icol~
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.icoy
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.orange.fr/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.otto.de/favicon.icoW
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.paginasamarillas.es/K
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.icoo
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico?
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.icod
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rtl.de/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rtl.de/;
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rtl.de/favicon.icol
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.servicios.clarin.com/=
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sogou.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.soso.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.t-online.de/favicon.icoz
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.taobao.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.target.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.target.com/l
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tchibo.de/V
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tesco.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tesco.com/H
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico;
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.icod
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.univision.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.univision.com/:
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.univision.com/favicon.icoO
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.walmart.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation=ItemSea
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: msedge.exe.9.dr	String found in binary or memory: https://crashpad.chromium.org/
Source: msedge.exe.9.dr	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: msedge.exe.9.dr	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: identity_helper.exe.0.dr, msedge.exe.9.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: identity_helper.exe.0.dr, msedge.exe.9.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: gXhmKFnw.exe, 00000003.00000002.2750050685.0000000001290000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2751893927.00000239FDEC6000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFDF000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: iexplore.exe, 00000007.00000002.2752485717.00000239FFF30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comZ
Source: OLicenseHeartbeat.exe.0.dr	String found in binary or memory: https://login.windows.net/commonhttps://login.windows.netDBSFetcher::CreateRequestHeader
Source: integrator.exe.0.dr	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: integrator.exe.0.dr	String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ramnit

Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1508242032.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1513070709.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 3988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 5620, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe

Code function: 2_2_0043CFE0 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,

2_2_0043CFE0

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0043CFE0 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_0043CFE0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0040BEA0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,		2_2_0040BEA0

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe

Code function: 2_2_0043D140 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0043D140

Source: integrator.exe.0.dr

Binary or memory string: RegisterRawInputDevices

memstr_88ee5f11-a

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004B8232 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	2_2_004B8232
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004948D0 GetCursorPos,WindowFromPoint,GetTickCount,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow,GetTickCount,UpdateWindow,GetTickCount,	2_2_004948D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00428BD0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	2_2_00428BD0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004B670B GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	2_2_004B670B
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00426E50 IsWindowEnabled,TranslateAcceleratorA,IsChild,GetFocus,PostMessageA,PostMessageA,SendMessageA,IsChild,IsWindow,IsWindowVisible,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA,WinHelpA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow,	2_2_00426E50
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0043B840 GetKeyState,GetKeyState,GetKeyState,CopyRect,	2_2_0043B840

E-Banking Fraud

Yara detected Ramnit

Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1508242032.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1513070709.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 3988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 5620, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.#U65b0#U7248#U7f51#U5173.exe.54b573.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Ramnit malware Author: Florian Roth
Source: 5.0.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Ramnit malware Author: Florian Roth
Source: 6.0.DesktopLayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Ramnit malware Author: Florian Roth

PE file contains section with special chars

Source: #U65b0#U7248#U7f51#U5173.exe.0.dr	Static PE information: section name: }uu
Source: MyProg.exe.3.dr	Static PE information: section name: Y\|uR

PE file has a writeable .text section

Source: #U65b0#U7248#U7f51#U5173.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: gXhmKFnw.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 5_3_00581457 NtFreeVirtualMemory,	5_3_00581457
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 5_3_00580814 NtProtectVirtualMemory,	5_3_00580814
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 5_3_00580335 NtAllocateVirtualMemory,	5_3_00580335
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 5_3_005804CC NtQuerySystemInformation,	5_3_005804CC
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 5_3_00583519 NtQuerySystemInformation,	5_3_00583519
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 5_3_005827A0 NtAllocateVirtualMemory,	5_3_005827A0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 5_2_00582740 NtFreeVirtualMemory,	5_2_00582740
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 5_2_00583519 NtQuerySystemInformation,	5_2_00583519
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 5_2_005827A0 NtAllocateVirtualMemory,	5_2_005827A0
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_3_00571457 NtFreeVirtualMemory,	6_3_00571457
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_3_00570814 NtProtectVirtualMemory,	6_3_00570814
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_3_00570335 NtAllocateVirtualMemory,	6_3_00570335
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_3_005704CC NtQuerySystemInformation,	6_3_005704CC
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_3_00573519 NtQuerySystemInformation,	6_3_00573519
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_3_005727A0 NtAllocateVirtualMemory,	6_3_005727A0
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_2_004019D4 NtQueryInformationProcess,	6_2_004019D4
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_2_00572740 NtFreeVirtualMemory,	6_2_00572740
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_2_00573519 NtQuerySystemInformation,	6_2_00573519
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_2_005727A0 NtAllocateVirtualMemory,	6_2_005727A0

Source: C:\Windows\svchost.com

File created: C:\Windows\directx.sys

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Windows\svchost.com			Jump to behavior
Source: C:\Windows\svchost.com	File created: C:\Windows\directx.sys

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0041EB00	2_2_0041EB00
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0045C130	2_2_0045C130
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004541D0	2_2_004541D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00470260	2_2_00470260
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004682D0	2_2_004682D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00478510	2_2_00478510
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00488670	2_2_00488670
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0045C600	2_2_0045C600
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00458760	2_2_00458760
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0045C830	2_2_0045C830
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00420CA0	2_2_00420CA0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00458F50	2_2_00458F50
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0045D270	2_2_0045D270
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00429290	2_2_00429290
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0044D35D	2_2_0044D35D
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004455D0	2_2_004455D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0046D770	2_2_0046D770
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0044D8C2	2_2_0044D8C2
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004618B0	2_2_004618B0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00481940	2_2_00481940
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004B59AC	2_2_004B59AC
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00469A50	2_2_00469A50
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00461D2E	2_2_00461D2E
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0044DE20	2_2_0044DE20
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00461F7E	2_2_00461F7E
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00431FB0	2_2_00431FB0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00422180	2_2_00422180
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0045A3D0	2_2_0045A3D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004AE55A	2_2_004AE55A
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004AA7E6	2_2_004AA7E6
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0044A900	2_2_0044A900
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00462A90	2_2_00462A90
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0046EAB0	2_2_0046EAB0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0045AC10	2_2_0045AC10
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0044AC30	2_2_0044AC30
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0044ADC0	2_2_0044ADC0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00462DC0	2_2_00462DC0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0046EF50	2_2_0046EF50
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0042AFF0	2_2_0042AFF0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0047EFF0	2_2_0047EFF0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00497100	2_2_00497100
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0045B129	2_2_0045B129
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0049B220	2_2_0049B220
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0044F230	2_2_0044F230
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00447410	2_2_00447410
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00497490	2_2_00497490
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004A34B0	2_2_004A34B0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0045B5E6	2_2_0045B5E6
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0046F680	2_2_0046F680
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0046B740	2_2_0046B740
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00457760	2_2_00457760
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00497800	2_2_00497800
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00467830	2_2_00467830
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0045B8D1	2_2_0045B8D1
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0046F900	2_2_0046F900
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0045BA84	2_2_0045BA84
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00437C40	2_2_00437C40
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0046BCC0	2_2_0046BCC0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0045BCFE	2_2_0045BCFE
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00457CA0	2_2_00457CA0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00453EC0	2_2_00453EC0
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Code function: 3_2_00F06076	3_2_00F06076
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Code function: 3_2_00F06D00	3_2_00F06D00

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\AutoIt3\Au3Check.exe A3C4641D4CB4608AF18CD06E4C01339C65C25B9289F0AA01CABE0E5C250A0E15

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: String function: 004A4DF8 appears 137 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: String function: 00453680 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: String function: 004B36EC appears 36 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: String function: 0047E290 appears 141 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: String function: 004B4A6C appears 59 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: String function: 004A2014 appears 88 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: String function: 004A2E8B appears 46 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: String function: 00453900 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: String function: 004534F0 appears 79 times

Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 1384

Source: MyProg.exe.3.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: #U65b0#U7248#U7f51#U5173.exe	Binary or memory string: OriginalFilename vs #U65b0#U7248#U7f51#U5173.exe
Source: #U65b0#U7248#U7f51#U5173.exe, 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamenedwp.exe0 vs #U65b0#U7248#U7f51#U5173.exe

Source: #U65b0#U7248#U7f51#U5173.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 2.2.#U65b0#U7248#U7f51#U5173.exe.54b573.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Ramnit_May19_1 date = 2019-05-31, hash1 = d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3, author = Florian Roth, description = Detects Ramnit malware, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 5.0.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Ramnit_May19_1 date = 2019-05-31, hash1 = d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3, author = Florian Roth, description = Detects Ramnit malware, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 6.0.DesktopLayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Ramnit_May19_1 date = 2019-05-31, hash1 = d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3, author = Florian Roth, description = Detects Ramnit malware, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Source: gXhmKFnw.exe.2.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: gXhmKFnw.exe.2.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: gXhmKFnw.exe.2.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: MpCmdRun.exe2.0.dr	Binary string: IdImageFileNameFirst Resource TypeTypeScan SourceFirst Resource PathEngineIdResource CountReasonProcessMessagePIDStartStopDataIsSignedFile\Device\\\?\\FI_UNKNOWN\drivers\error: invalid data: System Windows path changed during the trace from "%ls" to "%ls"
Source: msedge.exe.9.dr	Binary string: @g_interceptionsntdll.dllg_originals\Device\\/?/?\\??\ntdll.dllRtlInitUnicodeStringntdll.dll\KnownDllsDeriveRestrictedAppContainerSidFromAppContainerSidAndRestrictedNameuserenvchromeInstallFileslpacChromeInstallFilesmediaFoundationCdmFileslpacMediaFoundationCdmDatalpacEdgeWdagCommslpacChromeNetworkSandboxKeyg_handles_to_close
Source: msedge.exe.9.dr	Binary string: \\.\\Device\DeviceApi\Device\DeviceApi\CMApintdll.dllHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_PERFORMANCE_TEXTHKEY_PERFORMANCE_NLSTEXTHKEY_CURRENT_CONFIGHKEY_DYN_DATA\Device\\Device\HarddiskVolume

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@55/271@11/4

Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe

Code function: 3_2_00F0119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

3_2_00F0119F

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe

Code function: 5_2_004027E0 GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,

5_2_004027E0

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe

Code function: 2_2_004B41E0 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,

2_2_004B41E0

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe

File created: C:\Program Files (x86)\Microsoft\pxF5CF.tmp

Jump to behavior

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7060
Source: C:\Windows\svchost.com	Mutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush. svchost.com n X . t N t h ` T 5 @
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Mutant created: \Sessions\1\BaseNamedObjects\KyUffThOkYwRRtgPP

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe

File created: C:\Users\user\AppData\Local\Temp\3582-490

Jump to behavior

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: integrator.exe.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: #U65b0#U7248#U7f51#U5173.exe	ReversingLabs: Detection: 97%
Source: #U65b0#U7248#U7f51#U5173.exe	Virustotal: Detection: 90%

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe

File read: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe "C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe"
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe "C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Process created: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Process created: C:\Program Files (x86)\Microsoft\DesktopLayer.exe "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10454
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe --from-ie-to-edge=3 --ie-frame-hwnd=10454
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe -new
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10454
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=10454
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=2112,i,18150823197177763783,15696018199099908702,262144 /prefetch:3
Source: unknown	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10454 --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=10454 --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2708 --field-trial-handle=2664,i,14214771295167982172,2696686499744709149,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5868 --field-trial-handle=2664,i,14214771295167982172,2696686499744709149,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 1384
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe "C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Process created: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Process created: C:\Program Files (x86)\Microsoft\DesktopLayer.exe "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10454	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new	Jump to behavior
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe --from-ie-to-edge=3 --ie-frame-hwnd=10454
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10454
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe -new
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=10454
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=2112,i,18150823197177763783,15696018199099908702,262144 /prefetch:3
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=10454 --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2708 --field-trial-handle=2664,i,14214771295167982172,2696686499744709149,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5868 --field-trial-handle=2664,i,14214771295167982172,2696686499744709149,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\svchost.com	Section loaded: apphelp.dll
Source: C:\Windows\svchost.com	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\svchost.com	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: uxtheme.dll
Source: C:\Windows\svchost.com	Section loaded: uxtheme.dll
Source: C:\Windows\svchost.com	Section loaded: uxtheme.dll

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: #U65b0#U7248#U7f51#U5173.exe

Static file information: File size 1254400 > 1048576

Source:	Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
Source:	Binary string: mpextms.pdb source: mpextms.exe0.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\iecontentservice.pdbb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: IEContentService.exe.9.dr
Source:	Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController64.exe.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoev.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdbOGP source: msedge.exe.9.dr
Source:	Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdb source: MicrosoftEdgeComRegisterShellARM64.exe.9.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb source: OLicenseHeartbeat.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\msohtmed.pdb source: MSOHTMED.EXE.9.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdb source: msedge.exe.9.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x64\ship\postc2rcross\x-none\msoxmled.pdb source: MSOXMLED.EXE.9.dr
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source:	Binary string: r.pdb source: AppSharingHookController64.exe.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController64.exe.9.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\onenote.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: ONENOTE.EXE.9.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x64\ship\postc2rcross\x-none\msoxmled.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSOXMLED.EXE.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.0.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: VC_redist.x64.exe.0.dr
Source:	Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr, MpCmdRun.exe2.0.dr
Source:	Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdbh source: MicrosoftEdgeComRegisterShellARM64.exe.9.dr
Source:	Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb source: msoev.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\onenote.pdb source: ONENOTE.EXE.9.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OLicenseHeartbeat.exe.0.dr
Source:	Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr, MpCmdRun.exe2.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.0.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\iecontentservice.pdb source: IEContentService.exe.9.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.0.dr
Source:	Binary string: lper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source:	Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\msohtmed.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSOHTMED.EXE.9.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
Source:	Binary string: mpextms.pdbGCTL source: mpextms.exe0.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe

Unpacked PE file: 3.2.gXhmKFnw.exe.f00000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe

Code function: 2_2_0054B006 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateMutexA,GetLastError,ReleaseMutex,CloseHandle,GetModuleFileNameA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,FreeLibrary,

2_2_0054B006

Source: initial sample

Static PE information: section where entry point is pointing to: }uu

Source: #U65b0#U7248#U7f51#U5173.exe.0.dr	Static PE information: section name: .rmnet
Source: #U65b0#U7248#U7f51#U5173.exe.0.dr	Static PE information: section name: }uu
Source: gXhmKFnw.exe.2.dr	Static PE information: section name: .aspack
Source: gXhmKFnw.exe.2.dr	Static PE information: section name: .adata
Source: Uninstall.exe.3.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.3.dr	Static PE information: section name: PELIB
Source: MyProg.exe.3.dr	Static PE information: section name: Y\|uR

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004A4DF8 push eax; ret	2_2_004A4E16
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004A2830 push eax; ret	2_2_004A285E
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Code function: 3_2_00F01638 push dword ptr [00F03084h]; ret	3_2_00F0170E
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Code function: 3_2_00F06014 push 00F014E1h; ret	3_2_00F06425
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Code function: 3_2_00F02D9B push ecx; ret	3_2_00F02DAB
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Code function: 3_2_00F0600A push ebp; ret	3_2_00F0600D
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 5_3_0058067A push eax; ret	5_3_005822AF
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 5_3_0058178F push eax; ret	5_3_005822AF
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 5_2_0058178F push eax; ret	5_2_005822AF
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_3_0057067A push eax; ret	6_3_005722AF
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_3_0057178F push eax; ret	6_3_005722AF
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_2_0057178F push eax; ret	6_2_005722AF

Source: #U65b0#U7248#U7f51#U5173.exe.0.dr	Static PE information: section name: .rmnet entropy: 7.772389879460622
Source: gXhmKFnw.exe.2.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.3.dr	Static PE information: section name: EpNuZ entropy: 6.93520302699766
Source: MyProg.exe.3.dr	Static PE information: section name: Y\|uR entropy: 6.935341914898183

Persistence and Installation Behavior

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2293751786.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173.exe PID: 6048, type: MEMORYSTR

Yara detected Ramnit

Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1508242032.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1513070709.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 3988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 5620, type: MEMORYSTR

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe			Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe			Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Executable created and started: C:\Windows\svchost.com

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Windows\svchost.com

File created: C:\Windows\directx.sys

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Windows\svchost.com	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to dropped file

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Boot Survival

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2293751786.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173.exe PID: 6048, type: MEMORYSTR

Yara detected Ramnit

Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1508242032.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1513070709.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 3988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 5620, type: MEMORYSTR

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Yara detected Ramnit

Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1508242032.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1513070709.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 3988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 5620, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0041EB00 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,KiUserCallbackDispatcher,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus,	2_2_0041EB00
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00428040 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow,	2_2_00428040
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_0049C340 IsIconic,GetWindowPlacement,GetWindowRect,	2_2_0049C340
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00424360 IsIconic,IsZoomed,	2_2_00424360
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00423C90 DestroyIcon,IsWindowVisible,IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMenu,DeleteMenu,GetSystemMenu,	2_2_00423C90

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe

Code function: 5_2_00401848 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00401848

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe

API coverage: 4.3 %

Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe

Code function: 3_2_00F01718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00F01754h

3_2_00F01718

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00420690 FindNextFileA,FindClose,FindFirstFileA,FindClose,	2_2_00420690
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00428A20 FindFirstFileA,FindClose,	2_2_00428A20
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_00415190 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	2_2_00415190
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004B3B58 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	2_2_004B3B58
Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	Code function: 3_2_00F029E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	3_2_00F029E2
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 5_2_004011DF FindFirstFileA,FindClose,	5_2_004011DF
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 6_2_004011DF FindFirstFileA,FindClose,	6_2_004011DF

Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe

Code function: 3_2_00F02B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

3_2_00F02B8C

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior

Source: Amcache.hve.24.dr	Binary or memory string: VMware
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.24.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.24.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.24.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.24.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.24.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.24.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: gXhmKFnw.exe, 00000003.00000002.2750050685.000000000123B000.00000004.00000020.00020000.00000000.sdmp, gXhmKFnw.exe, 00000003.00000002.2750050685.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, gXhmKFnw.exe, 00000003.00000002.2750050685.0000000001262000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2750571012.0000023982637000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2751893927.00000239FDE21000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFDF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.24.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.24.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.24.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.24.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.24.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.24.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.24.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.24.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.24.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.24.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.24.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.24.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.24.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.24.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: #U65b0#U7248#U7f51#U5173.exe, 00000002.00000002.2750251357.000000000066E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
Source: Amcache.hve.24.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	API call chain: ExitProcess graph end node

Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe

2_2_0054B006

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe

Code function: 2_2_0055A044 mov eax, dword ptr fs:[00000030h]

2_2_0055A044

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe

Code function: 2_2_004463B0 GetProcessHeap,OleInitialize,GetModuleFileNameA,SetCurrentDirectoryA,LoadCursorA,GetStockObject,GetCurrentThreadId,

2_2_004463B0

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004AD202 SetUnhandledExceptionFilter,		2_2_004AD202
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe	Code function: 2_2_004AD214 SetUnhandledExceptionFilter,		2_2_004AD214

HIPS / PFW / Operating System Protection Evasion

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe			Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe			Jump to dropped file

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe "C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe"			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10454

Source: AutoIt3_x64.exe.0.dr

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe

Code function: 2_2_004A3F30 GetLocalTime,GetSystemTime,GetTimeZoneInformation,

2_2_004A3F30

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe

Code function: 2_2_004AD44C GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

2_2_004AD44C

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe

Code function: 2_2_004BDB9F GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,

2_2_004BDB9F

Source: Amcache.hve.24.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.24.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.24.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.com, 00000009.00000002.2293736056.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|sers\All Users\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: Amcache.hve.24.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.24.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: gXhmKFnw.exe PID: 7060, type: MEMORYSTR

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2293751786.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173.exe PID: 6048, type: MEMORYSTR

Yara detected Ramnit

Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1508242032.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1513070709.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 3988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 5620, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: gXhmKFnw.exe PID: 7060, type: MEMORYSTR

Yara detected Ramnit

Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.404031.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.DesktopLayer.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1508242032.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1513070709.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 3988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 5620, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe

Code function: 2_2_00433F50 socket,htonl,htons,bind,listen,WSAAsyncSelect,

2_2_00433F50

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	13 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	21 Input Capture	12 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 Windows Service	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Windows Service	4 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	12 Process Injection	12 Software Packing	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	322 Masquerading	Cached Domain Credentials	3 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#U65b0#U7248#U7f51#U5173.exe	97%	ReversingLabs	Win32.Virus.Neshuta
#U65b0#U7248#U7f51#U5173.exe	90%	Virustotal		Browse
#U65b0#U7248#U7f51#U5173.exe	100%	Avira	W32/Delf.I
#U65b0#U7248#U7f51#U5173.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	97%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	94%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Uninstall.exe	97%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	100%	ReversingLabs	Win32.Virus.Neshuta

Source	Detection	Scanner	Label
http://openimage.interpark.com/interpark.icodz	0%	Avira URL Cloud	safe
http://search.msn.co.jp/results.aspx?q=%7BsearchTerms%7D&FORM=AS6	0%	Avira URL Cloud	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://suche.aol.de/C	0%	Avira URL Cloud	safe
http://search.chol.com/favicon.ico	0%	Avira URL Cloud	safe
http://search.nifty.com/d	0%	Avira URL Cloud	safe
http://msk.afisha.ru/	0%	Avira URL Cloud	safe
http://img.shopzilla.com/shopzilla/shopzilla.ico~	0%	Avira URL Cloud	safe
http://www.ya.com/favicon.ico	0%	Avira URL Cloud	safe
http://suche.freenet.de/favicon.icol	0%	Avira URL Cloud	safe
http://www.pchome.com.tw/favicon.ico	0%	Avira URL Cloud	safe
http://browse.guardian.co.uk/favicon.ico	0%	Avira URL Cloud	safe
http://www.paginasamarillas.es/favicon.icoo	0%	Avira URL Cloud	safe
http://search.rediff.com/favicon.icoG	0%	Avira URL Cloud	safe
http://google.pchome.com.tw/	0%	Avira URL Cloud	safe
http://search.sify.com/	0%	Avira URL Cloud	safe
http://home.altervista.org/favicon.icod	0%	Avira URL Cloud	safe
http://search.lycos.com/favicon.icoK	0%	Avira URL Cloud	safe
http://search.auction.co.kr/?	0%	Avira URL Cloud	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://www.servicios.clarin.com/	0%	Avira URL Cloud	safe
http://search.orange.co.uk/favicon.ico	0%	Avira URL Cloud	safe
http://service2.bfast.com/	0%	Avira URL Cloud	safe
http://ariadna.elmundo.es/	0%	Avira URL Cloud	safe
http://search.goo.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://search.gismeteo.ru/	0%	Avira URL Cloud	safe
http://search.gamer.com.tw/favicon.ico1	0%	Avira URL Cloud	safe
http://search.goo.ne.jp/p	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chrome.cloudflare-dns.com	162.159.61.3	true	false		high
ddos.dnsnb8.net	44.221.84.105	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mercadolivre.com.br/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.merlin.com.pl/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://openimage.interpark.com/interpark.icodz	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://img.shopzilla.com/shopzilla/shopzilla.ico~	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dailymail.co.uk/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.books.com.tw/=	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.nifty.com/d	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	msedge.exe.9.dr	false		high
http://fr.search.yahoo.com/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://in.search.yahoo.com/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation=ItemSea	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=%7BsearchTerms%7D&FORM=AS6	iexplore.exe, 00000007.00000002.2752485717.00000239FFF98000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://msk.afisha.ru/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://busca.igbusca.com.br//app/static/images/favicon.ico	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://suche.freenet.de/favicon.icol	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://suche.aol.de/C	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	AutoIt3_x64.exe.0.dr	false		high
http://www.ya.com/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.etmall.com.tw/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://it.search.dada.net/favicon.ico	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.hanafos.com/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cgi.search.biglobe.ne.jp/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.msn.co.jp/results.aspx?q=	iexplore.exe, 00000007.00000002.2752485717.00000239FFF98000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	false		high
http://buscar.ozu.es/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ask.com/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.live.com/results.aspx?FORM=SOLTDF&q=	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.google.it/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.auction.co.kr/	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.amazon.de/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.paginasamarillas.es/favicon.icoo	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://sads.myspace.com/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://list.taobao.com/browse/search_visual.htm?n=15&q=	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.pchome.com.tw/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://browse.guardian.co.uk/favicon.ico	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rakuten.co.jp/favicon.icod	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.pchome.com.tw/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.google.de/_	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rambler.ru/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://uk.search.yahoo.com/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.rediff.com/favicon.icoG	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.univision.com/favicon.icoO	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ozu.es/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://openimage.interpark.com/interpark.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.gmarket.co.kr/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.nifty.com/	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.google.si/	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.soso.com/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.lycos.com/favicon.icoK	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.altervista.org/favicon.icod	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.auction.co.kr/?	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://busca.orange.es/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.target.com/	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.google.co.in/#	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.orange.co.uk/favicon.ico	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iask.com/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.centrum.cz/favicon.ico	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://service2.bfast.com/	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/8	Aut2exe.exe.0.dr	false		high
http://ariadna.elmundo.es/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.news.com.au/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cdiscount.com/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.tiscali.it/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://it.search.yahoo.com/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ceneo.pl/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.servicios.clarin.com/	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.daum.net/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.kkbox.com.tw/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.goo.ne.jp/favicon.ico	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.msn.com/results.aspx?q=	iexplore.exe, 00000007.00000002.2752485717.00000239FFF30000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2751893927.00000239FDE96000.00000004.00000020.00020000.00000000.sdmp	false		high
http://list.taobao.com/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.goo.ne.jp/p	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.taobao.com/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.etmall.com.tw/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ie.search.yahoo.com/os?command=	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cnet.com/favicon.ico	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.linternaute.com/favicon.ico	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.amazon.co.uk/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cdiscount.com/favicon.ico	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.asharqalawsat.com/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.google.fr/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.live.com/results.aspx?FORM=IEFM1&q=	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.gismeteo.ru/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://busca.uol.com.br/$	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rtl.de/	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.soso.com/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.univision.com/favicon.ico	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.ipop.co.kr/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.auction.co.kr/auction.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.orange.fr/	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/commonhttps://login.windows.netDBSFetcher::CreateRequestHeader	OLicenseHeartbeat.exe.0.dr	false		high
http://video.globo.com/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.google.co.uk/	iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://search.gamer.com.tw/favicon.ico1	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://buscador.terra.com/favicon.ico	iexplore.exe, 00000007.00000002.2750401782.0000023980A80000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000007.00000002.2752485717.00000239FFFB2000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
44.221.84.105	ddos.dnsnb8.net	United States	14618	AMAZON-AESUS	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558250
Start date and time:	2024-11-19 09:06:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	#U65b0#U7248#U7f51#U5173.exe renamed because original name is a hash value
Original Sample Name:	.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@55/271@11/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 46 Number of non-executed functions: 254
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.89.167, 2.23.209.187, 2.23.209.133, 2.23.209.185, 2.23.209.132, 2.23.209.135, 2.23.209.189, 2.23.209.193, 2.23.209.130, 2.23.209.186, 13.107.42.16, 204.79.197.239, 13.107.21.239, 142.250.186.174, 204.79.197.200, 20.42.65.92
Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, e11290.dspg.akamaiedge.net, go.microsoft.com, e86303.dscx.akamaiedge.net, clients2.google.com, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, config-edge-skype.l-0007.l-msedge.net, l-0007.l-msedge.net, ieonline.microsoft.com, config.edge.skype.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, edge.microsoft.com, any.edge.bing.com, onedsblobprdeus17.eastus.cloudapp.azure.com, l-0007.config.skype.com, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, clients.l.google.com, dual-a-0036.a-msedge.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.61.3	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	FRSSDE.exe	Get hash	malicious	Remcos	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	Unlock_Tool_v2.6.5.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
239.255.255.250	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	https://192381.clicks.goto-9.net/track/click?u=3634028&p=3139323338313a323a323a303a303a30&s=9805e720a8572b6bbbb06f2979714af5&m=5819	Get hash	malicious	Unknown	Browse
	https://blacksaltys.com	Get hash	malicious	Unknown	Browse
	https://packedbrick.com	Get hash	malicious	Unknown	Browse
	https://recociese.za.com/wpcones/excel.html	Get hash	malicious	Unknown	Browse
	https://sp792669.sitebeat.crazydomains.com	Get hash	malicious	Unknown	Browse
	NTS_eTaxInvoice.html	Get hash	malicious	Unknown	Browse
	https://gmailnliz19.ebtrk3.com/openurl?lid=5808098873966592&nid=4863316211269632&c=&s=&ci=&e_id=	Get hash	malicious	Unknown	Browse
	https://fixedzip.oss-ap-southeast-5.aliyuncs.com/replace.txt	Get hash	malicious	Unknown	Browse
	http://178.215.224.252/v10/ukyh.php	Get hash	malicious	Unknown	Browse
44.221.84.105	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	hehckyov.biz/of
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	hehckyov.biz/sdgvcmfo
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	gahyhiz.com/login.php
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	vocyzit.com/login.php
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	vocyzit.com/login.php
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	gadyciz.com/login.php
	arxtPs1STE.exe	Get hash	malicious	Simda Stealer	Browse	vocyzit.com/login.php
	Z8eHwAvqAh.exe	Get hash	malicious	Simda Stealer	Browse	gahyhiz.com/login.php
	WlCVLbzNph.exe	Get hash	malicious	Simda Stealer	Browse	gadyciz.com/login.php
	Bpfz752pYZ.exe	Get hash	malicious	Simda Stealer	Browse	vocyzit.com/login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	FRSSDE.exe	Get hash	malicious	Remcos	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	Unlock_Tool_v2.6.5.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	162.159.61.3
ddos.dnsnb8.net	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse	44.221.84.105
	ib.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	1hdqYXYJkr.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(193).exe	Get hash	malicious	Bdaejec, Stealc	Browse	44.221.84.105
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(212).exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(216).exe.dll	Get hash	malicious	Bdaejec, Sality	Browse	44.221.84.105
	A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.81.208
	https://gmailnliz19.ebtrk3.com/openurl?lid=5808098873966592&nid=4863316211269632&c=&s=&ci=&e_id=	Get hash	malicious	Unknown	Browse	104.21.92.214
	Swift copy.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.188.199
	https://fixedzip.oss-ap-southeast-5.aliyuncs.com/replace.txt	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	104.21.85.146
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.188.199
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
CLOUDFLARENETUS	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.81.208
	https://gmailnliz19.ebtrk3.com/openurl?lid=5808098873966592&nid=4863316211269632&c=&s=&ci=&e_id=	Get hash	malicious	Unknown	Browse	104.21.92.214
	Swift copy.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.188.199
	https://fixedzip.oss-ap-southeast-5.aliyuncs.com/replace.txt	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	104.21.85.146
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.188.199
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
AMAZON-AESUS	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	owari.mips.elf	Get hash	malicious	Unknown	Browse	44.194.145.154
	owari.sh4.elf	Get hash	malicious	Unknown	Browse	34.234.216.71
	owari.mpsl.elf	Get hash	malicious	Unknown	Browse	54.139.242.167
	owari.x86.elf	Get hash	malicious	Unknown	Browse	18.232.119.218
	mips.elf	Get hash	malicious	Mirai	Browse	54.10.208.229
	https://uymtnxoiutrbebdxcfngvhbjnklijuygtfbrdxevfcgvhbjn.b-cdn.net/updatinggeneral004/index.html?b=Y3VzdG9tZXJzZXJ2aWNldGVhbUB3YWl0cm9zZS5jby51aw==	Get hash	malicious	Unknown	Browse	54.221.78.146
	https://uymtnxoiutrbebdxcfngvhbjnklijuygtfbrdxevfcgvhbjn.b-cdn.net/updatinggeneral004/index.html?b=Y3VzdG9tZXJzZXJ2aWNldGVhbUB3YWl0cm9zZS5jby51aw==	Get hash	malicious	Unknown	Browse	54.221.78.146
	phish_alert_sp1_1.0.0.0(1).eml	Get hash	malicious	KnowBe4	Browse	3.221.71.218
	phish_alert_sp1_1.0.0.0.eml	Get hash	malicious	Unknown	Browse	52.6.56.188

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\AutoIt3\Au3Check.exe	OXrZ6fj4Hq.exe	Get hash	malicious	Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm	Browse
	svchost.exe	Get hash	malicious	Neshta, XWorm	Browse
	Botkiller.exe	Get hash	malicious	Neshta, Njrat	Browse
	dump.exe	Get hash	malicious	Neshta	Browse
	ORDER_SL.EXE.exe	Get hash	malicious	AgentTesla, Neshta	Browse
	Build.exe	Get hash	malicious	DBatLoader, Neshta	Browse
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse
	x.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse
	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	275560
Entropy (8bit):	6.292868175467042
Encrypted:	false
SSDEEP:	3072:zr8WDrCoP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0BwOvO9:Puo4VQjVsxyItKQNhigibKCM
MD5:	5BFFBD5E0AC5D8C8E8F7257912599415
SHA1:	5A9F6AB857410BB9F3108A5A6ACF8A7EBA58361F
SHA-256:	A3C4641D4CB4608AF18CD06E4C01339C65C25B9289F0AA01CABE0E5C250A0E15
SHA-512:	D576DEE2BF7C66293758F07B2A19B8659BA5A65D2FA9C05BA254008F30B46447871FC66B7DED6AD6796B34FB91406F17536DF6E8E2465723138A31A9C8DA5B36
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Joe Sandbox View:	Filename: OXrZ6fj4Hq.exe, Detection: malicious, Browse Filename: svchost.exe, Detection: malicious, Browse Filename: Botkiller.exe, Detection: malicious, Browse Filename: dump.exe, Detection: malicious, Browse Filename: ORDER_SL.EXE.exe, Detection: malicious, Browse Filename: Build.exe, Detection: malicious, Browse Filename: F.exe, Detection: malicious, Browse Filename: x.exe, Detection: malicious, Browse Filename: java_update.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	217704
Entropy (8bit):	6.601006983838455
Encrypted:	false
SSDEEP:	3072:zr8WDrC7xFVaK4T6fWSlXe0lJQafeyrR0kr/yh5DEU/Pk13TfwqiTP0McBUNnUxW:PuV2K4TSFo5Y683TdiQMcGNUl4N
MD5:	633E57697FE20B13A19E565EFB15550B
SHA1:	4D789F99FD6D9E3024E2E1A35922E875E5F3F113
SHA-256:	55075BDACF914AF03AD6CD417AFFC3A604A73AFD3D06A2256A1835CBF0F39B5E
SHA-512:	8C49A2C57A51C209E1B032C554AB2251F3DB6FA8FE0609B9EFE9A60412C9018A90B22F61D9027895432FC3615DB54A25DCD55CF5210BFAD7C73B3CF5906A15DB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	237160
Entropy (8bit):	6.436536629191244
Encrypted:	false
SSDEEP:	3072:zr8WDrCIyRnuBGwl/1Gc9QnvGqyWQ93kr/yh5DEU/P5kP0zU35iuvQBUeGMLu:Pu7l3wdYtcH9b5Y651zU77Ea
MD5:	80D5957764641A059A246ACC3B876FD8
SHA1:	379F4A825CF3B9EA2CBF96D0AFAA6F5192BE25A0
SHA-256:	B904C8888CD019FAD590E1135E917D944BC16340757BC90DDD3511359766B8BB
SHA-512:	4FE0AECD7F5B44FA5AC52165C566EEE57145AAA2AF59FBB449B7629511C3A727F09E3A91082DE7845490329619C90CA4ACAF4094CFD7888A97B7FBE1F70A7EAB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1675872
Entropy (8bit):	7.454506618256521
Encrypted:	false
SSDEEP:	24576:PC51xB6B9YNgqe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+l:YK0eqkSR7Xgo4TiRPnLWvJY
MD5:	14FA88A275AB539403725314719128FA
SHA1:	2008F40C314CAE10B55206801AA1B1610F0A872F
SHA-256:	15D3823B1CB8C10E2F0A0882BC273093742E957F0E7DB05B98B8FF020897559D
SHA-512:	61CB80AD2D4D2E7AC85AADA0E97C5E9596F9AB26473EBDBB911D139BCD7E5EFA60F67B0D7EDAD98E9BBAD9C3E460082D06EBFBC045F536C786F3E98E53C28E23
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1841760
Entropy (8bit):	7.347582112627405
Encrypted:	false
SSDEEP:	24576:tEeK2NocwiN/jc41p3qp11JsqbhOUe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+i:PfYP1JsEDkSR7Xgo4TiRPnLWvJD
MD5:	B7EAC627FCC70BC9F0368BA3D63DCCFC
SHA1:	553FEDAA430E83E64650D0BEE5062D4DA2CBF07D
SHA-256:	1DC472EF534923F12EFCA5AE928CC3E8545D1E468F905E693DF88D241C614A46
SHA-512:	1556951F835F60830738084CB17639BAC7F1E9DF6592F0F4D3D66365924C0395164CA76DC8F8D8E1AE0847E316D702D96D2D6152B62B69D29ADE3681566102D7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346624
Entropy (8bit):	7.902529878602557
Encrypted:	false
SSDEEP:	6144:PuEpXDXz7yIrozs0WuNd3ojusBdgnNW6r4F53ttuGENGFdVCLEYnPO1D7YYoSyZV:59zGImAjJdcH4j3ttzFdVCLNSfHoSWCG
MD5:	49D006F81FC856B0ED3A6744396C6E82
SHA1:	9285A78391AA44520B5134F5EA46BD7FC4E01A2E
SHA-256:	FE301BD4EE2124BA25B1CE60C9BC9A7604089514C8A5CFE72F6E1AB2A17A8F1D
SHA-512:	3EB2D67DD36230C6468D2810E13EE7FCF25D84E5D099612F803C4F2AF309724FCC1896034A124DDFDA35FBB401DBC5D1030D87F4BF4F08FFDCD1682F0BA1A634
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 94%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	165976
Entropy (8bit):	6.135299341821214
Encrypted:	false
SSDEEP:	3072:zr8WDrCovkvQ4gXIRSG+7IJqC3CJyoDjpBnjkP0XGx2SYg+b/Q+y1s3:PugnGZLknnj1X62SYdb4I
MD5:	BA8EA53268BDE311893484210DB5D175
SHA1:	CED5F2D8D56A2E35FC12722ADA4B6F89D2D18987
SHA-256:	11B0A81DF6BB3DF63262042E1D7ACC55B057B44C9264B60F5F145A98E0FB966D
SHA-512:	B8708FB369CAD49A0B1A804C3D0E098CBD1E3B67A37D5249D84F95A29CD07381BEBEE5E81D6AC9E3B4125A784550DBE2292540CD8561321D70B3C5514AEF87C3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1113176
Entropy (8bit):	6.446467711397749
Encrypted:	false
SSDEEP:	24576:kTC6Rb6qu1PyC+NRLtpScpzbtT7pyOolKL8Sq/jrc5xaNIBg:k+6AqSPyC+NltpScpzbtvpJoMQSq/jrL
MD5:	7EED01A3E7667D1DC5E9A8F19C31A4D3
SHA1:	ABD806F0580C5B56BE794BFE44650D7641A6D71A
SHA-256:	31F7CDBC86FF5CBB03CB43D30F13DC8280997AB285BDACA68BE731BC82C5C1FC
SHA-512:	00949C67DA8561B33FD6D7B83FDDAB5B2340604FDA26737F9F24858A29D1DD54984B67EE4F25505477C4E30150EF62192515656EB70F4430E9B82E08358CFBE8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.591499141463276
Encrypted:	false
SSDEEP:	384:1F/S8XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:ycQGPL4vzZq2o9W7GsxBbPr
MD5:	D20B5434747971AECCE9CA685535A49F
SHA1:	A9408282061C7CCD9AD140CFA517DE5A5C86BA01
SHA-256:	051B0E2C088BAA1A696D2FEE8F00E25A946AEAF056B19D2702273270FEF86DA6
SHA-512:	50CD869ED5CB5E99106C48E1416A23811A0FF5B3BC300A433287EA63F70AF2FC147C55E2441E8DE77CFF39845A27EB97A8BA9BAA30A503A652FF996DF6E98382
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2430976
Entropy (8bit):	6.732827253070246
Encrypted:	false
SSDEEP:	49152:G1GSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxLQ:s4OEtwiICvYMpfw
MD5:	7506C94009134945846329F148DD038A
SHA1:	40C6D4BA38DCDAE2508F16630D1BFF4FE6786267
SHA-256:	1361DAA9F7CF74601E42D09448A6CE35660E1270D018D2A5D7E4CCD56B121358
SHA-512:	2BECBB1E3703A5535BACEAD0F601AD01FA72AFEC04332A9E7150B7476AACDBA0F7C31A809B3D5F26F67D2A4BAAC1050362EB6F8FA024E5CA4948B3E75886CB34
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Uninstall.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	113233
Entropy (8bit):	6.7789810493984115
Encrypted:	false
SSDEEP:	3072:zr8WDrCFCrMGEtajbefY/TU9fE9PEtuGCrK:PuFCrfEt+cYa6YCrK
MD5:	0FF71A744E70F7F7E1CE56FC4298E688
SHA1:	939DEB068D6BCB5BAB11AF96CF6040F26B5EDB8B
SHA-256:	3214538D265FB6BFB3A0620229FCD979A0225C0477F0FE0578FB443AE7EC4FDA
SHA-512:	0037311257AFC9CFC0E6C1439AFC8E9B9BC83CF19D7E9FF7D24292A37917F56CC95071ACF4909D4FD869C2FB4D596FBABB9CF97C7591DB079549A401132372DB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	409608
Entropy (8bit):	6.460025563791325
Encrypted:	false
SSDEEP:	6144:PuTvqF1Ged2RYbguEuFuTkdj+zRGa7JkjrXyPyMMWvpBVOaqahUqjAGT:TbgvuFuQdj+zRTJkX8yMhB3jhBAi
MD5:	83769C80EE264331DD46FBBBDB682CC9
SHA1:	F3921FFA18C7B93A262A79C1C7A1A60A88D0CBC1
SHA-256:	4D81853DFC97E32B2F03E4C1F75F41C91FD3DF73FB80B23A59484E2EEB9C264F
SHA-512:	BADED7629C0D0C40AA785AE0FFCD8D0D7037B050199B517F5BC230C6954FE7ED52E911414CB829A509966AB82CC2CD5DD8868449D2EC9E567141E9A3138C3AF4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	214512
Entropy (8bit):	6.488889881948425
Encrypted:	false
SSDEEP:	3072:zr8WDrCDGnUI/9FXK4+PoSZSb5qURwubvvnzdl1CkTlxAenDl3SoxceC76JNKjzc:PuDGUcsvZZvUmubv7hTHA8l3yROJyDI5
MD5:	F085722D23BDED9EB6D55AE1232725CC
SHA1:	19C09DFC582FE436B06B536DAC110E26F596FCC2
SHA-256:	60EAEFFA9F5182AAFAD9D945DC601590A92782AA102AEF9AE10E19088E7C6179
SHA-512:	5BDDCC02CB2D9B0B7270D3D1F1387F94A14047CCAC7810CEEBDE8357A7B2C4D5F79BDA3902CDA2BB5E25558D0D0FA44AFF3DD5846D45AD380FC58CAB364DDDD1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	568400
Entropy (8bit):	6.67219335276453
Encrypted:	false
SSDEEP:	12288:lyvTCXdXikLj2jR7trg6Qi3vYsKTU00vq:lyyLj8trn3wsq0vq
MD5:	B41B153CA4DFE9D557899142C6FDD767
SHA1:	D7310F560839E21A7968DA46E27231290B25A312
SHA-256:	FC1577451D4743DBE1B27A1828EA536522CF5C9CBE952A48F58345F53A85D72A
SHA-512:	8CE84911CA279CCB86E8D4398CEC16B00E9E29FDF25F766FC0792E71154B2A8FBC22CC8F69387A6F5EC5992AC264556A39C1B9AD940F2AA674538DC4F50502D6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1252432
Entropy (8bit):	6.763252873451025
Encrypted:	false
SSDEEP:	24576:d0n7Ubxk/uRvJqLGJLQ4a56duA/85RkV4l7/ZeoMOp:m4iwwGJra0uAUfkVy7/ZX
MD5:	9F7E59075683E964E4D6DF66A92AAF0B
SHA1:	60EE788C42034ECE4FDB47C325E4EC2BC9DF67AA
SHA-256:	D5759CFE49A74CAA1A6A7FA8DB17DE9D570F1BE8DA9FE75AB48E67076ECFF8E1
SHA-512:	077D5D9FE8102144D458283ED099DC5C2F51F90B0ECE7DABB0BDA66E9B97F6D12A83527067877A802C0AD46DA974C494DD5EF954AC494D0838DAC87ACF06BADD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	790096
Entropy (8bit):	6.745221507787877
Encrypted:	false
SSDEEP:	12288:bMvcR0D0B6PyxoxIlZwM+R6R4uFjs1Z7FMN0TzJqccvbXkN58AuimIh:/R0gB6axoCfyR6RLQRF/TzJqe58BimIh
MD5:	ECF5236F6653F2D0F55FB26B2ABE3D4F
SHA1:	60AC40919543275E088CE78F063DBA998964DFF7
SHA-256:	273F4F789C6DAB5593C5273845020DC3E172C98833E38729C9DA159C53AE5623
SHA-512:	06F844A46C9AE9B4588C167F809A1023DC88CE7853C61D1DE92841ADC7128C91CB0EC5B5F32E7E6E86C5B81D3161915767F98CF090AF19F6BE680FC1347255DC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	562776
Entropy (8bit):	6.433164069541556
Encrypted:	false
SSDEEP:	6144:PuJ0dzerObMhDGJ9UM3sunrXj9BMHmD1tYFLqY/W5R02qO7VKCy7KCzDSEBPj:BeqbWqB3sunrT9+aYFLq3ny7JSEBPj
MD5:	8DA8BD2BDE4B0EEAA83DD9B17289F169
SHA1:	284502E7ABD3A84AF988CC6D2F4EA87D08D027B6
SHA-256:	794C922912321E663916EBF1B11646CE10DBC0842E0FF68571770672FCFAB214
SHA-512:	63EEE0EEFC46141F7B94DA48F420326630C9182E4C9CEB44104CE7302832A7219D361F2F61D52CD83B9E1E81CAC1ED86C8C44C8CE805299ABA74A7FA81D235D9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	127512
Entropy (8bit):	6.330981765539028
Encrypted:	false
SSDEEP:	3072:zr8WDrCsPo10JOSdnvEhEyr1hg9uCRFRzsxeZ:Pusg1MOc81hmRFJs0Z
MD5:	A70C749F32B95B9C01A9919E8F96205D
SHA1:	7A43A28D2FCDBF663B4D61E969CD6160F1A444AC
SHA-256:	39C83EC2727FFCC589106D1AD4C7BE154C7752382C958252FF510A61F65E24C2
SHA-512:	1341ADCD4FEDA85A9425348310A2FA86A1D9AFA705ABFF7FCA2C39FDDFA9C3176239BB87553216743DCBB662211DB0E3C90B644A3CC8DEBE80CD38BBE7ACBAE7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299136
Entropy (8bit):	6.7881128883409
Encrypted:	false
SSDEEP:	6144:PuGXLYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:xXEbH0j4x7R6SvyCMqn
MD5:	BB745A9E59BFDC3FED3D6ACC5EB1969E
SHA1:	B569EF5567BF533C49F4C59441D1881726DEA540
SHA-256:	5C257F423AFD510D6EE9EAB80273CC673995F966932466C9AD74EB2AA613A892
SHA-512:	B43198FC36F9DECB3767E6888B632093550394DF5D5826540A0BBDAE711931F595B398CE59C5F4676C1FDA7953C0702D57CC98D3E18309DEA517C536AB63CCCD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299136
Entropy (8bit):	6.790537251287294
Encrypted:	false
SSDEEP:	6144:PuGkXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:xkXCs/YAh/elvhI7Wd
MD5:	57150329C07A1CCA1C715687BBD681A0
SHA1:	EA1805323441B728107A98C5C88EB1609116F70E
SHA-256:	AFB4A253B3CFEFB7FA8C8AAB7FE10060AF5A33C10147EDBA4501C5089F407023
SHA-512:	2BD0008D28BDBBBDB0F6A8D01121FFCF9A6AD18147110F100D1EB3CD7B93EC3481F8D0358E427F94D53F01764B246C54FC49F57CFDBAB1831672218197DFC444
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	437888
Entropy (8bit):	6.42435194722595
Encrypted:	false
SSDEEP:	12288:xXNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:hKiBLZ05jNTmJWExixM
MD5:	E96B5A5F7432CF95AC667CC32CAB7CE1
SHA1:	F5729409A0AD909360DD9938FE05681E8C98BEA7
SHA-256:	22345B680E235E582820160A73A5221A98550D7947DC1F22FE768C51788B3614
SHA-512:	BF03F48889EA86C4C39B32B32760FE57293D85C5E6A88D3695CF4D7F7AB23B3F4ED07588987619B084AFFB51A61B3C7404E2D8177A29EC4AF343FCBD66F7C560
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	343328
Entropy (8bit):	6.643174471027498
Encrypted:	false
SSDEEP:	6144:PutkTpB8HHvBjruphfgesnAhAOQp2EwckjQx+m8zhPLlZp3:GklinJruphfg26p2Ewix+m8Nln3
MD5:	C6DCB652B36FD0F69EF1C6C28C3F3D3E
SHA1:	B9FA38B704D6BDDA1E203422207E09D2FB49C216
SHA-256:	A2D68D17A3E61E41CD6E9389058D6A36036BEC91AFD4CF6A2F587FAF0CDCDD5B
SHA-512:	1B184AC17FDD6F28956F619CD772697EEA6684C70B4E74222BD75C58ACFF62C1BF66D9AFB840A9735A0BACD3792405E063701AA29C909EFB5F3B6DF5AF284FB3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	443680
Entropy (8bit):	6.396943856678141
Encrypted:	false
SSDEEP:	12288:z3gaHC2zUM2WJoROZVXk8hbodzbaw8x0Cx+wnx:zx5k8hb0Haw+x5x
MD5:	689EC8C9ABDBA5399058B31A494353E7
SHA1:	2940C3D9852341884ED269B06804C0383F9A6056
SHA-256:	B168963DD38A08EE00E540180FF0BB2480E72D6439C6F3E386BFDEACCC725F95
SHA-512:	AE28934023D46D5D36A894F31A0A2232DF9D968B20D7176BCD37058C13FE9B1BA41387CEBBE824BC6FAFF0ECB35354C1A69C585BC39A4468B713B9F458CCB107
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	203552
Entropy (8bit):	6.1311659126541285
Encrypted:	false
SSDEEP:	3072:zr8WDrC6aKavT/DvbEvK9aobNI2B+Nl4jz+b0atWH1TmFtotpcat8iKdlVST31Oa:Pu6aK2h9H/B+rEtiPC
MD5:	5C85C6CF32D2443AE5A7E4FAD8CB7CCF
SHA1:	D23CB4A5961CD7B7C4DA100EBE98E5A4CB8B2FCF
SHA-256:	4EBA2A6D96466D63B206E0760B4E9319D26B4458A8F030460DDE896AAF227682
SHA-512:	FBC3D48FCF80DBAA328DCDF326638C57CEF445A31FA269AF6D47BFC03E112BCD0143721C78F041A3D1C7AEAF44BE135484B33D170AA1EA550CFE5AB15242F694
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	149792
Entropy (8bit):	6.503976503009816
Encrypted:	false
SSDEEP:	3072:zr8WDrC/4vzT+PjZpsB+2h+EOXkMxJ7Rfp8K172YPrp:PulpsB+09zMH7cCxPd
MD5:	EAAD727FE492030433EBADE57325EA69
SHA1:	6008DE3C0DD2203E737A68ADB562A81DE1BD4349
SHA-256:	8294521F6F0C2936F76C92743BF193937619C13FC0CFCBE2DA1238605D07F79B
SHA-512:	803E85A412536591F05DC3C6065B84919B11460AD08DD8F5833E47C9FFA00E1D33DE6092658D219C819220B867CEFFFBED8BAF822E372E95CBD8D48AD9351DE7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	227104
Entropy (8bit):	6.2330769171298925
Encrypted:	false
SSDEEP:	6144:PuKWt9h8QlLISZWVRohcq7dvni3F8QrBA/:by9hdFIdRoGUxi35rBU
MD5:	19E917EB830D0429C0E2E8F64114212B
SHA1:	5351AA18D019E6ED9123460431B4B28A0187A065
SHA-256:	6133D3AF6F4C30C1337C63B71947056FB3A46E2A269EB4F2E996E53DD8E95754
SHA-512:	A5CFFE837ADAC6B05C3D4F413C9461BD368A7CAFC3142DD5472BE292F1D17FB74571BC05FC8204F0781138016D76085DB843EEFC787033984FB42546F8DF24D3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	264480
Entropy (8bit):	6.638998317491867
Encrypted:	false
SSDEEP:	6144:PumwCtJmRqyFmB6AOKmiMGwIAfx+iQ+FfFyLgG1da6edo:tw6JmRI6Bitwpx+iQafFykG1da6edo
MD5:	CC6410226CC9A5A311864C905A41F69D
SHA1:	C2E9C75DC6382238B2D7697576C5BB47A09AA1EF
SHA-256:	6118343C2990A8414501F08A6FC70E2888E8CDC193054E0410D5B5FF3EF63898
SHA-512:	DAE7626F1BFADCE4E9108CC20FBF84D5F86D1E9EBF7AA58B6386613C52718AF2C91ABFDD539F87297DBC2A5FB486619F4048FC831B96DC4AD924C61785AFA6AB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	149792
Entropy (8bit):	6.504334063798769
Encrypted:	false
SSDEEP:	3072:zr8WDrCz4qR8vSZksB+2hdqecER5AhC48S1m2YPrZ:Pu5ksB+0YlEXAe6QPt
MD5:	3782AA85B64BBBFD331D8170B86BCB0A
SHA1:	2FE109D8CDDC028910DC40DF789B90D8997B1557
SHA-256:	390F98A5B31D514641DFB13DDBCA0C071F4D8FD4F094C25859C98A672572B0C1
SHA-512:	D1DEBFF36BB931F544B48D611E0D513FFE7BA5A36650932F007B2C6198BDF8E4E1F253D0CCF24A25AF9066C5278EEEDA568EBA6FEE20B404377D4BB1A68253DF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299136
Entropy (8bit):	6.7881128883409
Encrypted:	false
SSDEEP:	6144:PuGXLYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:xXEbH0j4x7R6SvyCMqn
MD5:	BB745A9E59BFDC3FED3D6ACC5EB1969E
SHA1:	B569EF5567BF533C49F4C59441D1881726DEA540
SHA-256:	5C257F423AFD510D6EE9EAB80273CC673995F966932466C9AD74EB2AA613A892
SHA-512:	B43198FC36F9DECB3767E6888B632093550394DF5D5826540A0BBDAE711931F595B398CE59C5F4676C1FDA7953C0702D57CC98D3E18309DEA517C536AB63CCCD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	135808
Entropy (8bit):	6.38873877226639
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCGrmKJGyeVK7qjh3rmKPNbS7cZPxyqPEoCW/ids8nBs+s8nK:zr8WDrCGqzyutjZqMNbSgxbFrj8m
MD5:	3DFB05D09AB50A01B467398603BEADB5
SHA1:	D8A8AD789717B3E83608AE510FBFF096861DC271
SHA-256:	A4844081CA91828B55104253A954E3B073D6E762D66A4EFA8F22AF9C4D995833
SHA-512:	D6FD943FA97432F80CD81621D5186D7D6CB8F7622604278BE31CFEEBF98A46A9007E3C71F6E392B9B41563CA5BC6BD9B86AAA3D6A4CF1B148179D7692F7A9A99
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299136
Entropy (8bit):	6.790537251287294
Encrypted:	false
SSDEEP:	6144:PuGkXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:xkXCs/YAh/elvhI7Wd
MD5:	57150329C07A1CCA1C715687BBD681A0
SHA1:	EA1805323441B728107A98C5C88EB1609116F70E
SHA-256:	AFB4A253B3CFEFB7FA8C8AAB7FE10060AF5A33C10147EDBA4501C5089F407023
SHA-512:	2BD0008D28BDBBBDB0F6A8D01121FFCF9A6AD18147110F100D1EB3CD7B93EC3481F8D0358E427F94D53F01764B246C54FC49F57CFDBAB1831672218197DFC444
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	437888
Entropy (8bit):	6.42435194722595
Encrypted:	false
SSDEEP:	12288:xXNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:hKiBLZ05jNTmJWExixM
MD5:	E96B5A5F7432CF95AC667CC32CAB7CE1
SHA1:	F5729409A0AD909360DD9938FE05681E8C98BEA7
SHA-256:	22345B680E235E582820160A73A5221A98550D7947DC1F22FE768C51788B3614
SHA-512:	BF03F48889EA86C4C39B32B32760FE57293D85C5E6A88D3695CF4D7F7AB23B3F4ED07588987619B084AFFB51A61B3C7404E2D8177A29EC4AF343FCBD66F7C560
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	163456
Entropy (8bit):	6.2758220261788
Encrypted:	false
SSDEEP:	3072:zr8WDrCm446dewltB2mNd/HOrveW1dexk834fRZ5Nyc:Pum446d7T/H4X
MD5:	51117D59430CF4C0EA72319AD8930BED
SHA1:	0A7AB6E54B1F62D9FEE7F48A594AFD0E3F7ED846
SHA-256:	CE688EDA6A1F081C10E862422F2C13F24797F21D2DA248E85C0CC81D96BF3010
SHA-512:	E05E6DA3D9728F5E04F5F4D2BF9B875BEA8CCD287BA207B2469D83F49BB6AA759C608B29A107D33BF8460F71840EADAB34CB1924DA3EE8F9E5DE741FB45045BF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	127104
Entropy (8bit):	6.059161475634893
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCds8nBs5s8nBskEsz2zy77hPxIAbBsnzA3QDkrDW8Kq5ns8w:zr8WDrCwUkEsqzy7pxI8BszFJqkb
MD5:	EF3C7B1D99C49F679F1DE40119454E82
SHA1:	E3869B9D17411A1DFB49630E8E9D0A379CCA1599
SHA-256:	4ECF5FCDD95ABA50DF6137D45EDB89467D33A31347525B422AA2A9B36809233B
SHA-512:	71D00F7B07E909CE5C54FBD85DDAAC2752B6B2AE2ED76EDADB4AA07AB1F7BDF25ECD77CB1742EEBAFBFA98087A4582879D4A2D277965D3D39F9E6ADEBA9170F5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	223360
Entropy (8bit):	6.084515656741608
Encrypted:	false
SSDEEP:	3072:zr8WDrC+ySSyyXC2BZC5vHa2L8jv+UII6qS2AroAxYN35gwxcPXtxdTsVcCXFzlb:PuuSyMZOy406qS2AroAxnw6f9JCXN1
MD5:	278E935C540125EB737FF60459E06954
SHA1:	3F2F868109AB1BE159D75FE1FCB78D5AB0F39A29
SHA-256:	7DD8239708026320DC7B738BF5B1F90117475EBF88BE8DA06B99E6A3E860596F
SHA-512:	21E3181E34FCC0D304F5A8EEFA0B92B676DF815BE984792D034FEB61E3189D73020AD5B6D82A5DF2434CD97AB2D1F48AD223B7007695F0673A2ECA8803D2C825
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	203264
Entropy (8bit):	6.625450286768847
Encrypted:	false
SSDEEP:	3072:zr8WDrC6wl0hzyfN7T34oshWGrAUdaz2w9Lf0M/RHym:Pu3iFIf34hcUsz225/
MD5:	241380ED43DD374CF6415E50B83CD0BD
SHA1:	5F4F79F4DBEB1201DFC3D3A83BB1D5400D11F045
SHA-256:	D3CA30B886E1F07EC6AC3989C091EBD5E97F1196D9BD554A2546EF3B4DF61EA4
SHA-512:	D4BF86E17996171B67900847372EFECDC41E7F87621F831FD882E8DEAE49F5A45B218E375AE2347E862C438C11906E2CC67E062A0BC2D1265C968789FA8F68E4
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	209912
Entropy (8bit):	6.335658991643739
Encrypted:	false
SSDEEP:	3072:zr8WDrCUfSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:PuUfSoD7q/fji2SUKz7VHwmmtj
MD5:	0DB388DA73178AB846638C787D1DD91E
SHA1:	64D79EC424EF95DE05D484C3BDC446642552879B
SHA-256:	E71DDCCD4996D121D5C7901A367E024266727C4C713635A25B74EB0C132CD59F
SHA-512:	94288DB9B2615FDA0BD27A46EEDBDB3F8FE3E8C2B2985D2B69244B47A7369AD5F357D060DE52FD4C5E9746CF7A3343417A77476A153F49058D8F8C2E61EBFB11
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	209912
Entropy (8bit):	6.335658991643739
Encrypted:	false
SSDEEP:	3072:zr8WDrCUfSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:PuUfSoD7q/fji2SUKz7VHwmmtj
MD5:	0DB388DA73178AB846638C787D1DD91E
SHA1:	64D79EC424EF95DE05D484C3BDC446642552879B
SHA-256:	E71DDCCD4996D121D5C7901A367E024266727C4C713635A25B74EB0C132CD59F
SHA-512:	94288DB9B2615FDA0BD27A46EEDBDB3F8FE3E8C2B2985D2B69244B47A7369AD5F357D060DE52FD4C5E9746CF7A3343417A77476A153F49058D8F8C2E61EBFB11
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	264144
Entropy (8bit):	5.859978790158535
Encrypted:	false
SSDEEP:	3072:zr8WDrC2PEGT3EB2e1aWGNU6ITL85x0HRerzJ0YF6OYLy0PPDq29BA+7891:Pu2PEC0QjWGNU6ITL1H0zvjkBA+7891
MD5:	B2A0013F6770F98CD5D22419C506CD32
SHA1:	D1B9E2EBBE6255A386AFE69A9523B7D2BE1E05EA
SHA-256:	87C62BFBF6609662EE24C1B9FD1AB2CF261F68E5F1402CB7E2F6755023A29841
SHA-512:	3302A6D3AB1DC7CB725F4E0DA1A82ECEC7207C7CDF2050410625AFF4E51C17B3A38DB8630ED34E111344C66BC603C3939A46E52A3EE6E1EF282DB1E93E61036F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	472152
Entropy (8bit):	6.600268634978226
Encrypted:	false
SSDEEP:	6144:Puvmmt0fSoD7ZAOhPiURg/4KAaxZTTlvIfaUcuI4hWxBP9SGO0zyqEcu:Pmt0LDdOUO42ZdocuI4kxBgGONqE
MD5:	EA6FE0AD80B989BB3C77BC888FAB47E3
SHA1:	7249E33F90E0BFE07C1E655B547BE50C19FF26F9
SHA-256:	785DBB4ABAA69EC197BF21647CBF1A4CC02CD8451F7907285FDF828596D54BF7
SHA-512:	1D3B4411DC2C19C7D5F4B5D2E98D6FF0E0EEF8D00FC0C9662E5DD71DC0D2E1B522BA47167F26FD52A5647C1A3E4B08A88437BA1BB5535DF3B8E862DF98E21BBB
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4473576
Entropy (8bit):	6.5697251244545924
Encrypted:	false
SSDEEP:	98304:9kkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:9kkCqaE68eV+0y8E6L1
MD5:	A0E84CEDA4163F189BE5349FD432B1CB
SHA1:	204335080CD8BA8D46E52DFB29F1461D7BF84CA1
SHA-256:	9A8C97840B4745ABA6BE44CAE7DE9EC0E7960AE31E52DFDE4ACCB1C24B6C4DA7
SHA-512:	BE941C507F9A607087E96CDBA94358F4882BA231CC08E6AAE8480301A5FF82940630134F9DB780B9527F43DD83ABE5D4868759854D2517A6D6A87A26903FCC9F
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4316096
Entropy (8bit):	3.9254629343592016
Encrypted:	false
SSDEEP:	98304:jPNLniBaEJhRELqS/rhwov59SRZ5Vb9sybbsK+0rnsQ:TNLniBPJhRELqS/rhb59SRZ5Vb9sybb9
MD5:	AB9C308CB62C689AEC4171AF74B99607
SHA1:	2AFBE3B52505B17653C30E8C51A8A434BB83433D
SHA-256:	5B23BCB1EB5124A1FA7160014A7BE5A546CAFE00AE7FFFCFB19C237552281499
SHA-512:	688D62C8CC8B7E699D379FE5FDA6DC808787E11C369C5CBDFA3559E2B61B607C0AF252232775BA04C2AD082C21DBA2224E6C34E131381EDD52EF0C2539C70484
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	94600
Entropy (8bit):	6.430762305801649
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCuELjOzHKd1XI/etzCJQx0cxnIO/IOmOe:zr8WDrCuE/OTKXI/etG8ICILJ
MD5:	29065F4177E1DFFC20CF409E15644D07
SHA1:	2A506101526624DF3C693E3F9501E7FD0332A5F3
SHA-256:	A572BFF875EA91F7324C87C4966ED38AE29C87A3B999E9EEDCF82730921F1AEA
SHA-512:	611B4D7DF2C4D2B37E6C152B0416A047166B78C999B1C7A6B39D11FE73CB80BA55F4822B9503642CB289730D90A608FA08DC909A845F77A8A13C967689A3C00B
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	101496
Entropy (8bit):	6.2393274170193935
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCcvpz3ktxGvpzvy5ZWGalHFmMTK0KRTS8bOzc:zr8WDrCKToATzvmN0KRm8bOzc
MD5:	16918B2CAE1E6169BB9725597CB7383D
SHA1:	F7539B44190222E9917B3D404A1BBAE7D32D9925
SHA-256:	CB2DFD05D0EFDBEE9DA0E844020762C3124C9BDEEE868534F5E6A383FE312DD1
SHA-512:	A4DF06513B73244A4F04B1F9F38DABB1045B7D4539B0E3D7AE88304EB0554BCC7F38A4B93CDA67C538D49242AA7F3B0524A39B395DBA74E372A754DFB26E803D
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	455760
Entropy (8bit):	5.9316971297219085
Encrypted:	false
SSDEEP:	6144:Pu5wACThwS0vn9IdRsLGEJTdPA6lDfZNAGVx:SwACThwSSn2dRANtlF3j
MD5:	EE123EC97226518C7A526A514A7EA08D
SHA1:	8D53600BF398A582227F4B1B1DF6F815CC5CA046
SHA-256:	767FE1BDB52D43DB570CA6AFD1E86FA00868FE36C8B4BD69A7BEF79876D7D04E
SHA-512:	4B6E4B0EE7E22276CC638531A4151717E965E10B54874B499026383F290B4D66C48E7761C94E336B62A53972E148CD22B4AAC04B6F265BA7889EF52137CA4A7F
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	225704
Entropy (8bit):	6.245888252421863
Encrypted:	false
SSDEEP:	3072:zr8WDrCNLqB8edYkIrv6TXRw9xwqazULDjkAJZo0RAjUIqXfkRC:PuRjilq8OPwRzso6AQ5yC
MD5:	58FCC2021F6669D332B12379F34E6ABA
SHA1:	C261CF77942748482EA6423B2816071BAC404855
SHA-256:	099D81B808C4A1507092974E4C79187470FC4D5BC1049DE99B7D87D68FFD8A8D
SHA-512:	2637E583059CA760EACB66649519751191FC96FD3589DE8E17D0AC73C957D9256A50105D03727D19A1193DFB61FF1450AD65DEEA8692EF2D947051D85062E8C1
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	84928
Entropy (8bit):	6.484542699354416
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCh67wZClMML07MiapFmPRHyzMwzobtM+zf:zr8WDrCh67wZClMMQ7MiawHyzMwsL
MD5:	6E3355F8734F6DA5FAC15DF47A197B0F
SHA1:	C933D5E414F6594D61E56FEC641373E33AD3C3ED
SHA-256:	052C62D09235DDD70A3C52C7071D20711F2D4F1F7F653AEA54FB023EC2626B12
SHA-512:	1B108643E2DF6476B167E233B7A3E249A2BCB89006B3C87FEEB90FC96214B52E0BC466C010AE03ED6BECF18864F96B0D5EED6F4720A1CDA70829B4631D3917FD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83816
Entropy (8bit):	6.536836051910162
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrC+0s7wZClMML072apFmPcnGzLHyxz5pOEtmwxz5E:zr8WDrC+t7wZClMMQ72ahnGzextQyxtE
MD5:	D713C72B72F2554BC5F57573AD79C596
SHA1:	82F518A57C167F1CFE80D7D43ED28084C2D57933
SHA-256:	22CC2A1543DC27CC8F1925ACB173E34141C4FF9E1A012C572E932BB6FD91B4C1
SHA-512:	D0DCB842E46D1F372DBFF6CF1D3DEF6BA5461770400DE2BB7DFD9CB0DB35E80DC721C779E2CF8F852BA9B9EA9E5937D6C4DA31989D399107B6075C6771928486
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	233832
Entropy (8bit):	6.440520521123031
Encrypted:	false
SSDEEP:	3072:zr8WDrCqW32GhNvMQ/58sl2U2Gszlz4SNBZCgMWku:Puf2GhN0lsdspzPgg1
MD5:	605C2C89F9F2A47F991EF737877F2FB6
SHA1:	14E316AFBCA1D6590C6105B7BF76A72339C3ADEF
SHA-256:	E96F113D251169D2B4DB5F51BFBF5F20609702F7B0BEA5FEA55CD4DF71A70682
SHA-512:	506E962224D44478E14FDA6A093E861E225745E36A3B32B7BC98E337F1B492A3664AD84497ECBFB427A967D3CA0390CED92D11FD9E8EF3D7887D2D9415243D5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	502632
Entropy (8bit):	6.717621615137878
Encrypted:	false
SSDEEP:	6144:PuyWDxGH79J2VX5gEpvm7JA8I6BHAlSpFG/+Ls3ze30xB7zq2zs:0MxCvm7JK6JAB/6N30xpI
MD5:	A18560DD287C61996F6C3498FF2B6F8F
SHA1:	B81EF528445CCE2BA94A933385FAF56DA526CC25
SHA-256:	551C24CB52C55EB77300FAE5F77A9EE565848DA83A5CEBC4587C5912C94C0A92
SHA-512:	2B94CA43D2F41EE88A81121889DBCFF7B014622FFA2B3048DB7CCA1C6FB7CB3D18CCCB9F4791002E166040A658FA317E42B520D44929973E034B56B7ED9C62C9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	352704
Entropy (8bit):	6.382223038880705
Encrypted:	false
SSDEEP:	6144:PuoEshacHeGXduZtZ9zHVcI3uv7FgR3FTzWQ/ZZyp1:6sHHrtuZtPvh3FuQ/jyp1
MD5:	E517FFDADC37CBB8E4DF9D8C4595BAEB
SHA1:	CAC4F749D83EFAE571B6A581F0579F5EF0F5CFA1
SHA-256:	6B837B2B22A40521E234CE3B11A961C631927951B443DD47EF5E37E54390D907
SHA-512:	500B9C4AABEDAA1D430AE07651C65CABB226B482426960307F457B665686FB846C740B7F26EDE1C4607D8F294467547DAB8590E3C017EDDE4855F3C4934914F7
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4395184
Entropy (8bit):	5.936769631564012
Encrypted:	false
SSDEEP:	98304:eXuo5RMru45b5dZlAj0sqW7YDKMzVwgBWMTwLe7G:gR345NRAgsr7QH6h93
MD5:	79B2B70DAC7CA2C9EB315575E068755C
SHA1:	CF384F4ED6E51DC0C61853DF080F4CB38738FEA5
SHA-256:	76E95029FD569C640C864AF19AE98DFA5DEA2C6162B0BDA0137EB283A3DFA496
SHA-512:	4EEE60388342062701C05C633C1820E8A46836DFAEAEB5EEEBFC4B4104885D3A9219DFDD7012B815F66A45DF6BBE8C3EC9C1AC27E7EE56B1EFE08A6D9149DD8E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	603928
Entropy (8bit):	6.5283708663431606
Encrypted:	false
SSDEEP:	12288:/zKRgqBDxoiPCLXHLuk/Wg4Reh2mbeF+IGboJdx:rKgMxoiPoXruPi/++IvJdx
MD5:	C05D4CEB93DF5A97C92332C30BFBBEFE
SHA1:	756FE7D0F337C9434F289D4210C1FDD8AEFE3D5D
SHA-256:	C896D6442442C7A1254A64A9C1934CCD4D26A2776E8B89231F22B0E09D086A40
SHA-512:	06ED302B61C0DA6C490ADFB097A25F4C6F9D03085828CDEAE8A7AEB69769B3A41149A7645C9D198BEF862B18047B99606B5891064A0BD09C36178AFB3017EC7A
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	507024
Entropy (8bit):	6.142966147544941
Encrypted:	false
SSDEEP:	6144:Pu3yrmBq0RYSv3A5DhW15yChMFt2XTNJWLgCWzzYhPRt+:BrmBjYuALWJMn2XTmL7hPH+
MD5:	28AD0BC8CBF0F937FA0793A069EEE72C
SHA1:	190CEF5090018E9BE02DCB8D80193323449BD938
SHA-256:	2A9FBCE0BF953A54CFA2124AE4E699B981D4CB9485543F40B28CD952C65D8744
SHA-512:	478EFDF0D097B6977495FFBA953D7494FD72E98DFBFF4C70808378F2EE3FD90C79722E70698081E20540242FA005DF756857BE18BDA3EBEE5BE952BBC61A3254
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	251560
Entropy (8bit):	6.617081143188022
Encrypted:	false
SSDEEP:	6144:PuDomAAOwPcPIqk4Vsvt0uews+qZP9zOPBxGiryKI:0sAETlVsKzZPixGBKI
MD5:	6ED3FDB228C401F308ADA52D82C6A2AC
SHA1:	D5AFF2386B2708D10F68515D0D010E83CABA20E6
SHA-256:	D5A201D9C7373DD91395EA5B24985E9984F3ADA0CBAD869248EC975B80707184
SHA-512:	5431E81924400874EA1173F02B2404BB7C43E8BC158E092C43F4FA071810472E845AC76DEB7716A265A79F357BB07106D2574E3E6F5D2448761BE74F8A694493
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	751720
Entropy (8bit):	6.630099780481392
Encrypted:	false
SSDEEP:	12288:vdI8PdgELg6eaBlnjlZcTerWv+xdeFhvCs9TukINOW:va8PWELTBlZ+erw+xdeFUsUkEh
MD5:	7503967B649C070ECF4324AD7B82C67D
SHA1:	BA5AA539F9AFF806A5B83417290BF1251D24490A
SHA-256:	2C336BF005CD201043984D768114341FB8B0E8C626A11465A60DF854EF0B2984
SHA-512:	EEABBA2E510054D3A93E9EAE0563CAF46474757E9AD72F79D2D254C783345067D6D0FB46E85A631030A0242789FA3F3B918EDECC8DCC953EDF0283447C19565B
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	161968
Entropy (8bit):	6.521602439211849
Encrypted:	false
SSDEEP:	3072:zr8WDrCmNDS5lSkjITI1FeBT77NDS5lS3j+Wzy6oUSA7hZ:PumNDS5lSyFeBTfNDS5lS7zUrsZ
MD5:	B3E7C226A4A331C7E684E40A5EA2F167
SHA1:	A2DAF5332D21746897EEC7B131374026FC0A6F4E
SHA-256:	8D819080F7EF8DCD45E539C64026D93F09C51C80DBC86BE86843D09A6B5FAFA5
SHA-512:	2D2DE9E732D6E63BFB666BA7B80F6A36BF85FC56E43F6064C62BCC557D1372F29C97510304201BC3AEBF6B6FF821F3226BFFA11457D868D5430566CE260499D5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	159560
Entropy (8bit):	6.570907498262082
Encrypted:	false
SSDEEP:	3072:zr8WDrCGklWPsom9TiWWWWWWWQM+FtWAzhIwaeENinkf8xw3xUFv2tGPrtPmF:Pukb5zPaNQnBxw34Oita
MD5:	C59DC4806618B251A7D2DF183DC2F424
SHA1:	F1DC673B63BAA54B719167BAFDB33FF6C31BA67C
SHA-256:	A4817EA9A097D7F66D25BE68972A63E0C5BA7B6FF75FEA4A962C848CAFAB35B8
SHA-512:	71E9945E2E097640D4143198C13C5DBEC8340F8278306A34E017C3DE4A9BD0E88FB2C8DCF3A074935ACA32F329C440760980D1E8D47612F77958B108AE5581D0
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2233240
Entropy (8bit):	6.296579565439519
Encrypted:	false
SSDEEP:	24576:HDZgOA74U4o//sbtwvZTqFDk9sg71SmY90gh/G7QJoma+9duNGeVG29H:jqHVhTr5UmY90sGE5dIDG29H
MD5:	F1DE18FEED22A8E7630AEC79D099A8D4
SHA1:	7F500779BD5900802BE6378DDC6914D865823614
SHA-256:	34A7FBF7E86EED217C78BEB3D623DA57628EBFA8C5BC9EE2565BDAA51538A696
SHA-512:	C1EF91874D23626BAD6BB799ED2F1ED238429FA147F5EAEB955EDC51CAAD7F6325CEB6C554E3D15D598E4A54C77EF077D903FCC3DA093F0375765E68E6B40A75
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	214432
Entropy (8bit):	5.989123271366133
Encrypted:	false
SSDEEP:	3072:zr8WDrCeVFptXofXXXXXXuh9gLzltw6Q1hqOJHrtTh:PuytXofXXXXXXASLzb9uhqK
MD5:	9F2A347123D639951FEE07457AAF9843
SHA1:	7519B79067F897D426E58DB4904F02ACEF2593A8
SHA-256:	C3AA5CFB1C2128BDD9A182170F993EA252CC57A69F2568B9BE61107AFD5CB512
SHA-512:	0402D3741F1C4A22835C59CD5A944D7762C0568E836CBDE8BC7BC389C7CF784D0A0C9F8A03B44A4241F6CE2545334222046B847A2B56AD5E4E182C959AA0A090
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	620840
Entropy (8bit):	6.5831228635669286
Encrypted:	false
SSDEEP:	12288:moBdI/BUQtsfBCegl2eccL1q/xRyye7BfcwqEhDe:moM/BB0Bml2m1q/xRPCcwFC
MD5:	6892F37A015DB48C0CA5FA54DF6D7CB2
SHA1:	65B2ABD3F0868D94F913387DD198336E9EAA2B57
SHA-256:	9E7D2DCF0E2B775911356828FCD8A6DC3217031ED3E746D31DE5855238D7289B
SHA-512:	6A7222CECE8289A43290E90F118CFD452F81023420491933FEDEA439D3D6AB7FF7488F41FE99F339B51A775AA27F1A717FBBAF08FCF29DDECE0CCA459139BC6E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1568248
Entropy (8bit):	5.675085165215227
Encrypted:	false
SSDEEP:	12288:uwF+k53zCG2tIuQ6DtJQSZDhLOhkZzV5i9w/lmd+jrcUiACW:rFXG6uQ6D9L2uV50AlmsjYUiAB
MD5:	F2FEC0ED0FCF36092C073FC597FD1C55
SHA1:	42C48161899442B2DB934156B56F971ABF1E2038
SHA-256:	9A3AEEE8B7D73C4F99C36B0039840B748F0AC01B9A4A3C4B5FA2B092636C0B88
SHA-512:	A7FBA18577A07B30F7E1417B318A5904CA355F2D126A8120E22466B4FA9D028E24E03B79D661D361B6DD38DFABA1A5096634E0E36E63A7D27C396D3625A22FA0
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	634800
Entropy (8bit):	6.707249248874713
Encrypted:	false
SSDEEP:	12288:ff/4sOdw+RfEB6tuAlnWhGZco6ijmn5jFTSt7yCPUkazi7JThVoSZeR6aQTJ:X/4Vdw+Ra6V6g2kazidN6SoEVF
MD5:	566DCF1D1A91B81E2353CAD864F7C959
SHA1:	A8A04AD99971D86C04C154B62AB309DD114FDC3E
SHA-256:	B1C16EA839550EAE959FDECA318372B0FE11613F581445BB4CFB0AEA77D0FADC
SHA-512:	3D233B07750A27792370E553B03A9479390A589942FAE8A0447A2CA08C27EFC719DFC4BF51051531C605F7E247430471F38C2FB2F603C4299494136EFF0C8A82
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	748192
Entropy (8bit):	6.7117628320084215
Encrypted:	false
SSDEEP:	12288:mKxLM1deLycUTc1kZi7zb1QRHhhj7WGvF5PYcdTFtZ3G97aSDGGHrbTwqFwydBf6:myY14evTc1kZi7zb1KHL8vbTlwOBC
MD5:	A51DD395B5FF4E05F08B338BBDFAF609
SHA1:	660F1465BB464AEC6C3E6D7D1D3336DB6D5D9CF3
SHA-256:	EB23B91782FCFEB4CE7032F285E6DA040C68000CA460A7FBBE161978125EC349
SHA-512:	2370CAA42CB55AE3414ED2CC5ED8AD47BB077A581055891836C74A237FE467960AFDB78DC21B0B9461D6FAA1E27EF6F584886113D5D6CDD188B41266E47D54B5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1917048
Entropy (8bit):	3.839578576312592
Encrypted:	false
SSDEEP:	6144:PuoBeXsm81c57ZXFzY5Ucyw4TapP25xxlq4cUcMeTOMzwMwZ:TKs78A5UcyOPexxPcUcMeyvZ
MD5:	451A02B8E292FBD664B654C28C31F8B9
SHA1:	7FFA3FE4C28716A3BC2D80779BDD7F23C54F5327
SHA-256:	0C7DECF13C25A15488EF9E271A1181BBE8A36A183250997ABB1BD21D7BF097F4
SHA-512:	DB59EEFBEFD8734F2B80E314B0F4DE21EBDAA23042226FDEE4671B04A7292F0ABFD6A8E20BDFF977C39EA6FDE37FA02BE69EB2342D65A335E53748314374CDE2
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4099520
Entropy (8bit):	3.7214924488610253
Encrypted:	false
SSDEEP:	12288:jyKs7cvZIFpCYVIUN2mGsb8HtkLaHLH04cLbUBRjLmP29DyZbT9oc/m06aCzE6hE:jyKsY+dy0ZScIBqBT11S0
MD5:	2D199B2128DB10FAB5D5B9E42012C0C3
SHA1:	B62D19530CE4FE15B51617B1E3A2B7049BFB0A6F
SHA-256:	A121D7A3A63D19B05BE33BA7C2391F206E47681FA284E7CA291A5431661B67FB
SHA-512:	022EF54CDCF41E1C8FF0511D9E5AF928394213321571B1C9BF1E6B3AA1D5FB1E29061E5C191B7669F7E2A739B9746312C091D7DDD7F8882145F09FD8B346F4B3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	452120
Entropy (8bit):	6.064959023307563
Encrypted:	false
SSDEEP:	6144:Pu7vhCpFviM0OKAOVf3m+2fCz29fx8/eAeTu:CEpFVKj3mFn9q
MD5:	34D25D2E6B58568411FAD456684772FD
SHA1:	5D9146208EBD9CD2AB1A7B83D90A60205AA2EE9E
SHA-256:	1273B781FF6EE61A3C58A43AF145B03E36274A6B16297BB8A2E13164349242B2
SHA-512:	87DCB3986A415E45C274F2855EB7DA68AA3C36D7A71AC77DAE3E027018003D47BC330B2587AEE4DF7F62BEAE7B4ABB0BA5F0A672D8E0DA23CB6B066AF75BA234
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	116664
Entropy (8bit):	6.585821757768255
Encrypted:	false
SSDEEP:	3072:zr8WDrCtuGaz7jFQ68ICP5q0WISDr34W+wst:PutRazrA5q0WISDrZS
MD5:	40A8D5EE6521EA8FC13C48C47C9B57B6
SHA1:	5FB8A2379097B79DBB9B165F7C487D20DC1625F2
SHA-256:	AC909FA0CFE8E16CB2A414A4B0F0B44E0D10085ECAE1D9F53A8C202DC054154C
SHA-512:	333184A3A961A38C6F09B279B7BF1A31FA4FBB0405CD4D39075A52554ECB8A1C23454D02CA63698327C70C5AE1C32340561C0C6F33A88ABDEF544F65AD42F35E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	167392
Entropy (8bit):	6.5469411407981974
Encrypted:	false
SSDEEP:	3072:zr8WDrCcWKZbTKeR3Tzp+8IxR8jYYrjHaVLIPSL1CgNX:PucWK11Rp+8II5SLUgp
MD5:	67496215F23C3D121C3716927553975E
SHA1:	3FB19B3855F6FEDCFCEAE694DC5C28683E3653F4
SHA-256:	D0C2DF02E3DED17200DC56B693F52B47E7D960D05C6B6B5F7716997419303ECB
SHA-512:	0EB0D378F109604C568C732A197D9412A65221A4AD36889873EA3652D5D0382D40C9D5B38BD51F501E4BD55BFE2A326AE4D06F485D3129C9A2AC1C11CAFC0567
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	670928
Entropy (8bit):	6.023912988523441
Encrypted:	false
SSDEEP:	12288:+wbRB+ZRhFfGNpzX5PtiPWRnTLtx5eq4/RnYRoS2Ds+2EYR1XLlShtg7ksyST2Rz:+wbT+ZR3fGrzX5PtiPWRnTLtx5eq4/R9
MD5:	2B5B1A87C47D9C38BFA8D1F52BACF31E
SHA1:	A995A7645E47DE7EE659286613BAA71B531BB7AD
SHA-256:	2AF58E681F49488E146E626D3D94F366C5A58D0B78729D491D2688D214264A4D
SHA-512:	78F8F078E2924E7CD977F068533E98AB80AC8DBA11960BC2A5D9AB4ADC93A0A72D62A9F2D920EDA5F1D5E4C18085E6171AA9AF075C3872AFCC06B06077EF1A96
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	115920
Entropy (8bit):	6.214080793399046
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCiwyK75Rp1Ukkz2zct/rzdaBotnMuvWM6TUaE:zr8WDrCiwyK1Fiz2ir+o5vWM6TUaE
MD5:	851430DBF73C5925ED0C0AB46B4704FF
SHA1:	794C0FF390BE93A23BF28DDBE9DD26B81604BF5E
SHA-256:	F6F47F6D0027988B9DD6171C72257050C195ABDA9CE45346C01D000AD35998B1
SHA-512:	A8A081DFEB1D4491392013A1C14F95A40AB8DEF526294DD47B5F289ECC5C232D7437E4E0AA0E21A817F049F5FCD9EC7859E8A32FECE58749F89A34F6FCF83882
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	137776
Entropy (8bit):	6.525052332322423
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrC1LS+I1HtQdiHN4zbyezltnzGd1XuDxhkrTJwNZ5wmW1aHba:zr8WDrC2Mi+zWeXdswvqiHm
MD5:	27361BE6CB3788839CD6DF5A0A636A6E
SHA1:	A8D3D9E774B7D76F00D10AB28DE26BBCCBC676DB
SHA-256:	A92037FDB4FE25E454D66D24177DD12FE89FAA6F11D0CEEADC687EF824CC3DE1
SHA-512:	3E8E821A4419C45FFA5F15AE574673684B25BDF310D48ED143D2EE6DE19F32F75C7DA0B9AFAFD3C4B27136E0C8632C092E365101E31E559AF731802D38B180F9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1206680
Entropy (8bit):	4.882283973567494
Encrypted:	false
SSDEEP:	12288:Y61ZFViRpx5tuwZl4asd/arEISgX0IkEMhTy:Y61jViRTfVINdCr6gX0hEl
MD5:	F0692573BEC940B10989FB076CF592CF
SHA1:	767783B45CB33834116997839FD3FE8CC197A906
SHA-256:	5ACCAE35532575F704C11E35DE05F5EC6C3A30D56AF91C2D22510157FC131607
SHA-512:	8F0F2881459C49C2F4F2A2E74D463871C157610ACF4FDBBE48FBD14B1798FEE8820822B4A5ED32F7FE871429E91A94859EAA7FD2798062723E594CDBA1364644
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	400336
Entropy (8bit):	6.659452867927771
Encrypted:	false
SSDEEP:	12288:w1rOCPapfd5bhooUBuFiExw/LXa20Dj6EzfJ:8rfIbbhooUBu3wzXa/Dj64
MD5:	3F124E3F206A45B5250F2C1F482B2352
SHA1:	2F23D83DC65BDEE9E726FB20052F01AA53D693F0
SHA-256:	D9D8BDCD8F5BBC87F755DBD7D8D0C7EF52C98A0E3539C8D27C08D3C45888C2C0
SHA-512:	C186E181EEAB666FA4E97FA5B750394421832221B5DF740BA6985AE8EBC49EF67969FD6F429C8F6094CC94EC548CBB3E10A473EE8A2FD52FA00110B6DA44B214
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1703816
Entropy (8bit):	4.352463648958278
Encrypted:	false
SSDEEP:	6144:PubztkAzkAZqrEdrEAZUCwFjNNYEzccu:CNPqrEdrEA
MD5:	D1A7CF94234D2437F3B9FFE424CBD98E
SHA1:	6E782F7C8008DCE463F7BB51A11758E900C21D45
SHA-256:	C674C0E3F05636911C1C165175F770B192399BA70500A6D442E8E6C8A693003D
SHA-512:	8F0A6C07F09926A85F18221549AF422E3B6609967D4A46C8F412A0C180818129169B7E6AD01EE6C11CA5E096643A77842FDA80A459EB1FA16DEAB6CAEECD5A7B
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3531712
Entropy (8bit):	3.7839855914258114
Encrypted:	false
SSDEEP:	6144:Pu/gSRJQYKV++VYwjatvsDVpDsehRAKzYM:yQYZTWbDj5
MD5:	ACFE1EB24D010D197779C47023305858
SHA1:	5EF31BA99319ED468EC9DCB8BF43C888B5A8B48F
SHA-256:	D937B616BB6403C2D0AA39C3BDEFC7A07023C18B2FE1F4AFBB9400AFF2CBEB1F
SHA-512:	048FEEE926AD593265180CE8E07858E28BDB2876A6A41250B9AEDA024429CA89D9A17C1C7FFA2ED73E0349B3F681A92F22730CEE69F411D3698FD5557A5CD027
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83880
Entropy (8bit):	6.544402115664437
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCSKfEBr3fHT4nAzHGkYJ+ziw6+zb:zr8WDrCSPh3IAzHGEJn
MD5:	9A1EAF11C3B1BEE44C0D97E873DB00C9
SHA1:	BD3A58C465171616D344DA00D97D5D49D4097FDC
SHA-256:	A1C8367E088D3CC9FD2D7428A2A220AA76E64096155932A6622023DE677CF804
SHA-512:	6A4A27DFF5939A527C9BE720FDEB7F65558D1A948AF175CD3244E87D9EFCA085B6A51D93E09D5178F05B29DC1334644E9532066C5A47F5C65BC60D27509C14D2
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4319112
Entropy (8bit):	3.816408890865793
Encrypted:	false
SSDEEP:	6144:PuXUh82lTMY/C3uuQyMyquNlBXYJ7M444IB:okyIgG47B
MD5:	0DF102A9ED5DDD0C490485998934BED6
SHA1:	B973807A3692668055A35A29C53C7F38669C8856
SHA-256:	9B42DD935106C8B407E7C607D3CD0AF533DFA3076576AC7EA2D838901CC6B4E2
SHA-512:	497E2C814A5B8B412540018D9BB5B3A47E0545FC7C280DB710052C8F77FF593E58881348B237FA892F7E208B632921D0962266E60CC5797389DA0122525AD496
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	785448
Entropy (8bit):	3.938581251810774
Encrypted:	false
SSDEEP:	6144:PurWSXeSC+hBMdNRneNMToeGYeneqjpGtBlmF:2LevUEcLe9l2
MD5:	B3C5F9613FB03A2AA578C29371295F77
SHA1:	32F9D3D1BF7BA8F34742900B9DA4A0FCF0F975CF
SHA-256:	08320B97919246079B98A5BFD40A67B5DA1452B166F2B9859E21D339998162D1
SHA-512:	5037960BC459159BA3D534B7585D6CD172A5563E075FE98EF1932EBA2BD65BCA37B99D782B1EAB5C33ADBA30DC63E8627140D60BD9028112D01BB9EE5A02EF15
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1081280
Entropy (8bit):	3.77728660153312
Encrypted:	false
SSDEEP:	3072:zr8WDrCqyTUawK12P04ti0o5gmQNJDJnJG20FxPlJPJSS12Zzwww6G:Puqs4wqmQN59wtSS2zwmG
MD5:	1D272485264476CF04C454866CFB49BA
SHA1:	9D13F47B98D36D3A64AFF45A9A04B17925898F5C
SHA-256:	F66B02E79D6DE29DBA8C76616B3F47DF597B386AB58DB30FA7E805E36FA7982E
SHA-512:	797B422388439BC78DA413ECC6749945ED4EA94D354ECEB21C1BEC10C5FA9A955DD02EC79626EB8996CEB36A82FD9D0EBB2F43EA1DF7CE94E8B0CD2D75A1A69C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1722808
Entropy (8bit):	6.4866587360850705
Encrypted:	false
SSDEEP:	49152:Ruoh1EWXRkd+h9y6NsRZ9MtL4kD5G5LVuhqITJemL9SQM3:RuohO2km9PNsRZ9MtL4ktG5LV93
MD5:	17B2C86B269267F4B810DBC51E6D793A
SHA1:	C14E9803B1D7DFBE027BE258957E23D7240C1625
SHA-256:	1EFA16D52D508905C4DBBDE4F450AE4511572E20DFC2AC930623C307410CB735
SHA-512:	B57B92283117554D2F7EF7E85613501F8EB3619980260CE427EAF443729417409BF8C6FA6FB4E1599BFD6EF0B3AC51955CA5CDCB63E9A7B9D680C960FE6545EC
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	307784
Entropy (8bit):	6.541340621340083
Encrypted:	false
SSDEEP:	6144:Pue+OpwoajoJ/cLr6eNI0A2kg79zge/ceeE1+v:3DWhS5g72veeU+v
MD5:	84FFBDBA0110417D41CECC2E90471C0B
SHA1:	3BD410023FAAB616BD19316FC7DA4CF8061843E0
SHA-256:	4C46A3280A95DA909745B05317CC39ABF3C631F79F127F191F1E5AE202A636C9
SHA-512:	FA4B33C8848F4A31D8ABF850997C2311B246EE0103A28A23A688F8FD8DBB2621AB7272DA1CE0C8447F6E8BF4ED97A007599CCBA36A431E5E0CD2BB4E5768FEF7
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	97920
Entropy (8bit):	6.434533395747017
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrC8zKAtCz72I/Q/RPTO5piDDFwzS:zr8WDrC8uFvgy5piDD6zS
MD5:	B35E1DBEB6DE3D98F0D02D5FE062688A
SHA1:	F4C8399B000865937C933ED4D3F7443A6395136A
SHA-256:	BD9D62FD719401FAE645118FBB811EEFA626A2E796FAAF41FF43AE971C46F9C2
SHA-512:	D61B9DE832AD9E160B108640E372DB887D32A4B6CA62652E04410BE0DA0859B79E76FA48B5DB95FFD4A8FFC786D7BC3AC1ECC1964CB3D03385BB2A2AFD923818
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1994448
Entropy (8bit):	6.5494262482330186
Encrypted:	false
SSDEEP:	49152:7l8U9+tiqfG7C+5I6ZOX0Bh4MdDHc/EBRXXZUABfmcQ:7l8+++7hOXODHc/EdQ
MD5:	611A0196619175CA423FC87C3C2B0D17
SHA1:	426524B4E733928688F2CA5E61E110D9BA5E98EA
SHA-256:	EA42CCC4A3105C8D1081D6803C17D7F898F8AE86AFAE34BB3718B15CE1087D55
SHA-512:	6C130A7C935B867353F7E77D0C84BC3F3EE0176ED2327D60969838C409ADC51B2C3B00AC449EFED7327DCFB07007C3D02ED708D2D37837BCB754F25CC60CE7B4
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	275872
Entropy (8bit):	4.230454715080273
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCj6gJJRaCAd1uhNRu7z3zHt4s+zbCtbCc0xXNmi9RHYOqEWu:zr8WDrCj6gxe7z3OzY+9jTYbE+la
MD5:	22141258122C8809D46DA57222A24EEE
SHA1:	CC72AAA1EA2A67D33DA8538B31089041F666B8AF
SHA-256:	7259EFF7EA95C215CEFE5961BD9F4B7387836AE18722ADC9E075552AC20CD23F
SHA-512:	33BE388FFD3654417966295BF29141550D23DFC1A9832565AE50D488C2C0FD0078E69862CBB2B105A491EED02009B40FEC16EE498BADD06F4D2BB5B18D2CEA5B
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	751520
Entropy (8bit):	6.5225913014857735
Encrypted:	false
SSDEEP:	12288:DccV8BFJ0kz4uP9V6wY2M48aVNfffNfYRweSat8UVNfffNfRtAUUn4lDW7f5sBzl:DOFJbl/6r2M48aVNfffNfWVNfffNfDw+
MD5:	5FB2510E2322EB38DBE1414EB158EF02
SHA1:	974C5E74E4D9CBEB1A1BFBA2348E13659578BC38
SHA-256:	7BEA8CDAEEEAB13F9E3C82D520AFD1C8F33A34B519D1FF6B62628DD5C3D9974C
SHA-512:	066195CBFFE4C2EE4D8E39D0C1D7F58A8E54388F22BFF619CCC0E1CD2BCF350A8D81D254C6045F6506EC33F3CB7ACE2C3CA7E77DD05DD05AD6B18F87BB457359
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	182712
Entropy (8bit):	6.321044292407141
Encrypted:	false
SSDEEP:	3072:zr8WDrC3DbGpEPwVH+lMCNy0GEVVS1ikLrDdevXqHai8MBEL4:Pu3XSSwVgvfkhvzHcWEM
MD5:	D6A43031983F75E73D90D8F8F6EE65F3
SHA1:	891DE44CFCE6AC6BC790C766971D94872E8A5073
SHA-256:	28BDD891C54357A87F38A2BF6705BC1B2B6989B5BD3BF4CA750829FBD7FA2B51
SHA-512:	0A96059DE916DC162D297D78AC26B8FAB136E475E2A622CF736E84FCEFAE57C2861D24121E6B87FA70F25401BC8870BB9F2434DFFF77B70E396AE3775DDB2416
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5174360
Entropy (8bit):	7.263145839410475
Encrypted:	false
SSDEEP:	49152:v/xFnOvtaWIDn0apLKkLJU9nU2foKhA4vSWidGHp+NDGQUzbpDOfjxAkrQKl+RPp:RtLK3BDhtvS0Hpe4zbpaAKQkroGIz
MD5:	24FC272DC719890D04C1E6804B0E3D70
SHA1:	8806FFAF77CC4AC229326C83A05472FD7CBB422D
SHA-256:	4400C0D026FD13A51AE0CF1154B2A165BD488EBBC7B1FE8BE9649D72D13DA4AB
SHA-512:	F0D1B9E257B95883AE5F259D749CCAD6B1CF51DD229F602731F377786E161A62784D4F6B96C6535E412761E8D1154B8449A77D05DF8890F2561FBDE5A9D62F38
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	139712
Entropy (8bit):	6.519874180004667
Encrypted:	false
SSDEEP:	3072:zr8WDrCGU5adWAKmzUccnzkVBgEuKjj0WWtPPoI:Put+EjzCg+j6P3
MD5:	7939D58529E97846AD3CE93D63C2778B
SHA1:	36E2D3DAF36C2D0208971A66DAA273B627D43D9E
SHA-256:	131DB672352CDE0AB0154F4E5EE0FD28F93494F5D35FE9572BE2C6BE29467838
SHA-512:	05D79A0F03D4087C970B5E4EA7B08AFAA3C86EB8B8CB4E5F3658DB71CC2DAD969351A1B37FF5384513132846B7B9F022AA5863D02245FBDBE32E4609E3729C9E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	380368
Entropy (8bit):	6.674833575620702
Encrypted:	false
SSDEEP:	6144:PulzgSb/029S2P/7nzGxFrRN0r0ivCZci1FXiO8DaS4wwE0CBlFJmcx:Xw/2q/roN7ivCZci1FC74wdBlFYU
MD5:	10DAF38B33648DB8EC4CAF569EFB8325
SHA1:	D226C4CB3EAC2BBB40C7070DF3360DA6087EF85D
SHA-256:	3ED456CAFC1F681A4823411C4F931DB89A14DD1F4C439814E3C69780F489FB33
SHA-512:	8D0975F6C992DEA085532A41B8542D44CBA540DF7BABF1F81E1EF5A5CFA2CCBA010264B2E96F92CFBFF0A8EEEF18BA90CEC3A0639999FBEBF98EFC4188BD24DC
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1269696
Entropy (8bit):	3.7496395278811394
Encrypted:	false
SSDEEP:	6144:PuTvk8/0NhFYAddenZhUhTNnLUrh+9nTGLljX4wuSzVF:C4wXF
MD5:	622DF9CBD4454B7D31D93A8FF26986A7
SHA1:	D9B343BDE5D6038757BD9D3FC3A1DB5D44FCC406
SHA-256:	1BC8B5224D1EC7C1A84FE6BE3D1FC2584C4407F4776BE701311B5F59CC6B2F72
SHA-512:	CB62A86DF9A944F1BA87FEB86CCBB4C8FE34518F5701B513FC0C837E37E9E0F3D2BCB392FAC866C30D6AED8DFF4B65789134FDFA21B62A049FA701C2BBD86272
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	266648
Entropy (8bit):	4.185481008908313
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCyRaCAd1uhNRuiazvhzpwtWhz7I3EWwwrwYx6RPWdn6ysl4a:zr8WDrCgezzvhF1h3wEWwwbx6ksl4D
MD5:	63852098CCC25D5425C739E6CAD65F4E
SHA1:	DE0C1A4DCA860867D769B155909B5B26323FE00E
SHA-256:	1DF1BE777988330F8D3E437175CA8B9D1CF4AB2C6328EA700013A5A0D766715A
SHA-512:	E6893FD4B8D212754383C86CF493242C8A15408742FF6DBD01A8B6B056EE6F6C359E6E87ABD63628FB54D3719B4C0C9731CA7712C7C78D0CDE7E1231BF814081
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	715760
Entropy (8bit):	6.522162821709477
Encrypted:	false
SSDEEP:	12288:U4tuuLntIMDXw5vde5EFf1Pmbd3lSz3dfp1Swf5M0blmFKuJOJZM30j3:7tFDKMg4iX3djfy0blmFlme303
MD5:	6F1E23677F89E09E3B4D7CBBFAA8E9D6
SHA1:	3BFA1C0F2AF97A85C282E141DD9E7D36D2466211
SHA-256:	CCACC1332115B620976CDB004CF6CFE426AD8CD008F8F0DED6D6F5CB71D8D8F1
SHA-512:	D7E6E401DECBF9989C51EE3F4BEE09F696BF25F13FD723AE7BFDDBFD7B7C2C21367D91289AFC4571B6EF34E541920A307F1F4A09F1680A97A2970E7D3412426A
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	619944
Entropy (8bit):	6.637875601699727
Encrypted:	false
SSDEEP:	12288:NM/Of/Bboj+clWnIKgrP6TFPLNWuX4Pemn3oi8ky9Q8WSe/aSqizuO1qukdQAPnQ:u8JgryFPLNWuX40RulAPn1OcnGVNfffl
MD5:	7A16124F85B72495EE1FE9F639B9231C
SHA1:	6BEC7715F9FBA90EA72176E9211A7D2B66CD2711
SHA-256:	6EC71D7BD6697603174EF482893A6AB891B7C056F407AB7071C4C05B905D3360
SHA-512:	55B7DE7FF27C529E2A13E37C8A5973592865D19FF493F01C6413F6D2921EB08A6225614A9B1A0CF9701397EFF8917C1DB84C3789A915FBDBDC0ACF9BC63ABA17
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	150416
Entropy (8bit):	6.494866167569868
Encrypted:	false
SSDEEP:	3072:zr8WDrCsQPtLW7twRxI5mc5TNN3AsdVgNwihwT3RqEM6ZOfHXb42:PusQMzhdV0nh4Hof7
MD5:	B09DEFF61F6F9FE863E15CCEDDC41BD3
SHA1:	A0E6EF8B3C816C2D588E9E77D08B96D3D0CB097D
SHA-256:	2009879148C3ED6E84842B5B6FADE5C90796432F9661AEAB1F984707131A8421
SHA-512:	08009C92E6B4E652CD6516DCE9A4E88329A7A95C8F423C224FB15B983F1F3E8B239C7FDCAF0A567DE409756B1F813099DF1F5EA26B1B1D6B66D852A2716DE79E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	264576
Entropy (8bit):	6.638841934755568
Encrypted:	false
SSDEEP:	6144:Pug872jsLuLnPo2TTHswP2TGz3FUCHySYI:/+2jsLuT3MfTGW5I
MD5:	E62A03187D8ED6B506E1D2B2273F2E0A
SHA1:	4579EAD2B0EF021621D994D6CF7CEB0FB1C4D03B
SHA-256:	B23D2592ECF09B750E142995632EA34F39F835664B728EA5A719C4734403A6FD
SHA-512:	0EF9AF76CA2A09FB8DF0C709881E496D19A35767DBA00817F9190FFCA263591462ABB3CAFF0DDC5AF4578344E0DF10DCF3910CA7CAC8F5E360B556F0CC6EF414
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	108448
Entropy (8bit):	6.041379910770017
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCWweqz1lezmtJwzojsKyyJFGgHZ//rHzb:zr8WDrCSqzXe0wSyyJFD//Hb
MD5:	F8D9ABB1B7F268C598623F479012D0DD
SHA1:	E79F3937B827EAB37E03C3D6083541641491E701
SHA-256:	FD6A12A515BC65DD8D8E133E4FAF4E60A4BF4F0ADC27E7CC200A200206FA7603
SHA-512:	0E7F482B286860CC322E8E9ABB8BFAA6C9A4C335D443F7EF0349EAF8696514CBE06D0743FBC1181FB45E6FB07E23647DD95B7362829E76DE97BF6071DE12EE31
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	662600
Entropy (8bit):	5.99949921629127
Encrypted:	false
SSDEEP:	12288:hpo/FEVciSJJtH4PoR6moWEBfQLxZPhEx7xgtV2hv4tkYUK2tlIqR7lmNK/IKrtK:UFEWi4JtH4PoRfoFIxZPk0NKbB0R
MD5:	972F426D9B56B37005FDABC7D334747B
SHA1:	140458C19EDCD7C4B75586BB4DBA5930D5693DC5
SHA-256:	5052A0F40917AF50A319DD1BC4C39A62289A0723645AEF4A0DC8DBA0DF0391D9
SHA-512:	A4D3E9EC84C8111423CCD978081A2E95C268A177801F6B3E8F81965BE709F1F062C035A774BF9C7A706FAB67F988D3E88FC87E233C449D0179545A569EAC9DA8
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	260560
Entropy (8bit):	5.442716114061443
Encrypted:	false
SSDEEP:	3072:zr8WDrCl4ZAh7ULoQdHBjw8Q2pFj4+W1ISYpksZmRohnonRBfTjzJEthEWV:PulPfQdhMuj4VM8imPjGthEWV
MD5:	1C9E01BBA5F422C56C9F336EB663411A
SHA1:	51AF077DD40C9407BBF10ECF3C8CBF438A0FE69F
SHA-256:	64397891801142AE1DADB7B7E7C9D72624BCE616EA76E21938ABFD415CF2BB54
SHA-512:	F1B54EFC6744DE37E2849B0B9E69551ADFA42E8E10B73FAA0409619BBC03C0D48077C103D055CB78EB8744EC2D621EA216BEA7E8376CC36C123954BB8A00573F
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4357672
Entropy (8bit):	3.9560374353507584
Encrypted:	false
SSDEEP:	98304:2YN3nsBQ5ghvEyqf/whWovz9hRJ5RbisrbdsPO9jXs:nN3nsBcghvEyqf/whxz9hRJ5Rbisrbdg
MD5:	62A647E67A2FA62FE3BD23B8C05AD5B6
SHA1:	49B76A71C794AA8CC03265715F58175E37926D05
SHA-256:	BF783C50B010FCD4353FB2F5C1BC9F25A8D1B5BAFF015A22431D64E0106F6387
SHA-512:	A91A3D1E9847D2FC1EE85B58685E33CDA4E3C743F38FEA146E5A714C1C937D3508D185626131553D94B6ACCD00A7FFADC2F7D70B00568969F3815E725C429107
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	124056
Entropy (8bit):	5.717272734704383
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCCwu7mzj9zNtP9zNps8Q:zr8WDrCCLmzj9P95psb
MD5:	69A2BD4BD404C78D413DAD66D32597C3
SHA1:	7663FEFC203E918AA0A6618A4548B273E4AA2893
SHA-256:	5AEAF364B4159E6603DCC5AC220765A83033E62679405C8141A4C209F89BDF6F
SHA-512:	913C45F67F749ECAC269FBCEBDDAB2A274F274DC7FE0376FEB92C8438493FC9B8B528C48962C27B05710C8D1B48E22300002A9D7075D8FD3DEA1680C0772E9B9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	358336
Entropy (8bit):	4.510772603696019
Encrypted:	false
SSDEEP:	6144:PuEyUkKOEEIK128d2VKjw0EYsfZJnPmTuJjac2a51lHpLszc/kzY56Y:Rx/B/kib
MD5:	827D7E2C0648A1E8647744C90DDC13B1
SHA1:	94CF03EBCDEAECECF5A4438471AD452C8FBD1699
SHA-256:	AD4CE68BE5E3737235F7A3D3F6516B6EBF04209AA5BF2A1E929FA7FAB5F78460
SHA-512:	41C3A9FD99483B67E99E53BA7A706B6AD3F95268F09CE15932DB08CD42ECA01AFD6D05B5FBF2947A3BAE2D01EC9D629B9C269A5B67B34853FDB83FA40FC84581
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	763032
Entropy (8bit):	4.114589316949574
Encrypted:	false
SSDEEP:	3072:zr8WDrCcwRnjnzhCiXXXXXX1AzZwAazTwdOLxN1IHO:PucwRnj7XXXXXXSzuz8OZ
MD5:	F898708BB5A98C216A5BDC4D8AB55F31
SHA1:	22F8606DFCC66EAA9348FCBE454AD077C1D6BD48
SHA-256:	9660432E007E774265D438B48100B8D6F0A98DC028D0208720FF7A76C72EA115
SHA-512:	2518C501205897BF611DD43A462AE4F689E1C1587BD2F5F15B33CDB63CFB367A402FB4BB61FFE7A7EC23AC564DA601060011AE6B82CDB8D2E565D14F7C72505F
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	895120
Entropy (8bit):	2.964304827256967
Encrypted:	false
SSDEEP:	3072:zr8WDrCgfCEq7tOxIfMFzCEpAm/4rx7z1arf+9:PuJz8w
MD5:	02B9A3A76F77E057424B70187B54E8BE
SHA1:	3A659E76872EE3E20BA10F11D291D0BAC6EE0F66
SHA-256:	7B044969828A96DC142FFEDEB7922A876C4CC5CB4DC073C5CA47B868D7315C4B
SHA-512:	26D9CC3CA41BF1AA592A914DB7BDC82D7761962D7AECA6BDFC38047B39D6E1081484B5A90C009DE01D41F9CA45E54570B15AF6F10BD7E9CFD985F42B3ACF6E6E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1082008
Entropy (8bit):	3.7732979147875136
Encrypted:	false
SSDEEP:	3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
MD5:	9139C2A0B4A37763278B42FA33970AD6
SHA1:	4667B3983C739687FC50DF651F1633E1EC2DBCFF
SHA-256:	EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
SHA-512:	E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	105440
Entropy (8bit):	6.077342901333925
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCqjhzxwKehzgt5t1D:zr8WDrCMhLehEthD
MD5:	3041D08F176DA6C15446B54A11BA7772
SHA1:	474A99A64B75751BBD04B10E7F7F2D9D43F12E6E
SHA-256:	3E6EB6EE327A6054BA3BE5F55F3481FE3436AB3CF0F0D6FE99976472CDD02631
SHA-512:	216E38ACBCAC94F24144566415DFB6EBC94A16E93B44E1F45B79D982523B8F4A6A2FC1AD5843C336998D30F2EBD39ACE559F93EAD1AEE696A81032CB5641202D
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	537536
Entropy (8bit):	4.966282092151679
Encrypted:	false
SSDEEP:	3072:zr8WDrCXPMMRMMMmMMMvMMMwMMMNMMMWMMM3MMsewVOOMzMMvMMOMMMJMM2MMQMe:PuGwVR6V7byjUWAZyVVdz8eEdGo
MD5:	565FEA50A9BDB9B4C1A88FB65316D097
SHA1:	D98406308D5B48AB1AC35E2E866D0F1A30E37442
SHA-256:	93A7BDC3118E56C0F2EA0CDD7718D4A7F7165B6FF6A1A4EC7912946B35DA1DB8
SHA-512:	7C0DBBC3880E747EF11EEF454173A959F98045110BC0A851DDF1405B8DFC18A1B6F1D2321271C67B8815647698AB8754EB9C0DF226ABA598060B78580A1BE299
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1271952
Entropy (8bit):	4.08276153361242
Encrypted:	false
SSDEEP:	3072:zr8WDrCf3ppPpNpDpspp/pCp0pmppdpspppRppMpLp0ppppbpQp2pphpSpXpQppt:PuIKQSNdhnSzv
MD5:	4F7B544E82176A6591B213634C9DCBBC
SHA1:	EAB0382F33BD32FBF05351F750014EB814CDFC07
SHA-256:	3E8E1E8C74AC39D6663C089A3FADE84F9852F70325981F037E9CA111036448CA
SHA-512:	C339CC8DA7001494E3D2855632837408784412412630507E52A165AB42FCE29CF0D0115D3C3475ED231B2E4A14025464FC6DA85F4AD3227822B6855117D7C604
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4099760
Entropy (8bit):	3.71770959793901
Encrypted:	false
SSDEEP:	12288:+BKs7fvZIFpCYVIVN2mGsb8HtVLaHw3j4cLbUBRjLFP29DyZbT9gb/m06aCzE6h9:+BKszX0FjOeblHiled/k
MD5:	44D035172880CB494A431B5151307A85
SHA1:	F754A916F702B3A4AE738978E6CAF9ED103977F7
SHA-256:	60DBDA9BFE2A3A683DE925697F23962303AADA724144B70C50D5D4D915A73EDA
SHA-512:	1916ED72E59480F3585160231E3DCC459DCBFB3BBF126C7456A3135B9A08150A3B5512F5469CE7B60E2CFEAFD52B06157DA821367E83184CB2D54FE1BAF1D52C
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1273488
Entropy (8bit):	4.318016696735314
Encrypted:	false
SSDEEP:	3072:zr8WDrC56bZt+ATS583ONo4aezJ8ZfqiA:Pu56bZtazB
MD5:	8014D7B281477BA8D20CF01253894A75
SHA1:	847240AFA115E972C2115BF02965C89013BFEB8D
SHA-256:	D78C4FE0CB9E9552A8073F6F60F5CE2D1BC9306855FF52788B8DC542C62C56B0
SHA-512:	F66439985974204855DC81E3E43C9CECD19914DE11C72BB6EFD5CB0BC824198F0904ED5CC33975C45A02BDF0EABB979594B1A0CD793EF77A99C507CDB4F423F9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	124056
Entropy (8bit):	5.717272734704383
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrCCwu7mzj9zNtP9zNps8Q:zr8WDrCCLmzj9P95psb
MD5:	69A2BD4BD404C78D413DAD66D32597C3
SHA1:	7663FEFC203E918AA0A6618A4548B273E4AA2893
SHA-256:	5AEAF364B4159E6603DCC5AC220765A83033E62679405C8141A4C209F89BDF6F
SHA-512:	913C45F67F749ECAC269FBCEBDDAB2A274F274DC7FE0376FEB92C8438493FC9B8B528C48962C27B05710C8D1B48E22300002A9D7075D8FD3DEA1680C0772E9B9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3012136
Entropy (8bit):	3.906262161438606
Encrypted:	false
SSDEEP:	3072:zr8WDrCdd0qVmvzC1SvXKo3NzbsZ6DdIAZcbEcofUnpfRII8Lp9qgN3WJp0Rf5Nb:Pud/V/CfDhNG5sMXjjzmEPocu
MD5:	0E9889A432E6C320EC58E71B4B497324
SHA1:	7D8B680AEDAE2B18557D291C1503739BC0506555
SHA-256:	5D8DD3FFECA4CA6D40803B0DAB087E654265030C3AA9F2F90BC2B53E5EBCD660
SHA-512:	A5B157FB6CF5F5B000502E099C0508513FBA2B93CABF765BBECF21527B17D6F83EDCF86DA1BECF2B170227694CCAB49D0F55DD2946FD832186E4EA786EA24927
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3531712
Entropy (8bit):	3.7796637413670093
Encrypted:	false
SSDEEP:	6144:Pu8sSR7PYKzz38YwZItvsDu7DbDhRAUzHW:5PYmLWSDBy
MD5:	6DC25D566989B3C8B314D0A51CE264BB
SHA1:	91A91837034A68BC5327132381D4A060B96B80AC
SHA-256:	7B0D191A69BA4A30A5F9BA4914F61B4514B30507467858E595353E158E20B62C
SHA-512:	213F26AC7407CDC444968465B5F2153DBF4D0B1113ECFFC7CBD936BCD4D0F1B024C5EB294EB1630D986BC022726F622950B8187304385FB81CA234E0E6D6D9A4
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4319272
Entropy (8bit):	3.812301874725472
Encrypted:	false
SSDEEP:	6144:PuEmRfvlTZY/C3ul0ywb/uXMo+YJ7M41zXLWIB:3+6M+595B
MD5:	FB10E76D72E74609F207999494FFEEC1
SHA1:	9AE189189878E6B4E84FC1EA6BD6CC861E25BD68
SHA-256:	1594E068581C29E6422B82053DC5D2F1E805E190E7B12F9EFE8BE6C2D6E8E4DA
SHA-512:	78F4F601BB7E5B5696B615B66F701DAF6DE2E984C19D502207A786D5E6784E5D3C7474D05EE282227EB19EDA91A5BCEF3698B0F02FB0630003BAF88AE75C2136
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1082008
Entropy (8bit):	3.7732979147875136
Encrypted:	false
SSDEEP:	3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
MD5:	9139C2A0B4A37763278B42FA33970AD6
SHA1:	4667B3983C739687FC50DF651F1633E1EC2DBCFF
SHA-256:	EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
SHA-512:	E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1082008
Entropy (8bit):	3.7732979147875136
Encrypted:	false
SSDEEP:	3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
MD5:	9139C2A0B4A37763278B42FA33970AD6
SHA1:	4667B3983C739687FC50DF651F1633E1EC2DBCFF
SHA-256:	EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
SHA-512:	E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1082008
Entropy (8bit):	3.7732979147875136
Encrypted:	false
SSDEEP:	3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
MD5:	9139C2A0B4A37763278B42FA33970AD6
SHA1:	4667B3983C739687FC50DF651F1633E1EC2DBCFF
SHA-256:	EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
SHA-512:	E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1082008
Entropy (8bit):	3.7732979147875136
Encrypted:	false
SSDEEP:	3072:zr8WDrCyo4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:Puv243xmQm59UtUSfz3
MD5:	9139C2A0B4A37763278B42FA33970AD6
SHA1:	4667B3983C739687FC50DF651F1633E1EC2DBCFF
SHA-256:	EF91D1E371D92DBCAA676684653EE1892F901D4365F922BD6BD5833B5CD0488F
SHA-512:	E5CE975D51D56CD5A2E4707E9E739CC68C1E297CFB030AADEB114FB61D57BC515759E3CFE89332C91F326E23EC49BE5453DDF9F6EDE550F55DCE3F8D3BF53BC5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	97792
Entropy (8bit):	7.345675805687577
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrC5MXL5uXZnzEPf+hzRsibKplyXTq8OGRnsPFG+RODTbN:zr8WDrCawnYPmROzoTq0+RO7N
MD5:	91F8C5655E265566963C8110F8A9DE7B
SHA1:	B96F17997E415AEB3CDF82A68927AEAE232FEBAC
SHA-256:	CB9E615DCAF44187AD82F13EE4B711C38696C33E0FC25AA44309937BD571811F
SHA-512:	7E9B9612E3B4868AFB70C9DD6A94715FD0511043949A89CACEAD24E2369744525D0A411D92C6CC81F24F7E222E1BE37A0BA790DCB9ED7E8AB289E0D4F504F7D1
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	582184
Entropy (8bit):	6.398834596152969
Encrypted:	false
SSDEEP:	6144:Pu0LWET8DS698nGX2OduCwUJWh/JmmS3DAjqnkrzFoEh+vMKC239YUFgBdQ/:PLxT8DhyiLduCe/lSpn6zOvYUFg4/
MD5:	897450E53986279D2B04BA53B52BDDD8
SHA1:	94C242D856D91F902792EF4B390A65847321632F
SHA-256:	07648CB2CA34B1C0F75971AE97F941AB50AE25F76429AFD4CBF1895B0269D24E
SHA-512:	72A40CC08748BBAEE3E5B06EFA0F123F2C20A793B5862473EB972CA68F39474A89D4BF9DD0250321DC32D80AD8ADE6A0D52CCE978B5DC0AD1421E6213DA42C98
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3837992
Entropy (8bit):	6.444733046079261
Encrypted:	false
SSDEEP:	49152:BB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8l8EK:NHzorVmr2FkRpdJYolA
MD5:	32890A1EABD25D9DAFC948F5146EE430
SHA1:	228A82E420134C823B26445D3124DEA5575E68B4
SHA-256:	3701476504BE77805D33A9E809A5D42C10170D5342C9D6DD2B546EB8D44F9005
SHA-512:	9B1B651AFB2C5DAFA5D3A0D48ADE18F90BC370F183C0884F21C1EC2454F015DEEFF627F091AD1C73341EEDD2F5C7D291DF2CAB0E6B23A8C5F52E2DE2DD3E0C6A
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	161832
Entropy (8bit):	6.14756500825813
Encrypted:	false
SSDEEP:	3072:zr8WDrCJ2VSd2ga8KActASiZAkXS1xU5M3XgcoT0cs4qIm6Y6:PuYVSktVjv3Xg5T0FIY6
MD5:	04EF9F4C747D7E6688BA9F35B8E3D8BA
SHA1:	24E64BAC23BC510711460C2B33130FF4C1CDCE05
SHA-256:	3D1421240FCFD07D5084ED9D4B33A5DFFADE81CE7912EE0BE4A2E4437857B642
SHA-512:	BA8C839D6CA820B5DA5E1864564355EDB1628811B34FDFAAF54C0505D2971892C6CE3783FF4F2DA8BEC0A346BE733570BF50CD86B2726249AAF3DA611470B993
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1827880
Entropy (8bit):	6.540156971587151
Encrypted:	false
SSDEEP:	24576:nhDdVrQwm5ztlU0A7fMAHmpmZ3QXE/0/lVaLpmasGvP0:nhDdVrQ95RW0Y9HyWQXE/09Val0GE
MD5:	879742EC86106257BEA934DBE9B820B4
SHA1:	2D0D374FE06464FE3DEF4C6025BF2C5246572C03
SHA-256:	8AFF66C49C009D187109D8B38F826731B88C832B976767C41F73EA4C7972CF2C
SHA-512:	B7DD56A683CFB81DE96408F4D973EF9EB8201E5A2C574954487E152945D87CBCD5CF81D9567B09378E7737FA47B31AB29DCD03BE846DABAF164E3530639FCE36
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297448
Entropy (8bit):	6.513926743108373
Encrypted:	false
SSDEEP:	12288:3doA0Eh2XptoQZRuefMYR6RrAJU9CsxmMocSipEylqFfouDMA+nkSddSDBDIq:370E0ZCQZMip6Rrt9RoctGfmdd0
MD5:	C46EECCF6FAE76F11358D0E43965681C
SHA1:	9ED2788370B6F5B476C7E6000058BE7D5EBEDA6E
SHA-256:	5804894F3F60DA262589131E6B7A1CEA7D5B1023993ABBAD2253C12526914D8E
SHA-512:	C36F36F16CFE7AA0A39353F45931B3B64D7E1168C8DCF61FB7A116612CB24A54E281D4D616EC21D6117118B03A0F03AEF8EFD91CFD5483EB6B6776C7A50EFED9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4251688
Entropy (8bit):	6.506317829104403
Encrypted:	false
SSDEEP:	49152:bpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BT:QehFLvTQDpB5oSOmlBl
MD5:	6D080AAFAA8CE83776195B5B124103FF
SHA1:	8C8809935FA73EB7A18FBD8023B0636765DA9C09
SHA-256:	6AF714C0C52FE584E9B4E9EF39D4DE723C509BF9082476BA3C5B97DCB2D3E4F3
SHA-512:	F7C81889032AFFD9BF288A4B34ECD026B9EC6E5BF74D3D4EFF229029D63B33B26CD0B178AD95FD6BE728414882678F8E36C0C1373D21A32367E9508CCCE7EB25
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1319976
Entropy (8bit):	6.503786677710061
Encrypted:	false
SSDEEP:	12288:Uyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:UiD2VmA1YXQHwlklb8boUuWPg2gX
MD5:	9CF33C2C22730E0C3C7F65154ABFD0A7
SHA1:	7ED4EB14D0A8174B75E4C5F0B06B4DB54F53429F
SHA-256:	FA5E80F107D15EA38675A3A544DA56AA245DB5421D64A162ECB4C159A6CBE229
SHA-512:	CD21A5AB79A0DDCE0F88C57D3E8E4B56C093B12E6CD74DF3AA234D1EB2C8C1D7E4412083836D102B5E4BB545177EC58D5E8FC21216DAB8AEC92D0D3F02026FAC
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2327080
Entropy (8bit):	6.530984368082779
Encrypted:	false
SSDEEP:	24576:yfD3zcv9ZhsSGSQoryOzozU63IqRNhB0kDKPHkkkkkkkBoIeAz:yfD3zO9ZhBGlopzM3HRNr00z
MD5:	3332CF2E4E55A3382BC000AD04399C84
SHA1:	88E1C5B851AB8F57E50EE2F9AFEDF3CE828FA19E
SHA-256:	780A8D096F70BC6FDEEEF05A22C1C943E64C2A3CBE33C6F3600504606D4FCBBB
SHA-512:	1CE56E69DB2CA020CCCC036B5F0FC93156F2352420B5F7E3F551230D478AF5470657F81617B45CB32DF98EF9DCBF5254BEB16DC75F43186ECFF2D71740A772B4
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3790800
Entropy (8bit):	6.537629939786787
Encrypted:	false
SSDEEP:	49152:GTaRe7mkn5KLvD5qGVC008Jpb4tgLUgGEsLABD5wTQh07yrLMLl9YPhe:ZI72LvkrCpbxJRoIMx
MD5:	391A248273BFC2C0361AE5DFE61F6D1B
SHA1:	0BD38C25FE4CC60BCB67ABC8E7407F0135E61FD1
SHA-256:	AEF2E2B2AE1722A9D53DF0A40DD3B126AE40DEBB5176C150DA67AA72392AD6DE
SHA-512:	B5F345FE14835806C1273DFC6C9C1E993D9EF469E8D146BB466816748A8F432362734B72D9BB79848C2C50AE103273FF723E865C649A53D6D1130A8DEB2003DA
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1535528
Entropy (8bit):	6.517119310826715
Encrypted:	false
SSDEEP:	12288:+406WoyJHeFOqDRA7uKk+TjnkgiMnQq+UI7MBImQWkv7yfOYIXbwohMA+nkXZnHC:HW9Jml9mmijZiMnF+ZxmQWcbLw8Vi
MD5:	20628DE11335D9E9C180E82B8DA8C6F4
SHA1:	3214ED9228E71E72D86A3F9ECFB0F3B7A8AEAE8B
SHA-256:	1A1CC93F0239D3A342B27EF97020EF7DCC522BE9A8EEC0220C52B69E098EACCD
SHA-512:	138B4E13BFDC8ED20854432609FFC90852DF667507D7C0DA77D4F817A32A55D084CEEA30184D9DE444DA5A949665532F021E01BF30D261803DBF31E18BA6A8FE
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1273384
Entropy (8bit):	6.515185633103735
Encrypted:	false
SSDEEP:	12288:u5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:uwNHwoYhua6MtERO4qbBJTY6mY1uIgp
MD5:	DA3D6D82C0A5DAB32AD539A41B2292C9
SHA1:	69A16AE6620EBC4E3AB589A77C3875332CD9EFDD
SHA-256:	B68881B7F63772E7D7002EF6ADFE43870760808167260F1FE2578808F47F67ED
SHA-512:	E75F6C20E0BE447C014874769E9037946DFBD602602AE6A1D5D197504FF5F13D5C6FABA3A93E0658E8B70A66B37790D500DF03D8FA6CA01A21FB08F461F1E74E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1319976
Entropy (8bit):	6.503786677710061
Encrypted:	false
SSDEEP:	12288:Uyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:UiD2VmA1YXQHwlklb8boUuWPg2gX
MD5:	9CF33C2C22730E0C3C7F65154ABFD0A7
SHA1:	7ED4EB14D0A8174B75E4C5F0B06B4DB54F53429F
SHA-256:	FA5E80F107D15EA38675A3A544DA56AA245DB5421D64A162ECB4C159A6CBE229
SHA-512:	CD21A5AB79A0DDCE0F88C57D3E8E4B56C093B12E6CD74DF3AA234D1EB2C8C1D7E4412083836D102B5E4BB545177EC58D5E8FC21216DAB8AEC92D0D3F02026FAC
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1273384
Entropy (8bit):	6.515185633103735
Encrypted:	false
SSDEEP:	12288:u5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:uwNHwoYhua6MtERO4qbBJTY6mY1uIgp
MD5:	DA3D6D82C0A5DAB32AD539A41B2292C9
SHA1:	69A16AE6620EBC4E3AB589A77C3875332CD9EFDD
SHA-256:	B68881B7F63772E7D7002EF6ADFE43870760808167260F1FE2578808F47F67ED
SHA-512:	E75F6C20E0BE447C014874769E9037946DFBD602602AE6A1D5D197504FF5F13D5C6FABA3A93E0658E8B70A66B37790D500DF03D8FA6CA01A21FB08F461F1E74E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	225232
Entropy (8bit):	5.9169842072110015
Encrypted:	false
SSDEEP:	3072:zr8WDrCFcxiNNpCPPQPg2cluc/Xswbz8cz3quKoNX1gd:PuFcwVz4B8c37KoNX1q
MD5:	B50DDBDB05BF0BB57476EA6C5A032B2D
SHA1:	75D97A80167D3AB18ECA1B1A990B894F691584B2
SHA-256:	5074A5357D42806C87926B169CD558E653349DF7E44354EC85460C0A2C95C50B
SHA-512:	FA6DBD13E3E85C5098B6A866E7F399AECDCD4FDD53ED3F60F9EE20F8ABC156F2F272B155B5BCD79F4424E89C8045094560575CBA622327D6661A4947D7D35D46
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	247760
Entropy (8bit):	5.766587112108476
Encrypted:	false
SSDEEP:	3072:zr8WDrCQW4l/DReos0gXf+EvC6C36eCWdMuoB+ISzBqUGxNtvKAbFP3cSEt0phcf:Puml/DRfkTC3dM7B+mCivAT
MD5:	886E05881670C2B29D17DF6823B38A66
SHA1:	4CB79B5F1DA8FE8079518B65FFFDB99EB0A3D76F
SHA-256:	AEEB4BAAD144DB01611C82FA0D8F0029F3EF777101740829E7F6D8D453E31D6D
SHA-512:	9FFF6FA38B694ABC945F515A78CFA793D6AB8E7977A2973A5B69265A965DFC76C6A77D48366D5A98EB4D4460A878BE02C95C828066E42FB3F4F64CCD30D93987
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	142288
Entropy (8bit):	6.418539700023223
Encrypted:	false
SSDEEP:	3072:zr8WDrCs684ePKoTB+IvoAewtxUff8aohGme+YDfYz8FrR7:PuQrTB+AleYIkifYUF
MD5:	3856508A91D399E375B350B0C1423FFD
SHA1:	9747673D2FAF4EC499A05B3DFB80431029C17507
SHA-256:	B7E5B278ECB57EDBF3C121517B5CBE0B37C29D7A1F9BE1E121776C59B39F3E37
SHA-512:	77037E2A7F8A466D85F3A5CD2C19DA8D9795297BACA6477D8B39C29D7CBAE8641D6CE300F59035A674F749002B79199211C2955936AEB4DA0C7C6CDAB8636A1D
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	259024
Entropy (8bit):	6.086004749509324
Encrypted:	false
SSDEEP:	3072:zr8WDrCTXEV0tle+5IbvBCMmNginHy8lZoY46Mu/rLogrlKq9YXI35EvMl:PuTUVwleMITTmNv1ohWsqYI354I
MD5:	C37E3B17146D3DF38E578862AEA8C6AC
SHA1:	4587242D000A11BF98779F074BB15989A9E57AC2
SHA-256:	FE9F873C55826F1C1CA88289966923B9B6FB330C2B46261B682584711B0A35D8
SHA-512:	D28917D093AF944094FF56D5712CC0AC9BBCE3337A524E9B95487510CF5ACD2608EA7914CCA920CA9BE5AA7F6CA808B920AEE6D596ECD74DB3B2551BC77047D2
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	305120
Entropy (8bit):	6.411066493542914
Encrypted:	false
SSDEEP:	6144:PumFKucTm3RhMfoSG5dCd7hjAOe9UmXY2Gh++CgBlPMoX:vKucTm3RhMfoSBjA9U2Yxh+Zgb7X
MD5:	A44E4ED52DB101B90FC40FBD77EE5813
SHA1:	E1EA013D66084E842EE75CDF1A20F2C5C7C1D920
SHA-256:	A107A456D15142E351FA622010D0F75EDD8E331C147DF974A5EF1D8889700749
SHA-512:	30EBA6D8ECA2E67D40DA256558E758EE5A457E40E2D4A1CA1FFA175E063B6983F23210E35F7BA857E0F87A550511C8C5AE7F748D90B37F847432DC60B6916C0F
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	142288
Entropy (8bit):	6.419211340608754
Encrypted:	false
SSDEEP:	3072:zr8WDrCDaivqozB+IvcZ4wrZU+l/8xoAm2+YDfYz8GrR/:PujzB+Aw4CZNr2fYLl
MD5:	66668951BA49BF63140B9DC5384B12FF
SHA1:	864CF0FC89B1EC2FC0F7F86231001C606D95C626
SHA-256:	316FB2C43692DD48BF49D92F62393E1FEF23A024776398E25B5B08F2CB7601F0
SHA-512:	523138612680231D11AAC37F70C649334D8070D263DFA87A6DE9863C5C0A4E0AD6805F02EA29ABB99645CF55A3312B9101C0B06935F416BA5F33BFD8BC42E930
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1681888
Entropy (8bit):	7.889923575579936
Encrypted:	false
SSDEEP:	24576:hwy53G70SeiN9YqxCCg83udcWXDYajPF2410wuRpGfFki94qSe/wsNfzU:Wy53w24gQu3TPZ2psFkiSqwoz
MD5:	B49570FCFEDFF59819EBF3805D356A71
SHA1:	9D9E68E0D79AE3D3D44378A343C3A97E06368EF2
SHA-256:	915B395BCAD1870C9F672A9C8912F9530FDBAC068EAB40E91690D06429ADB68F
SHA-512:	1926DB61AE4E7490BBA88B51E4B12B65855839DDC6F8F620B4CE5A701A770C9636F8B043B51048389FB09E3B42E4BB44C04BCAA482077C6BE79AC1DD498638C0
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144866
Entropy (8bit):	6.2324558335577
Encrypted:	false
SSDEEP:	3072:zr8WDrCkRD5b0qZ7y4jem7y6tkNRCywDw1DiJkuKUY:PuGD5lZ7y4j9KT4DteUY
MD5:	D709786C68534D0465D77BDE302F7065
SHA1:	6E113BCB0876FDDDC39B31D1F364AC1C3B0F9B40
SHA-256:	8F98C63531C25555C4ED421DC87B670C763690A82E9B2D76A59D2233AC500636
SHA-512:	47295791D6181ABB9F777E85ADE7425A34C497A5E4E5B483104DE6105D9CE49D9FD7A342BE5B469528176DB4E63D0A5117F9E6C969B999B7F87FE1076DB14B86
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Download File

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	280480
Entropy (8bit):	6.382752729567392
Encrypted:	false
SSDEEP:	6144:Pu6Pr2vXzrEbslNp/JNsJKQl0GkRAqVNf0O3:7DQXRVTZu0GP+ZR
MD5:	25156B6B2ACFE0D4284F3842C0F1FD9F
SHA1:	C3C3387E29A3C045104FBA65357B73D36CB72F96
SHA-256:	1F32EEC314E0AEE4B61FAEE41B8D2D882AA49E3D49906E2F91FD842C574D2E17
SHA-512:	77B19A7D771681CC8AF1456013761626620EBCA8B336BD728ACE88B67E7E8D20812918BB588B5D06EF1E722607442ACECAF0BCD2274C912520F3125517157ECC
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366983293113298
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdP/QGPL4vzZq2o9W7GsxBbPr:uHqaNrFdPYGCq2iW7z
MD5:	E877EA3C1C882BC9438E4352D8742542
SHA1:	FE3988F10061964A144CE203FDACD0A9C3920D03
SHA-256:	798246C67C63D336A5F97DE2A08835B181B888AD46ED2F40AE57D6D0C2B63837
SHA-512:	7C03CC342417A03EA887057E68B92D114BC899936F858DFC55BD97F3A7EA358B3175BDBBC4EB4F4B278621B1597B546675855FD3E114C8F7BD26AAC705B8D29D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4473576
Entropy (8bit):	6.5697251244545924
Encrypted:	false
SSDEEP:	98304:9kkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:9kkCqaE68eV+0y8E6L1
MD5:	A0E84CEDA4163F189BE5349FD432B1CB
SHA1:	204335080CD8BA8D46E52DFB29F1461D7BF84CA1
SHA-256:	9A8C97840B4745ABA6BE44CAE7DE9EC0E7960AE31E52DFDE4ACCB1C24B6C4DA7
SHA-512:	BE941C507F9A607087E96CDBA94358F4882BA231CC08E6AAE8480301A5FF82940630134F9DB780B9527F43DD83ABE5D4868759854D2517A6D6A87A26903FCC9F
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	501656
Entropy (8bit):	6.316687804131066
Encrypted:	false
SSDEEP:	12288:mLH18t6x1hjaNHBlfBVDZS82JninSFVlDW:mLOwxyNHBVEHRiSFVlDW
MD5:	EE696711CF9AC80FC9EFBB26B76ABCFE
SHA1:	A2E66B1A8970B93B055B783F1FE600A5EA861690
SHA-256:	9DA9F59CB0DF8F42679E524FDF590843F68D1413BB1F36335B361245F5FD7170
SHA-512:	5A6E226B94364E8F0312D8DE64192A5343EB5E370BC5E10F373458C871A25ABE7520E55AD68279FD215820CABEDADDE4ACA9A01071370B980B62A0126AAB2A94
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1637776
Entropy (8bit):	6.316076233282021
Encrypted:	false
SSDEEP:	24576:z7Z1jyzcKSmKsvwMZJ1XBsn/gu2bRC6dulyyn2WdXM6cWlLIJ:/Z1tKTwMZJ1XBsn/UC6dugWA
MD5:	2E0AE929AA0C46D1850BD2064954D911
SHA1:	C27307CF87ABAA9CB17C869583BEC5DBB57A3C41
SHA-256:	BB21F5661BC8569FBAD37E05E000529EA09A93DF9CE906AC798B6FF87C39DB52
SHA-512:	6F79861A391A35B7634EA05FD37B28ECEA234FE91AC44B3F2DD365F49C9338AA43D5EF40B80588343E7C1B05D2B358F9516F2696F6DB1E4D9D8EA87CBFADB1E1
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	224632
Entropy (8bit):	5.620193770987743
Encrypted:	false
SSDEEP:	3072:zr8WDrCvFtCsHjgU7HOg6KTe/+EypudsD22QnSUEhydebz41:Pu9tx0SA+EySaQKeUz41
MD5:	96A64BD0E265640FFAFD214049708702
SHA1:	DA525339352A6F40A51DD61FE17149EC37E69C61
SHA-256:	4E88BCEBE61AFD28AD1EC55523F1656CA98F02806531CEFFCA55F2598674CFFA
SHA-512:	EA63C18E5AB547A7F76C6BD2F721296B400E2D6FE89C45DFD8DFAB86A794D171A44487CAB0C8DC2328F9DC92C239BB1E2BF55D7C903791EF341BD88FEAE28FB0
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	431336
Entropy (8bit):	5.901379876199201
Encrypted:	false
SSDEEP:	6144:PuYzBRUKCBTwZVr2miTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVV+:jzBRnCBOrsBOBf
MD5:	E7C3CF515AE2F8559EB6E76D748D667F
SHA1:	265615DC51ACBDE842A9A012D03732AA4BF9DDE9
SHA-256:	A2CAC1656374C752299952716F9021B3E15497166FA936A1BAD6AB7C39FE7F8A
SHA-512:	9034265306CF0A5D467C652FEAE1AD6FB4798B527A8C58EED576137582EBF6F24DD25D9EC9D977C93A489E749F1F1A20503B508C168CC9C54419AEDA9B044458
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175160
Entropy (8bit):	5.99132731187077
Encrypted:	false
SSDEEP:	3072:zr8WDrC2/VpSIcnsHKTe8LnZCA5OfkQAm95kQOJeqx6u:Pu2tkIpdA5OfzDUeqx6u
MD5:	C41D1423579C9814533D2E30DA685786
SHA1:	B8AE1B9A8EA125CFA003E1404F44F825F3EFA4AE
SHA-256:	BEE3417F4A10BA18D5DDF56EF7D3AF8597164CE62C74D4E979E09BAD6C7D6509
SHA-512:	52DC28327704F55153CB10ADB7686D5469698D07ECF6E03B223F8DE2C32DF5296BA7E0190E37A58ECCA264C1B045CF7CA1F2AE35F15BA4F43B51D92961F7F90E
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3162480
Entropy (8bit):	6.468488558909844
Encrypted:	false
SSDEEP:	49152:vnW4jqFRZega3xejvY7GQOx4K1fm15FKqO7t78Ity6fod76lmlW8U:ms3OBj4UmOH
MD5:	3A5E520F6C98AFDEA3D5D2D92483C739
SHA1:	A578D0612B92D4E3D3C913B06BE977EDFA7ACC20
SHA-256:	BE77D2388C60AB0610D2B49BF1883F24B40C33C767160FBF178F2EF3EA3834AE
SHA-512:	A3451E0C8CAF184343F68D29406D95BFBDE38F03C8AD0FFC4EDED0B3F4942ACE98D17189C574364730A7BF0F249808371175063312A00F9D85EABB61A5657673
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1309408
Entropy (8bit):	6.49550103750245
Encrypted:	false
SSDEEP:	24576:9+sGOL9NLM3r4Viwj6KLqGua43loEeUFmwv:94AA4eGua43lgUFrv
MD5:	EAD6386843778A730062C698AA030740
SHA1:	F24C8F0717004F67681BC64DACD4187A98D596B2
SHA-256:	D932B4622D4D9A52924CB1540B483EF7163D67263A0E0EBA11504B73295B8D80
SHA-512:	0E7641E940526213DFD1627CC80852FE8DC6D9ED3582E30FF355DD56978794B850081082FE7B798152D8AE0E437212471C3C615714FF9CE1DC87434235716516
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	922944
Entropy (8bit):	6.460885615415187
Encrypted:	false
SSDEEP:	12288:R9/Bro8OEYbhEdbsrg4Sxz2/Sl92ncG15fQ224i5pQ+poPCcqyt4:n/BrnYuqFcL3pQ+pDX
MD5:	F0BF9ADF513239520A14EB785BDD5886
SHA1:	F1915F5400458CA477B5E90DE9A2C5C4DDC132CB
SHA-256:	AC67389D5DA5FC3A99576D5832BEC09D66B41E751A15B1B53349A3003EF14DFE
SHA-512:	13CC35E7344418CF48E95525F351585652B9A499FF674DE766AED5D7B35F93F60FA9639AF011E0FCEB5F63AD895EDDBE0054EFE98922811BBE6206E52197AF82
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	501544
Entropy (8bit):	6.316070563003216
Encrypted:	false
SSDEEP:	12288:mLH18t6x1hjaNHBlfBVDZS82Jn8YSFVhwDW:mLOwxyNHBVEHR8xFVhwDW
MD5:	E7018A93116CD346F9F8A0CC2243295E
SHA1:	89155DDC39A59182E5CD870C4D16688AEB2E30FC
SHA-256:	A09544750353F4CD7DE1630460B6CD65F42524A51886FFA20857A220C5190211
SHA-512:	61428F7197B96297E15074C88F214D5247ED06BC5787A1403A87AAA479D6DDD860BC2FAFA8FF95DAD863632A898315313D353C9147118A7BE2E11ECFD21AF788
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1637776
Entropy (8bit):	6.316140077808731
Encrypted:	false
SSDEEP:	24576:zzZzKrsdCmasrf9Xr5wzW27+w3E4nZ1jDkCZTunfmrd/Mq8pqiV+yeci+HMJ:HZ5d3f9Xr5wzW2x3E4vDkCZTEJ+3
MD5:	5D2BD0DA80A8E62789209A0EDAB83B1D
SHA1:	757F87BD301AA6F57CE838BE3153B8830921B501
SHA-256:	EAB3120F77B545B22123182F21EC23BEDE944108CC3C684E7BD282F7049B5535
SHA-512:	FE38763D90349CD0A6816E1EF7B49B6FDA6D7ED3102960F2033FD9FB24EA22FE28B49C0638D971B673D6E24C81FC03D7A414530007F68D005454C645E06F1898
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	224632
Entropy (8bit):	5.619874211696376
Encrypted:	false
SSDEEP:	3072:zr8WDrCrNzQsUdR7ROPHKTeA+EyBEBsLj6mCv0MC+8w+l+jDYgb:PupzrUdH7+Ey6yxCyncDYgb
MD5:	C13590C04F1E3D09263F396F200D3452
SHA1:	3DFBDA0E787B01FA3F39AA2852C2EFAA2BBE9DD7
SHA-256:	F1D24A7B92913E56B479B077CA38CF87F4153D9154AF1FFC1B27F2DC03C3408A
SHA-512:	8A32E90E9C1C3C326EB225B63FE0D2FABC7E4E2C7ADF8367E4016180D004F7DAFFF0ED24FC398F04CBF95EF6DB4F8F87F4AD21F76141AD2BF8351F4C11AD04B5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1922888
Entropy (8bit):	6.541750856572876
Encrypted:	false
SSDEEP:	49152:BxzduwxBjJMXDUlxqK/PDLWf+kfilcOk+4AgAQx:9uADax
MD5:	49F38F9FA23BAA8E1B8F5FF1B370B96B
SHA1:	B1B947630361E3C9B0B9CD17A2E95BF193EA427A
SHA-256:	1A36E884AA4A5DD09F648BB3DE9F89206DCFFF49A37B1164E5F5477F1FA24D79
SHA-512:	20DFF8A6AF31281E0F566CE03A60BECB36C99AF79493C0B06FC12C34003B00238990971E8E2D840554D96BD69A23B1BF506AFDA46B71D2908E75B640D574624C
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	431256
Entropy (8bit):	5.900901024115435
Encrypted:	false
SSDEEP:	6144:Pu4DBRMKC2DARcy85smiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVL3:zDBRPC23DWqOhf
MD5:	165B08FB9A429B745E9E168D329EB478
SHA1:	AC79D629D68A6177ADB43161D3731AF138802511
SHA-256:	3CB517BD21BD184AEA460E8925C81B16A8D6DD26D394AD9123F8C2AD943E6E8B
SHA-512:	F740313E067A29A4DFC358AA960B8E73AE350CA3F34FB851209E3505E49349B0A736BA0C5015CE6494DB43021B9A118CBD3BE3E467642F1F7AFD47EC0DF85519
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175056
Entropy (8bit):	5.99353613364511
Encrypted:	false
SSDEEP:	3072:zr8WDrCVBGrjhgGcKTeA4yJjAYykykBdg+FoQOJb/B1a:PuVgfhFAYykySfUb/B1a
MD5:	12C030EA2C1A9660563DEE8B7A25B079
SHA1:	A6FDE7087411C992CDE0D4E87E622C0C3A015527
SHA-256:	1F140237E5B5DAB4789F967B50E6994E1D9307B25ACB2E521CB72692B0EA44C7
SHA-512:	A39A033F4756D8068F60568BCADB9BE8A0AE8593A44AD72BDD069DEA4280C137FFD78D0CE04B359409EA3EA8FF5A6E8B5A56032D7952FBEF35FB95BCE556C5EA
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3158376
Entropy (8bit):	6.463770375021316
Encrypted:	false
SSDEEP:	49152:M7Inw/bT9uzlAndnpufoDbRwU/xv3lNOsWReEQZeEO1QOiPQOo4r+U:I/VmUAYrj
MD5:	F747D7C1167AE52C17B8EE2B2B648F50
SHA1:	7F99741F5EE38CEB68388AD913638C34AD9BDD81
SHA-256:	BDF99F70C03F23725102CB413F9069900350E5911F4566CFB5447284D4B28256
SHA-512:	A983A8C9114BFB32DCB2E42CF907EABC41B7DDF335B661F1BBCFA35C59CB238A2C0B1864F95F76B781BAD0198F82E0E25BC3754D8AA349AAF999FA70501413B3
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1309536
Entropy (8bit):	6.494467247437919
Encrypted:	false
SSDEEP:	24576:/vbIUnHtg+i54V0tqDNbu5kDIPQy+NTD4XnFzr:/zXzdMkDIPQy+Nv4Vr
MD5:	2E10137A170646449F276989631090FB
SHA1:	809AB6D6099509DF331284F36A8B8AD463C3A9D2
SHA-256:	7B9223995309B804C92D3244ACB070FC23B4A6FCAFFAD882CF7EA87C451C2A50
SHA-512:	C6F93A90B753C9FC3CE8655A95C358A2892AE8CFC11E615B9443F1317D3FE5699E98A752B100AF12A253064DC4F0E7DB570B06D86DEE4374422DB8C9C0117A6A
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	922960
Entropy (8bit):	6.460975970387529
Encrypted:	false
SSDEEP:	12288:R9/Bro8OEYbhEdbsrg4Sxz2/Sl92ncG15fQ224i5pQ+pouCcqC7D4:n/BrnYuqFcL3pQ+pYmE
MD5:	8620D3407D835BF915F0FFF81B796100
SHA1:	BECA62BD742B85C5DAE7E40C12E224540FE5D527
SHA-256:	FC8B94FB0206DE6668B6F6711EFAF59F21E5814AAD2D097729AB830929310383
SHA-512:	BC5AD43D7A563BCA425B22A199F49F9C2D1851FEAFACB7C74AECDB11845C0D24BA0B511D63A56E3B7CD3ADF81965FA70340B3DBAF8DAEE66A23DEADDBF218A86
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B85.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Nov 19 08:07:30 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	155916
Entropy (8bit):	1.8114689390090422
Encrypted:	false
SSDEEP:	384:W7XQ1NR5VN6SgNSs6DGIgGz7bz6k3pH8khuioRfX9:W7gzR5VN6Scd6DGZGz3z6k3pH8kh/
MD5:	A3D0E0349FCFC813D7F928A9F61F8A18
SHA1:	19587FA90A4E0B5CA179621EE966A38F4C7DFA00
SHA-256:	3DF12EAF40FB79ED1774889B97418366D246065F632219DA5F4CF53C38F0148A
SHA-512:	B0CC8434D21EFFC174007553316226F465A4826C1DB1BE842252236514836AF98053F9F271225F13B4ED55ADD8952E5C67C6DD5A5B82A398D3F184F05F79593D
Malicious:	false
Preview:	MDMP..a..... .......BG<g............t...............\|.......T...jL..........T.......8...........T............8...)..........T...........@...............................................................................eJ..............GenuineIntel............T...........2G<g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E64.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8316
Entropy (8bit):	3.703961050981205
Encrypted:	false
SSDEEP:	192:R6l7wVeJGB6F6YYf6AR5gmfmupDi89bvK8sfSFIm:R6lXJ46F6YY6AR5gmfmgvKPfkN
MD5:	6BBAD3C7E411EB4EC76A417F59E53077
SHA1:	94555F9F4D33881D74D431C9578CCA6F517D83AA
SHA-256:	9141AD98E50C6617AA7A1E636A13AC170D972400F080F068DC6886FFE38BB463
SHA-512:	B65B58FBBE8F0790943F6EC93B4FE8C13524E2AA19CF7ACC9592AF55539CF71835DD7DC5AFA882A624CD1CC07EBE608385D8BD2682E31771C03AFD4EF9BE90F3
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F11.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4565
Entropy (8bit):	4.455295026967999
Encrypted:	false
SSDEEP:	48:cvIwWl8zshJg77aI99inWpW8VYdYm8M4JQDFk+q8c1qfdghfd:uIjfzI7WW7VZJbrKghfd
MD5:	8933A9AA85CAE053CDA9B323137CF0DC
SHA1:	66B4C951E23A9F3E5213480076776A7C4E6C4FC2
SHA-256:	E55FB13A80AEC8AB12F92F4DB814ED6F4FA9617D801564CB94D50F99DC32B085
SHA-512:	A2ACB9AC17FDDF60BAB2B259F0CEFABA6D885BA25EC9F7D468BECB8EB4E6639465D494CFCCAAE22B9C6A5BF405CA86F15806C82771D47324A63B29BD3062DC4C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594670" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	692064
Entropy (8bit):	7.194014407923939
Encrypted:	false
SSDEEP:	12288:IskY7gjcjhVIEhqgM7bWvcsi6aVUfIy+U40vy3W/ceKSHMsiFyY6XNmnMwJ:IsZgjS1hqgSC/izkfFjymk4HM5yJwMK
MD5:	449FF18CECF6F5F51192A3B2DED55D19
SHA1:	344C9315CC65A9A8B57B7CA713EDDCFC00BD7A93
SHA-256:	0F891BFC3F74490937A0A339092EC8515409EC972B0EE12A7F3A21EA039CD706
SHA-512:	474720A4D8E0E992343DE1A897072C9062A5149E4F235013A28DF8C1DBA19020EA894231C1AAB7F5B3C041FD67CF3B2A26E5B25C7D6901FB4B0BEFCCB57957B4
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\702ccb25-2628-401c-954c-163d19289f6b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44682
Entropy (8bit):	6.09710890696794
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xL/DLmZDtIYsbQfCFUvKwWE7RTupzKscDX//NPC1oV:z/Ps+wsI7yO6tIYDKoRTuiVIoV
MD5:	7E9DEEC6DC02258A5FBD012E2D08B189
SHA1:	B4C4CCECD554E91E40FDC70C86C9B67F4291C2BB
SHA-256:	6A272D6AA27902CF094843F985EE0059043E1BA43CD0E168FA9B446BFAFF60CD
SHA-512:	1D4F8D444A067CCF041FAF94A4DB66ED53E522AC3D74496EF25E85C33A943934A115F2383D6B3E2D4A9C46159B546ED001C96E5C48E858F3A16D24321D3C78D0
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\92a104a4-2767-4f3c-9e02-dd219a03b8aa.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	44621
Entropy (8bit):	6.09713887024349
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kCDLmZDtIYCgQ37FDKwWE7RTupzKscDX//NPC1os:z/Ps+wsI7ynptIYuKoRTuiVIos
MD5:	39395D3C57DCBA41CF3F4DD5CDA596BD
SHA1:	1BE3B59BA151B183E804808F32D1CF6E04925209
SHA-256:	322FA583C7CF396D2A88DED93D8CE99EBDA8668ACD92DDA08C0369DA0A1D912D
SHA-512:	FB55D03111A65F3640CCBF2089BEC84EEF54CF41814144D2B2B26178B64DEF3DA06E89659D45B0F7097395951915270D842808DFC0BF10986A053D5D81B764B0
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\9343b7b8-345f-46c9-b3fb-57950281c97f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44681
Entropy (8bit):	6.097125985201856
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xLMDLmZDtIYsbQfCFUvKwWE7RTupzKscDX//NPC1os:z/Ps+wsI7yODtIYDKoRTuiVIos
MD5:	7F00B07F0802D0F2BA53CB901607E1BB
SHA1:	4CCECD4086BC815376BCF0C7E5FE601DEB432858
SHA-256:	9F2339F29D540C8E909425A6078420779958A1C93BC5E80986C946773C429162
SHA-512:	DE68722ECA31BADB83AD317EC54957E53D629F023D86811D13E7EFA713564EE78B3B1200C893B88F894D24F63C6AD0C965E57E8C3AF192748155572E26B9DC40
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\9c8ce125-89c1-4a50-9882-ae3999240af3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44071
Entropy (8bit):	6.091501755696675
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xL/4LmZSPxceCFUcwWE7RTupzKscDX//NPC1oV:z/Ps+wsI7yOCEoRTuiVIoV
MD5:	EBC65720AC91FC7F1AE547A1A81895A8
SHA1:	9F382CBF060C5D85F77D016CD2A9E4C50E271953
SHA-256:	AC5A71EBE6E812316D21AB35FCD44F91334EFE6915E920AD8E8D9D9D2336D61E
SHA-512:	FC890141F017A93F1BE0A04C87A92BB2689AE6F112C0D2EC654667A1DF3F42107E9D2CCD97E4F1FEF1B4CF2332BE08BBD922FE15E033C521FF2492F7BAB654BE
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-673C4738-5B0.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.047928165961392384
Encrypted:	false
SSDEEP:	192:LCK6U0pqtm/8LnOAQ5Y0JPi6VBK/7+G1gsX1PIcq5EvjBzhc5N9Mf+RQ9ab/lE7s:L96U0ctJq8q8K6hMimXle08T2RGOD
MD5:	244A7539807FD0C91F94287427E014D8
SHA1:	07253D9889053F65A78CF180660F69AC01E20FD6
SHA-256:	3174C5BAD52395657CBCD036697A65AD659ADC133F50C4587B84C3A55A12E13A
SHA-512:	BC99C37969F98C0FDE97406BB67B12FCBC69AEE64FF97431E7D2CB78EBBA2C58CB65628E0034DCF41E952504BB371DAFF5DAB8DFC09C4CEF7C4BCB8888554E16
Malicious:	false
Preview:	...@..@...@.....C.].....@................k..P[..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?.......".abjlmo20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...j....... .8.@..............!......................w..U...&..`v.>.........."....."...24.."."h5wmA/c+VK/+HCTGwU1TrwNY52XBTo9O05htSkjnNRA=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z...V.-../Q@..$...SF@.......Y@.......4@.......Y@.......Y@.......Y@.......Y@................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@.......Y@.......Y@2............... .2........6...... .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-673C473B-1C84.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.3239363415067256
Encrypted:	false
SSDEEP:	3072:Vb7ipLd4v47tDNO4aaEz2/JMIKar5rwp+41OhE0hlpqP3W7ClQK5Ff4+W8edAUgG:50d1FprM+4KSkaHWslHB+D
MD5:	A4A33AA847335A5665F413672017016B
SHA1:	FC7155ADB6A527B2A95D1A12D3BA9562095C7822
SHA-256:	7B409ADF21F9B63BDA318F51E656D53706A6DCB62BB69D330D8788BB5269713B
SHA-512:	4AB91F3F66C3537C540AE8EE7A1FC215B362E6F1FDAF4DF2FB972A8316237B34482A13B7059541AEC78F0D9CD98EAFFF3C7B0A2E21CE74AEAB26AD6C81F5BCD3
Malicious:	false
Preview:	...@..@...@.....C.].....@...............`3...2..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB*...Windows NT..10.0.190452....x86_64..?.......".abjlmo20,1(.0..8..B....(.....10.0.19041.5462.Google Inc. (Google):bANGLE (Google, Vulkan 1.3.0 (SwiftShader Device (Subzero) (0x0000C0DE)), SwiftShader driver-5.0.0)M..BU..Be...?j...GenuineIntel... .. ..............x86_64...J../T...^o..J...Y...^o..J..w....^o..J..A....^o..J..1H...^o..J....c..^o..J...c=..^o..J....J..^o..J..3.(..^o..J.......^o..J...b.J.^o..J...#...^o..J....k..^o..J..?....^o..J..S..O.^o..J..l.zL.^o..J..@."..^o..J..?U...^o..J..!..h.^o..J..z{...^o..J..n....^o..J..0....^o..J....%.^o..J...I.r.^o..J.......^o..J..ZK...^o..J.....^o..J.......^o..J...'x#.^o..J......^o..J....\.^o..J.......^o.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.195531555605597
Encrypted:	false
SSDEEP:	3:FiWWltlMpKoKuNoDZbkDURSHxig5ABVP/Sh/JzvNKIUBUhX9USWXQPWllt:o1GVKCoD4Hxi2ABVsJDZYeulX+W/
MD5:	B43C738AB1422F16D60B4C4B49CC7DF2
SHA1:	98C07F5F5E4F25C2BC0B2B5E6A3A2245F7D18215
SHA-256:	C28208A8D5052C44515333D67BE35E9900BB0C1E68DECF8C8CDC8DB67DE51E4C
SHA-512:	07A58D40C283CBDB4063D1EF70EBDAFF8E84CB47F530B939FA25195F9652976CB3E439F315A18D732128E60B5F2856DC1CA42E814DE45F2301DC143A0D22798E
Malicious:	false
Preview:	sdPC.........................TJ.[Y....."h5wmA/c+VK/+HCTGwU1TrwNY52XBTo9O05htSkjnNRA="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................ecadf109-1d88-4bd2-8ebf-85346832b43e............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\0d41d117-4f42-4ede-ace7-b3a66695005d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24718
Entropy (8bit):	5.58682842647285
Encrypted:	false
SSDEEP:	768:4iMDXtWY1RftD8F1+UoAYDCx9Tuqh0VfUC9xbog/OVvZLXzrwFTpztugr:4iMDXtWY1RftDu1jas1XIPtBr
MD5:	080A0393DF72F77F22D96113C58C7D9A
SHA1:	7376C9B2895F72249C9297DCBF06FDB1F3C08CA1
SHA-256:	DC0964EF7F6D028A24751CBF03E9F4BB792C1D9F05DD474E8E23A60FD76918ED
SHA-512:	5C0C56B89EBF5A7A0FC2D3E9130B8E942F44AB18383337C836E85CCC3907710742B3887F7CA3B73EFBF1FE9681F94CD51194B0D78E3AF80345D9BFB8C8D9D4A3
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13376477244643453","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13376477244643453","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\46180b17-ec2d-49bc-96a1-0c3cf09ab806.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\486d96e3-eb50-441f-a65e-2cedc46a2d8d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7510
Entropy (8bit):	5.090293332106113
Encrypted:	false
SSDEEP:	192:stI3s8Hsa34kkrsY8bV+FiA4jq7NICPLMJ:stI3s8HbnbGixu7NIl
MD5:	AD6FF7AF06091A08309090E5613FE63C
SHA1:	07FB22A35C286B1DEE5A350DC5E53B54F74E7A8C
SHA-256:	2BEB31750D68588DB3598FC4C79F57BDA0E11DB1186F8CC63917AF3A59222006
SHA-512:	08398A502FE01572C14DD1E5430F7B628C5AF3FBF5C65B15F8286EC1232FEED31033E6CE9F5F1CB3E11EAFC3A2F3FC5AF454E9A7972B88E6351A96EB6B5CCD13
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376477245601789","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13376477245600140"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\64535eb8-62fd-430f-9d88-0762200f82b8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7675
Entropy (8bit):	5.089484873020526
Encrypted:	false
SSDEEP:	192:stI3s8Hsa34kkrsY8bV+FiA4q7f7NICPLMJ:stI3s8HbnbGixkf7NIl
MD5:	E95889BC274E082EF8463850D1849714
SHA1:	05EE51B8AA7BBE1D5CD31575FEE498770EA3133F
SHA-256:	79AE8E52D3CE943AD9AEB07EC18F91D7F9F92770428B2E4CBB9A1D0E449F9D3F
SHA-512:	E459637B47B9E84CE87F525A882F31ACB275FD651E0657D74CF119BFB9B2E9DBC0A0CC3B1ADA133EE373EABE1F85A0BFE004F8A073757A4F4258701697BB366E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376477245601789","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13376477245600140"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\6d31a2c4-cb6c-4bdc-9e3b-e0d64c071608.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24719
Entropy (8bit):	5.586407236411198
Encrypted:	false
SSDEEP:	768:4iMDXtWY1RfUD8F1+UoAYDCx9Tuqh0VfUC9xbog/OVvZLXzrwBTpztuy:4iMDXtWY1RfUDu1jas1XIjtF
MD5:	ED339E4165246CE001B4F92D8EF4503E
SHA1:	37898442D30F95D947CEFBCCDD64446A5035EC67
SHA-256:	F006921B3AB09A7731BFCF7EA6E74A70FCED98C4EBE6FF69A4795E8DA330434E
SHA-512:	961FFE267A8114A42F9791FFB1B177957727515A197400EEFB800FB0FE8BFBAA002AB37DB573F84B6D8FC20BCC5143DDE9B566A285E9E8F1E3A21684C5D29349
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13376477244643453","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13376477244643453","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\8b8e2d48-4f8a-4e28-b2bc-64cc20b1c5eb.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7510
Entropy (8bit):	5.090398503497406
Encrypted:	false
SSDEEP:	192:stI3s8Hsa34kkrsY8bV+FiA4oq7NICPLMJ:stI3s8HbnbGixj7NIl
MD5:	76301AD800DAA83B4BE944C4BE8F9D42
SHA1:	3A676AA5C3EE3A6F261E207BBF9F15C2D10CD03B
SHA-256:	FDEC3D60819809CEBE24073A84B73FBFA30F163084FC65ECE482A1DCB82E58B4
SHA-512:	04448226D429AD0699F35C7510495D8AB6F92EFA116DCC10228577085779722B5B8F5487628285DAD3FC6B7B1FFC02001F10F53B76CF3D0B668EE6F49794FBB5
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376477245601789","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13376477245600140"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	336
Entropy (8bit):	5.198535531565205
Encrypted:	false
SSDEEP:	6:HU8VgT+q2PCHhJ23oH+Tcwt9Eh1tIFUt8YU8VguZmw+YU8Vg2fVkwOCHhJ23oH+8:UqvBYeb9Eh16FUt81u/+1Y56Yeb9Eh1H
MD5:	A1E6A4ECBCCD109B8C174753D7311660
SHA1:	0A5FE429FA6EB42DD9514CA86CAE599AFC199F1A
SHA-256:	7FF5CB8A53DA970453B1163A9F930201A5B050AD8BAE15123DF6B8656A364540
SHA-512:	3E502126CB6849A512912E6EFB218294B18466625BA603977E46E1D6321A7EA5B861DF3C288E9D65F3AE429518DCEF3FDAE9D391527DFE3F8BCEB58A66BFAB60
Malicious:	false
Preview:	2024/11/19-03:07:36.515 2028 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/MANIFEST-000001.2024/11/19-03:07:36.527 2028 Recovering log #3.2024/11/19-03:07:36.554 2028 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.198535531565205
Encrypted:	false
SSDEEP:	6:HU8VgT+q2PCHhJ23oH+Tcwt9Eh1tIFUt8YU8VguZmw+YU8Vg2fVkwOCHhJ23oH+8:UqvBYeb9Eh16FUt81u/+1Y56Yeb9Eh1H
MD5:	A1E6A4ECBCCD109B8C174753D7311660
SHA1:	0A5FE429FA6EB42DD9514CA86CAE599AFC199F1A
SHA-256:	7FF5CB8A53DA970453B1163A9F930201A5B050AD8BAE15123DF6B8656A364540
SHA-512:	3E502126CB6849A512912E6EFB218294B18466625BA603977E46E1D6321A7EA5B861DF3C288E9D65F3AE429518DCEF3FDAE9D391527DFE3F8BCEB58A66BFAB60
Malicious:	false
Preview:	2024/11/19-03:07:36.515 2028 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/MANIFEST-000001.2024/11/19-03:07:36.527 2028 Recovering log #3.2024/11/19-03:07:36.554 2028 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.251950817693604
Encrypted:	false
SSDEEP:	6:HU8VT+q2PCHhJ23oH+TcwtnG2tMsIFUt8YU8V4XZmw+YU8VRVkwOCHhJ23oH+Tci:evBYebn9GFUt8vX/+G56Yebn95J
MD5:	74BD6EEA760522B1828AD6B08843B084
SHA1:	5CA9406E017A4E2D87A70CAB9A5882716F77786C
SHA-256:	A63822738CD54E6057800DB8C950861A4E9402A8A1255C3EE4CD8FD1D52CB719
SHA-512:	AF0DE2905ED33025D7FCB39DA3926CD52AB46A6DEDE06C1D1E48D9E21C8E5228B31CFF3A55C1BFA3F2FCB4FB75FA0241ED7363EDD3E12DF5C317F64DA1B1D812
Malicious:	false
Preview:	2024/11/19-03:07:25.114 1d38 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/11/19-03:07:25.115 1d38 Recovering log #3.2024/11/19-03:07:25.116 1d38 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.251950817693604
Encrypted:	false
SSDEEP:	6:HU8VT+q2PCHhJ23oH+TcwtnG2tMsIFUt8YU8V4XZmw+YU8VRVkwOCHhJ23oH+Tci:evBYebn9GFUt8vX/+G56Yebn95J
MD5:	74BD6EEA760522B1828AD6B08843B084
SHA1:	5CA9406E017A4E2D87A70CAB9A5882716F77786C
SHA-256:	A63822738CD54E6057800DB8C950861A4E9402A8A1255C3EE4CD8FD1D52CB719
SHA-512:	AF0DE2905ED33025D7FCB39DA3926CD52AB46A6DEDE06C1D1E48D9E21C8E5228B31CFF3A55C1BFA3F2FCB4FB75FA0241ED7363EDD3E12DF5C317F64DA1B1D812
Malicious:	false
Preview:	2024/11/19-03:07:25.114 1d38 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/11/19-03:07:25.115 1d38 Recovering log #3.2024/11/19-03:07:25.116 1d38 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	551
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWWWWWWWWW
MD5:	47755D758FF3B7335CA27F6313D4C2BE
SHA1:	6CC4C834FF24B973F044F6BA0F42833CBE28B92B
SHA-256:	1744842F55053137F5A2505747766DECEBABA068C91AE3D80A9FA37AF60C106E
SHA-512:	70E4E13CA6652D06040121BA4E4CADB2ADE5D577CF7530270F7FE9BEB8E362AF256050FA6CAC162A32DBA3FDA9F136AE8F670A5C86A50046B37E48D7E332861F
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.216302136439439
Encrypted:	false
SSDEEP:	6:HU8VF+q2PCHhJ23oH+Tcwt8aPrqIFUt8YU8V0mWZmw+YU8VVRVkwOCHhJ23oH+Ts:J+vBYebL3FUt8RmW/+WRV56YebQJ
MD5:	F4ED24F3C254A33FB7C63596AA7B412E
SHA1:	D9332741380E183C109A1096FE07CADC633ED2F6
SHA-256:	18F1AD1D0BE1DC5001B1AD4E3A7FAC7B4F8FF52007936775B4E0DA9EB2A8D295
SHA-512:	FEAD7E12AFFE003F93030B1903D0C36ECBB2050CA39AE79A80D48D5B0ED79B1F27AE2EDDF2D4072217744EDEB21D130D12113D6276A9AC94E65271DA1A5D75FA
Malicious:	false
Preview:	2024/11/19-03:07:25.117 1d3c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/11/19-03:07:25.118 1d3c Recovering log #3.2024/11/19-03:07:25.119 1d3c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.216302136439439
Encrypted:	false
SSDEEP:	6:HU8VF+q2PCHhJ23oH+Tcwt8aPrqIFUt8YU8V0mWZmw+YU8VVRVkwOCHhJ23oH+Ts:J+vBYebL3FUt8RmW/+WRV56YebQJ
MD5:	F4ED24F3C254A33FB7C63596AA7B412E
SHA1:	D9332741380E183C109A1096FE07CADC633ED2F6
SHA-256:	18F1AD1D0BE1DC5001B1AD4E3A7FAC7B4F8FF52007936775B4E0DA9EB2A8D295
SHA-512:	FEAD7E12AFFE003F93030B1903D0C36ECBB2050CA39AE79A80D48D5B0ED79B1F27AE2EDDF2D4072217744EDEB21D130D12113D6276A9AC94E65271DA1A5D75FA
Malicious:	false
Preview:	2024/11/19-03:07:25.117 1d3c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/11/19-03:07:25.118 1d3c Recovering log #3.2024/11/19-03:07:25.119 1d3c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.202426997193088
Encrypted:	false
SSDEEP:	6:HU8VYN+q2PCHhJ23oH+Tcwt865IFUt8YU8VeWZmw+YU8V1VkwOCHhJ23oH+TcwtD:g+vBYeb/WFUt8nW/+SV56Yeb/+SJ
MD5:	C61F16441C832EE445A6B35E437BFCB4
SHA1:	26FD94CE24879AC1A19DFAD2C5F49D37F1093DBC
SHA-256:	23B05CD44072E0B1B1EB9776E00CDB4C23A7C92BE5B7F5B7B513DE33A0DAD0CD
SHA-512:	436FFDF2F98CAEE7BC2557498CA35FAB6059DDD2C02EC91593425BF6350A3BF017A8C9ACF8FBE68E56791359BB2FB206A1CB63A789C3FB613CBC440728889B6B
Malicious:	false
Preview:	2024/11/19-03:07:25.121 1d3c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/11/19-03:07:25.122 1d3c Recovering log #3.2024/11/19-03:07:25.122 1d3c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.202426997193088
Encrypted:	false
SSDEEP:	6:HU8VYN+q2PCHhJ23oH+Tcwt865IFUt8YU8VeWZmw+YU8V1VkwOCHhJ23oH+TcwtD:g+vBYeb/WFUt8nW/+SV56Yeb/+SJ
MD5:	C61F16441C832EE445A6B35E437BFCB4
SHA1:	26FD94CE24879AC1A19DFAD2C5F49D37F1093DBC
SHA-256:	23B05CD44072E0B1B1EB9776E00CDB4C23A7C92BE5B7F5B7B513DE33A0DAD0CD
SHA-512:	436FFDF2F98CAEE7BC2557498CA35FAB6059DDD2C02EC91593425BF6350A3BF017A8C9ACF8FBE68E56791359BB2FB206A1CB63A789C3FB613CBC440728889B6B
Malicious:	false
Preview:	2024/11/19-03:07:25.121 1d3c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/11/19-03:07:25.122 1d3c Recovering log #3.2024/11/19-03:07:25.122 1d3c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW:
MD5:	914FD8DC5F9A741C6947E1AB12A9D113
SHA1:	6529EFE14E7B0BEA47D78B147243096408CDAAE4
SHA-256:	8BE3C96EE64B5D2768057EA1C4D1A70F40A0041585F3173806E2278E9300960B
SHA-512:	2862BF83C061414EFA2AC035FFC25BA9C4ED523B430FDEEED4974F55D4450A62766C2E799D0ACDB8269210078547048ACAABFD78EDE6AB91133E30F6B5EBFFBD
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.247699367655687
Encrypted:	false
SSDEEP:	6:HU8VXTq2PCHhJ23oH+Tcwt8NIFUt8YU8VXrJZmw+YU8VXrDkwOCHhJ23oH+Tcwt2:/vBYebpFUt8YJ/+YD56YebqJ
MD5:	64E51A919E7CAD94DA384428AACFF89B
SHA1:	6C2C2F8303A8E80B849F5F6154A1231EDC1866AD
SHA-256:	451DFBF7628F350731868D419DA2C16F6870EB2CD664C3F03E4CD927B9046FD3
SHA-512:	9E2FC55CEADD7461B37042EDDD4BB90860139BBCF949E7BF892F8B04D44E8705BDB2B647E3C112420386D23862FECD6057D209EAE34B00539587AE4D9C30FBCF
Malicious:	false
Preview:	2024/11/19-03:07:25.676 1cf4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/11/19-03:07:25.677 1cf4 Recovering log #3.2024/11/19-03:07:25.677 1cf4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.247699367655687
Encrypted:	false
SSDEEP:	6:HU8VXTq2PCHhJ23oH+Tcwt8NIFUt8YU8VXrJZmw+YU8VXrDkwOCHhJ23oH+Tcwt2:/vBYebpFUt8YJ/+YD56YebqJ
MD5:	64E51A919E7CAD94DA384428AACFF89B
SHA1:	6C2C2F8303A8E80B849F5F6154A1231EDC1866AD
SHA-256:	451DFBF7628F350731868D419DA2C16F6870EB2CD664C3F03E4CD927B9046FD3
SHA-512:	9E2FC55CEADD7461B37042EDDD4BB90860139BBCF949E7BF892F8B04D44E8705BDB2B647E3C112420386D23862FECD6057D209EAE34B00539587AE4D9C30FBCF
Malicious:	false
Preview:	2024/11/19-03:07:25.676 1cf4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/11/19-03:07:25.677 1cf4 Recovering log #3.2024/11/19-03:07:25.677 1cf4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	0.2191763562065486
Encrypted:	false
SSDEEP:	3:Knl7ntFlljq7A/mhWJFuQ3yy7IOWUbSl4/dweytllrE9SFcTp4AGbNCV9RUIhn:KnK75fOxS+/d0Xi99pEY3n
MD5:	DF0FE12E3CF4E18308199FE89A56B2B7
SHA1:	547A58C42A677A67EA15F9DADEBB4075B13B5178
SHA-256:	F5E368FB564290744EF9D15536F9F6CF5DC6502E2A42325989B1948E22260D2C
SHA-512:	19CE7065F63DFF2FC6591B860F8F7304C6372E96BC8404EB2B20956EA36E03F8F16A2D492296ABF47BA64EC73C53A0DA9815CE13631037279E9C20C53C95158A
Malicious:	false
Preview:	..............IK...&....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	408
Entropy (8bit):	5.331754843247033
Encrypted:	false
SSDEEP:	12:A4vBYeb8rcHEZrELFUt8YZ/+Yz56Yeb8rcHEZrEZSJ:zBYeb8nZrExg8o6Yeb8nZrEZe
MD5:	D1FC77D7FD50698B37F552C0D2727C26
SHA1:	A92F6C3DD9914E8BDA9E35A1704858AE3F59074C
SHA-256:	A96B5AA19E4A4F5EB8F5A37E97537D87F299E96E4D87FA84351A8B9D4F6C402C
SHA-512:	97F1E66EBB024C2E7D17645A7804CDD5022CFA64239CD0A8DD918833AE11F1B9616F54940CF04DC7BF0857D9F83692D162661AC6FB3E3709534B01FD16FDD88C
Malicious:	false
Preview:	2024/11/19-03:07:27.667 1cf4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.2024/11/19-03:07:27.668 1cf4 Recovering log #3.2024/11/19-03:07:27.668 1cf4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	408
Entropy (8bit):	5.331754843247033
Encrypted:	false
SSDEEP:	12:A4vBYeb8rcHEZrELFUt8YZ/+Yz56Yeb8rcHEZrEZSJ:zBYeb8nZrExg8o6Yeb8nZrEZe
MD5:	D1FC77D7FD50698B37F552C0D2727C26
SHA1:	A92F6C3DD9914E8BDA9E35A1704858AE3F59074C
SHA-256:	A96B5AA19E4A4F5EB8F5A37E97537D87F299E96E4D87FA84351A8B9D4F6C402C
SHA-512:	97F1E66EBB024C2E7D17645A7804CDD5022CFA64239CD0A8DD918833AE11F1B9616F54940CF04DC7BF0857D9F83692D162661AC6FB3E3709534B01FD16FDD88C
Malicious:	false
Preview:	2024/11/19-03:07:27.667 1cf4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.2024/11/19-03:07:27.668 1cf4 Recovering log #3.2024/11/19-03:07:27.668 1cf4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.206804716019958
Encrypted:	false
SSDEEP:	6:HU8VZA/Oq2PCHhJ23oH+Tcwt8a2jMGIFUt8YU8VZA/XZmw+YU8VZzkwOCHhJ23oL:F0OvBYeb8EFUt8I0X/+Iz56Yeb8bJ
MD5:	869FF8BB414FC98A766A7BE7DE6B7005
SHA1:	0BF28F470DCDA96B081C25162465AEBB88700CA7
SHA-256:	8A10E5D6BD8BEBAD0632804F198EB64DFE94D8E55F0601E125EC45F2E4C77C48
SHA-512:	4A8B75EECCAB8E433E27CB8D87B182E0A5736546F275EC5075F330F6E7270832126999648FA07B8EDE9B558210211417BFC89E5A4FEB5E8325D1220E061D6FF0
Malicious:	false
Preview:	2024/11/19-03:07:25.894 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/11/19-03:07:25.894 1e24 Recovering log #3.2024/11/19-03:07:25.897 1e24 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.206804716019958
Encrypted:	false
SSDEEP:	6:HU8VZA/Oq2PCHhJ23oH+Tcwt8a2jMGIFUt8YU8VZA/XZmw+YU8VZzkwOCHhJ23oL:F0OvBYeb8EFUt8I0X/+Iz56Yeb8bJ
MD5:	869FF8BB414FC98A766A7BE7DE6B7005
SHA1:	0BF28F470DCDA96B081C25162465AEBB88700CA7
SHA-256:	8A10E5D6BD8BEBAD0632804F198EB64DFE94D8E55F0601E125EC45F2E4C77C48
SHA-512:	4A8B75EECCAB8E433E27CB8D87B182E0A5736546F275EC5075F330F6E7270832126999648FA07B8EDE9B558210211417BFC89E5A4FEB5E8325D1220E061D6FF0
Malicious:	false
Preview:	2024/11/19-03:07:25.894 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/11/19-03:07:25.894 1e24 Recovering log #3.2024/11/19-03:07:25.897 1e24 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\7939178b-5d19-4f07-a902-3c1c71ade229.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF2a2ae.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\b28d6acc-bb93-4666-a1ce-0c8555c8ed02.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\dfbbcf43-3c42-481b-8610-207db5ce0ed7.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7510
Entropy (8bit):	5.090398503497406
Encrypted:	false
SSDEEP:	192:stI3s8Hsa34kkrsY8bV+FiA4oq7NICPLMJ:stI3s8HbnbGixj7NIl
MD5:	76301AD800DAA83B4BE944C4BE8F9D42
SHA1:	3A676AA5C3EE3A6F261E207BBF9F15C2D10CD03B
SHA-256:	FDEC3D60819809CEBE24073A84B73FBFA30F163084FC65ECE482A1DCB82E58B4
SHA-512:	04448226D429AD0699F35C7510495D8AB6F92EFA116DCC10228577085779722B5B8F5487628285DAD3FC6B7B1FFC02001F10F53B76CF3D0B668EE6F49794FBB5
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376477245601789","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13376477245600140"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF2dc7b.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7510
Entropy (8bit):	5.090398503497406
Encrypted:	false
SSDEEP:	192:stI3s8Hsa34kkrsY8bV+FiA4oq7NICPLMJ:stI3s8HbnbGixj7NIl
MD5:	76301AD800DAA83B4BE944C4BE8F9D42
SHA1:	3A676AA5C3EE3A6F261E207BBF9F15C2D10CD03B
SHA-256:	FDEC3D60819809CEBE24073A84B73FBFA30F163084FC65ECE482A1DCB82E58B4
SHA-512:	04448226D429AD0699F35C7510495D8AB6F92EFA116DCC10228577085779722B5B8F5487628285DAD3FC6B7B1FFC02001F10F53B76CF3D0B668EE6F49794FBB5
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376477245601789","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13376477245600140"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF30754.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7510
Entropy (8bit):	5.090398503497406
Encrypted:	false
SSDEEP:	192:stI3s8Hsa34kkrsY8bV+FiA4oq7NICPLMJ:stI3s8HbnbGixj7NIl
MD5:	76301AD800DAA83B4BE944C4BE8F9D42
SHA1:	3A676AA5C3EE3A6F261E207BBF9F15C2D10CD03B
SHA-256:	FDEC3D60819809CEBE24073A84B73FBFA30F163084FC65ECE482A1DCB82E58B4
SHA-512:	04448226D429AD0699F35C7510495D8AB6F92EFA116DCC10228577085779722B5B8F5487628285DAD3FC6B7B1FFC02001F10F53B76CF3D0B668EE6F49794FBB5
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376477245601789","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13376477245600140"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF3737b.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7510
Entropy (8bit):	5.090398503497406
Encrypted:	false
SSDEEP:	192:stI3s8Hsa34kkrsY8bV+FiA4oq7NICPLMJ:stI3s8HbnbGixj7NIl
MD5:	76301AD800DAA83B4BE944C4BE8F9D42
SHA1:	3A676AA5C3EE3A6F261E207BBF9F15C2D10CD03B
SHA-256:	FDEC3D60819809CEBE24073A84B73FBFA30F163084FC65ECE482A1DCB82E58B4
SHA-512:	04448226D429AD0699F35C7510495D8AB6F92EFA116DCC10228577085779722B5B8F5487628285DAD3FC6B7B1FFC02001F10F53B76CF3D0B668EE6F49794FBB5
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376477245601789","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13376477245600140"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24718
Entropy (8bit):	5.58682842647285
Encrypted:	false
SSDEEP:	768:4iMDXtWY1RftD8F1+UoAYDCx9Tuqh0VfUC9xbog/OVvZLXzrwFTpztugr:4iMDXtWY1RftDu1jas1XIPtBr
MD5:	080A0393DF72F77F22D96113C58C7D9A
SHA1:	7376C9B2895F72249C9297DCBF06FDB1F3C08CA1
SHA-256:	DC0964EF7F6D028A24751CBF03E9F4BB792C1D9F05DD474E8E23A60FD76918ED
SHA-512:	5C0C56B89EBF5A7A0FC2D3E9130B8E942F44AB18383337C836E85CCC3907710742B3887F7CA3B73EFBF1FE9681F94CD51194B0D78E3AF80345D9BFB8C8D9D4A3
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13376477244643453","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13376477244643453","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences~RF2d6ce.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24718
Entropy (8bit):	5.58682842647285
Encrypted:	false
SSDEEP:	768:4iMDXtWY1RftD8F1+UoAYDCx9Tuqh0VfUC9xbog/OVvZLXzrwFTpztugr:4iMDXtWY1RftDu1jas1XIPtBr
MD5:	080A0393DF72F77F22D96113C58C7D9A
SHA1:	7376C9B2895F72249C9297DCBF06FDB1F3C08CA1
SHA-256:	DC0964EF7F6D028A24751CBF03E9F4BB792C1D9F05DD474E8E23A60FD76918ED
SHA-512:	5C0C56B89EBF5A7A0FC2D3E9130B8E942F44AB18383337C836E85CCC3907710742B3887F7CA3B73EFBF1FE9681F94CD51194B0D78E3AF80345D9BFB8C8D9D4A3
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13376477244643453","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13376477244643453","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	194
Entropy (8bit):	2.8096948641228403
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljljljljljljljl:S85aEFljljljljljljljl
MD5:	D7D9437445AA960DCEA52FFE772822DC
SHA1:	C2BBF4AC0732D905D998C4F645FD60F95A675D02
SHA-256:	4FF49903BEC1197017A35995D5C5FC703CAF9D496467345D783F754B723D21C1
SHA-512:	335EB1BA85670550ED1E1E4E14EA4B5D14F8306125BF147A42DE4DEF5E5F75F14C422B014414030CF30378C04F748AC875CF056ADDA196511A0B057B3598FE9A
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f.................&f.................&f.................&f.................&f.................&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.140452203612464
Encrypted:	false
SSDEEP:	6:HU8Vdoq2PCHhJ23oH+TcwtrQMxIFUt8YU8VdE9Zmw+YU8VdfuGzkwOCHhJ23oH+L:RovBYebCFUt8W0/+WfuGz56YebtJ
MD5:	D43E87928713F450A3A559BC31F667B3
SHA1:	E85BEE7F2A99E0173A3412A2B9C4D2160D419A4C
SHA-256:	92696A0E8882D12466CB2E9F10B60F4F26E671EB96219BC41715DC690B7FC560
SHA-512:	E04B1CDB6F8AF541184E44B914A1730B861D3F163AFA2A1C0BB0793E222CC7EB42DB5A501766A499D3CF84DFD8E9C5ADE33554E66A5E972203AFCE4C7DEB6198
Malicious:	false
Preview:	2024/11/19-03:07:41.899 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/11/19-03:07:41.900 1e24 Recovering log #3.2024/11/19-03:07:41.903 1e24 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.140452203612464
Encrypted:	false
SSDEEP:	6:HU8Vdoq2PCHhJ23oH+TcwtrQMxIFUt8YU8VdE9Zmw+YU8VdfuGzkwOCHhJ23oH+L:RovBYebCFUt8W0/+WfuGz56YebtJ
MD5:	D43E87928713F450A3A559BC31F667B3
SHA1:	E85BEE7F2A99E0173A3412A2B9C4D2160D419A4C
SHA-256:	92696A0E8882D12466CB2E9F10B60F4F26E671EB96219BC41715DC690B7FC560
SHA-512:	E04B1CDB6F8AF541184E44B914A1730B861D3F163AFA2A1C0BB0793E222CC7EB42DB5A501766A499D3CF84DFD8E9C5ADE33554E66A5E972203AFCE4C7DEB6198
Malicious:	false
Preview:	2024/11/19-03:07:41.899 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/11/19-03:07:41.900 1e24 Recovering log #3.2024/11/19-03:07:41.903 1e24 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.124644696123584
Encrypted:	false
SSDEEP:	6:HU8Vw+q2PCHhJ23oH+Tcwt7Uh2ghZIFUt8YU8VNmWZmw+YU8VNNVkwOCHhJ23oHT:s+vBYebIhHh2FUt85W/+EV56YebIhHLJ
MD5:	3A48EBD15F18BCF0264530D77C089632
SHA1:	1F48E45AD945B855AFBD1BC6872E081FFEE5A705
SHA-256:	43A96C07DCE5D46303422B3C528A0955E505B53A67786B973DE2E84CF3ABDCB4
SHA-512:	9B22BDBC638A0B0BC92E40C6B3720AF02309A0ED7A561B1FFE3EA87F6E5DC875E310F12F1DE4BF05361B3847E9C2DD497EBBB5E3EB63C856EC0D69DF78EE90C3
Malicious:	false
Preview:	2024/11/19-03:07:25.110 1d3c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/11/19-03:07:25.111 1d3c Recovering log #3.2024/11/19-03:07:25.111 1d3c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.124644696123584
Encrypted:	false
SSDEEP:	6:HU8Vw+q2PCHhJ23oH+Tcwt7Uh2ghZIFUt8YU8VNmWZmw+YU8VNNVkwOCHhJ23oHT:s+vBYebIhHh2FUt85W/+EV56YebIhHLJ
MD5:	3A48EBD15F18BCF0264530D77C089632
SHA1:	1F48E45AD945B855AFBD1BC6872E081FFEE5A705
SHA-256:	43A96C07DCE5D46303422B3C528A0955E505B53A67786B973DE2E84CF3ABDCB4
SHA-512:	9B22BDBC638A0B0BC92E40C6B3720AF02309A0ED7A561B1FFE3EA87F6E5DC875E310F12F1DE4BF05361B3847E9C2DD497EBBB5E3EB63C856EC0D69DF78EE90C3
Malicious:	false
Preview:	2024/11/19-03:07:25.110 1d3c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/11/19-03:07:25.111 1d3c Recovering log #3.2024/11/19-03:07:25.111 1d3c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	434
Entropy (8bit):	5.23241075813072
Encrypted:	false
SSDEEP:	6:HU8VEmq2PCHhJ23oH+TcwtzjqEKj3K/2jMGIFUt8YU8VGfZmw+YU8VNNzkwOCHhv:wmvBYebvqBQFUt8V/++Nz56YebvqBvJ
MD5:	5A60A09B6F06FDF0376A141058DD49A4
SHA1:	CE5EBFB514B465DDB8917B1572E614B219075EB9
SHA-256:	D71766D073E8C87FBECC6E6996AAE04D3C610C1C8CBC52FF2AD173C62F438224
SHA-512:	87C6FC14242465B06BF94E443C7E8000C1E41E892501FD5E3BF91A6F9EE7CE6AF6DFE76C3FA449C7463318872762CDAE79AA4532D58585B9EE1E8280066C8EA8
Malicious:	false
Preview:	2024/11/19-03:07:25.917 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2024/11/19-03:07:25.919 1e24 Recovering log #3.2024/11/19-03:07:25.921 1e24 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	434
Entropy (8bit):	5.23241075813072
Encrypted:	false
SSDEEP:	6:HU8VEmq2PCHhJ23oH+TcwtzjqEKj3K/2jMGIFUt8YU8VGfZmw+YU8VNNzkwOCHhv:wmvBYebvqBQFUt8V/++Nz56YebvqBvJ
MD5:	5A60A09B6F06FDF0376A141058DD49A4
SHA1:	CE5EBFB514B465DDB8917B1572E614B219075EB9
SHA-256:	D71766D073E8C87FBECC6E6996AAE04D3C610C1C8CBC52FF2AD173C62F438224
SHA-512:	87C6FC14242465B06BF94E443C7E8000C1E41E892501FD5E3BF91A6F9EE7CE6AF6DFE76C3FA449C7463318872762CDAE79AA4532D58585B9EE1E8280066C8EA8
Malicious:	false
Preview:	2024/11/19-03:07:25.917 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2024/11/19-03:07:25.919 1e24 Recovering log #3.2024/11/19-03:07:25.921 1e24 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\25040347-573d-471f-b4a2-9e46465e693d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\780f82f9-99b7-4e73-8f10-4a62e8a0e9d5.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x7, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.3886039372934488
Encrypted:	false
SSDEEP:	24:TLqEeWOT/kIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:T2EeWOT/nDtX5nDOvyKDhU1cSB
MD5:	DEA619BA33775B1BAEEC7B32110CB3BD
SHA1:	949B8246021D004B2E772742D34B2FC8863E1AAA
SHA-256:	3669D76771207A121594B439280A67E3A6B1CBAE8CE67A42C8312D33BA18854B
SHA-512:	7B9741E0339B30D73FACD4670A9898147BE62B8F063A59736AFDDC83D3F03B61349828F2AE88F682D42C177AE37E18349FD41654AEBA50DDF10CD6DC70FA5879
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	80
Entropy (8bit):	3.4921535629071894
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljl:S85aEFljl
MD5:	69449520FD9C139C534E2970342C6BD8
SHA1:	230FE369A09DEF748F8CC23AD70FD19ED8D1B885
SHA-256:	3F2E9648DFDB2DDB8E9D607E8802FEF05AFA447E17733DD3FD6D933E7CA49277
SHA-512:	EA34C39AEA13B281A6067DE20AD0CDA84135E70C97DB3CDD59E25E6536B19F7781E5FC0CA4A11C3618D43FC3BD3FBC120DD5C1C47821A248B8AD351F9F4E6367
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	422
Entropy (8bit):	5.21525872878204
Encrypted:	false
SSDEEP:	6:HU8VKZzIq2PCHhJ23oH+TcwtzjqEKj0QMxIFUt8YU8VjZmw+YU8VVzkwOCHhJ237:eNIvBYebvqBZFUt8Q/+E56YebvqBaJ
MD5:	8F2AA388B1F32CFC4AA73D56F6AB4F53
SHA1:	5A7E467C5EEF80B5CF3CE807BDFEFAE47439586E
SHA-256:	0785219F58EC94DF6024123B85E07D3C4E9E66C5633A6CFEF72259D15A77D8F2
SHA-512:	5E2E12E4A5C28C5509EDEFACA4E76603FF44533E187756DA320966945F65CC1BAD4EC6D891AC68EE54E1039AAABBB8367C632FE2C6D81E0E564920DC6B3AF624
Malicious:	false
Preview:	2024/11/19-03:07:42.213 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2024/11/19-03:07:42.214 1e24 Recovering log #3.2024/11/19-03:07:42.218 1e24 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	422
Entropy (8bit):	5.21525872878204
Encrypted:	false
SSDEEP:	6:HU8VKZzIq2PCHhJ23oH+TcwtzjqEKj0QMxIFUt8YU8VjZmw+YU8VVzkwOCHhJ237:eNIvBYebvqBZFUt8Q/+E56YebvqBaJ
MD5:	8F2AA388B1F32CFC4AA73D56F6AB4F53
SHA1:	5A7E467C5EEF80B5CF3CE807BDFEFAE47439586E
SHA-256:	0785219F58EC94DF6024123B85E07D3C4E9E66C5633A6CFEF72259D15A77D8F2
SHA-512:	5E2E12E4A5C28C5509EDEFACA4E76603FF44533E187756DA320966945F65CC1BAD4EC6D891AC68EE54E1039AAABBB8367C632FE2C6D81E0E564920DC6B3AF624
Malicious:	false
Preview:	2024/11/19-03:07:42.213 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2024/11/19-03:07:42.214 1e24 Recovering log #3.2024/11/19-03:07:42.218 1e24 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.219750588427962
Encrypted:	false
SSDEEP:	6:HU8VRhyq2PCHhJ23oH+TcwtpIFUt8YU8VRhs1Zmw+YU8VRh6RkwOCHhJ23oH+TcM:NkvBYebmFUt8Aa1/+Ac56YebaUJ
MD5:	B4797CB1114021945C7FB05EEA8AEA62
SHA1:	ECC5EC5CF9D91259448264D3957D5857D77EBC9F
SHA-256:	EFAA3A80F17001A6930BB0A63C7774DC350D0FC02FC4E118B0FD8290002FB01C
SHA-512:	23E04D8026308694BD08A060AA309A09BF6D24096C65FF4D8E66B0A218B9DD3865AB01EE9D7ED0CC569773D16FE009DCB708225AA3C9F8C055BF92865B5D5A4A
Malicious:	false
Preview:	2024/11/19-03:07:25.091 1d30 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/11/19-03:07:25.092 1d30 Recovering log #3.2024/11/19-03:07:25.092 1d30 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.219750588427962
Encrypted:	false
SSDEEP:	6:HU8VRhyq2PCHhJ23oH+TcwtpIFUt8YU8VRhs1Zmw+YU8VRh6RkwOCHhJ23oH+TcM:NkvBYebmFUt8Aa1/+Ac56YebaUJ
MD5:	B4797CB1114021945C7FB05EEA8AEA62
SHA1:	ECC5EC5CF9D91259448264D3957D5857D77EBC9F
SHA-256:	EFAA3A80F17001A6930BB0A63C7774DC350D0FC02FC4E118B0FD8290002FB01C
SHA-512:	23E04D8026308694BD08A060AA309A09BF6D24096C65FF4D8E66B0A218B9DD3865AB01EE9D7ED0CC569773D16FE009DCB708225AA3C9F8C055BF92865B5D5A4A
Malicious:	false
Preview:	2024/11/19-03:07:25.091 1d30 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/11/19-03:07:25.092 1d30 Recovering log #3.2024/11/19-03:07:25.092 1d30 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1217763036768513
Encrypted:	false
SSDEEP:	192:72qAdB9TbTbuDDsnxCkhSAE+WslKOMq+8QbnVcxjONC4Je5Q:72qOB1nxCkhSAELyKOMq+8QTQKC+
MD5:	FB5CFC2323F96D8C3E1784C53FEF477F
SHA1:	1AB0EC1D4186AA60A900327B407197731FCBAC29
SHA-256:	1DDE0C3068E6FD0AC888995AAEC4F679DF0CA02CFDAB435C084F8805C2E3498A
SHA-512:	EFCB5BCBB6741DA0E18AFEA94854541F9D61A9E4D6DCABEDDD58841F31764FACD106F3A8ED6CC72A4962C8A29404D9FC286D06E3536ADD801F0547B3A48AB8B4
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\bcd7aa6d-7754-4e36-81d4-cd856cb68ce5.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7510
Entropy (8bit):	5.090398503497406
Encrypted:	false
SSDEEP:	192:stI3s8Hsa34kkrsY8bV+FiA4oq7NICPLMJ:stI3s8HbnbGixj7NIl
MD5:	76301AD800DAA83B4BE944C4BE8F9D42
SHA1:	3A676AA5C3EE3A6F261E207BBF9F15C2D10CD03B
SHA-256:	FDEC3D60819809CEBE24073A84B73FBFA30F163084FC65ECE482A1DCB82E58B4
SHA-512:	04448226D429AD0699F35C7510495D8AB6F92EFA116DCC10228577085779722B5B8F5487628285DAD3FC6B7B1FFC02001F10F53B76CF3D0B668EE6F49794FBB5
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13376477245601789","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340968290017037","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13376477245600140"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\f4d032fa-8e2c-47a9-9f37-8dad8147f076.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.049668671001406366
Encrypted:	false
SSDEEP:	6:Gd0YuR/0YuJL9XCChslotGLNl0ml/XoQDeX:zUZpEjVl/XoQ
MD5:	DFF02F6AD8462530628ED63D4C9E0456
SHA1:	BC1139867E7795A3A81DDF8F43775A563AE23143
SHA-256:	AD1E91AFACFF982CAA17FC20F8D5D59183E1682120387CD24C5AA6B9E52C8667
SHA-512:	29C671EAE0F24F3E3E76A3E8410BE03E6902A9D7F6BBCC2A72A67F82AD590916730E252080808AE7BD8AB8D6F77A9F2ECA31124FA6D8D902D37F9FE6009B8352
Malicious:	false
Preview:	..-......................yL.J.<.XE6.:...+&...7j..-......................yL.J.<.XE6.:...+&...7j........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	5.5162431731744315
Encrypted:	false
SSDEEP:	48:t2z8vSBS6QDPCHRHUxaIYjIYwzwqkRMYjMYJyHAlkfAlkp3J:kH06QyIYjIYwzwbRMYjMY8YcY83J
MD5:	EB2F0B69CE421C9228893C24EC318BAF
SHA1:	5C9057C19367B7BF5BD9C33573CBEDE0E40CFD41
SHA-256:	613F19035067A1A8017A4390E55A22C8270640D0FCD8DF669066DC3C7C5EDDB1
SHA-512:	D2E26B5C21E5EEB2F33589C885AAF71CC55E3FF5C2A4994FDD1689A9CCBAD7F10D90D81550E901265BEB3A04FAD4FB7FA54614FDB631EE4D41510F716EAF824B
Malicious:	false
Preview:	A..r.................20_1_1...1.,U.................20_1_1...1....0................39_config..........6.....n ....1u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=................A.G.................4_IPH_CompanionSidePanel...IPH_CompanionSidePanel....$4_IPH_CompanionSidePanelRegionSearch(."IPH_CompanionSidePanelRegionSearch.....4_IPH_DownloadToolbarButton...IPH_DownloadToolbarButton....&4_IPH_FocusHelpBubbleScreenReaderPromo*.$IPH_FocusHelpBubbleScreenReaderPromo.....4_IPH_GMCCastStartStop...IPH_GMCCastStartStop.....4_IPH_HighEfficiencyMode...IPH_HighEfficiencyMode.....4_IPH_LiveCaption...IPH_LiveCaption.....4_IPH_PasswordsAccountStorage!..IPH_PasswordsAccountStorage...."4_IPH_PasswordsWebAppProfileSwitch&. IPH_PasswordsWebAppProfileSwitch....-4_IPH_PriceInsightsPageActionIconLabelFeature1.+IPH_PriceInsightsPageActionIconLabelFeat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.263922172246528
Encrypted:	false
SSDEEP:	6:HU8VXDq2PCHhJ23oH+TcwtfrK+IFUt8YU8VXbXZZmw+YU8VXbXzkwOCHhJ23oH+t:PvBYeb23FUt8AJ/+AD56Yeb3J
MD5:	0CC6554E46E19EA4D6343C174DEF3E1E
SHA1:	AE96B84175B4752E1EAF4799DDD30653D5B12110
SHA-256:	ABAC7451D487372BA90987C5CC44DD37D90D2F1DE5E7268E1DD4A8BDF40134C7
SHA-512:	F856FFCB2B3C1AC165030827530642953835EC948997D2BD02A309D32A12518D11F8FE8733F562AF49860BD5F8794F3FFFD57439FB3B64FD5CED88020A54B9B9
Malicious:	false
Preview:	2024/11/19-03:07:25.632 1cf4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/11/19-03:07:25.633 1cf4 Recovering log #3.2024/11/19-03:07:25.633 1cf4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.263922172246528
Encrypted:	false
SSDEEP:	6:HU8VXDq2PCHhJ23oH+TcwtfrK+IFUt8YU8VXbXZZmw+YU8VXbXzkwOCHhJ23oH+t:PvBYeb23FUt8AJ/+AD56Yeb3J
MD5:	0CC6554E46E19EA4D6343C174DEF3E1E
SHA1:	AE96B84175B4752E1EAF4799DDD30653D5B12110
SHA-256:	ABAC7451D487372BA90987C5CC44DD37D90D2F1DE5E7268E1DD4A8BDF40134C7
SHA-512:	F856FFCB2B3C1AC165030827530642953835EC948997D2BD02A309D32A12518D11F8FE8733F562AF49860BD5F8794F3FFFD57439FB3B64FD5CED88020A54B9B9
Malicious:	false
Preview:	2024/11/19-03:07:25.632 1cf4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/11/19-03:07:25.633 1cf4 Recovering log #3.2024/11/19-03:07:25.633 1cf4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	865
Entropy (8bit):	4.046212061862141
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3p/Uz0RuWlJhC+lvBavRtin01zvZDEtlkyBrgxvBH2Vtgs2W:G0nYUtypD3RUovhC+lvBOL+t3IvBmtFn
MD5:	CC7FC366FEE21379F07DD9BA0CACDB88
SHA1:	05BE9EE7B4F6D4C8B80EFCB9D2BA5D62AC6845AC
SHA-256:	2216EC3A08EA86589477A650BC1635373F651975CF50CE69FA72712B0B9CB0EC
SHA-512:	367317234A2D0297F28ADD76504F5FBA5396EAE19F831406B3324FE01D04A714C19AB1FEC2D3503E2B4B80536647F188E7E5A511F41888407D32D1AD660F4E50
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....<.J\|.................37_...... .A.................38_..........................39_........].................20_.....Owa..................20_.....`..N.................19_.....D8.X.................18_......`...................37_..........................38_......\e..................39_.....dz.\|.................9_.....'\c..................9_.......f-.................__global... .\|.&R.................__global... ./....................__global... ..T...................__global... ..)9..................3_........r.................4_......r...................3_.....L.(t.................4_.....

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.267358936972058
Encrypted:	false
SSDEEP:	6:HU8VXXSqq2PCHhJ23oH+TcwtfrzAdIFUt8YU8VXXLRFZZmw+YU8VXXLRFzkwOCHX:RvBYeb9FUt8ejZ/+ejz56Yeb2J
MD5:	965A175578E229A9F12223E63DA5F411
SHA1:	95941A878867125BB0FA507F94856BF7D7E4BBFB
SHA-256:	3EDFF978D61D6D71E145C0DBBDD4D4D643BECD308A96FC8FC97B68C2EAF15FAC
SHA-512:	CAD982F4B9B985CF47F9D268845226A50FA170F0F3A4F90A03DF83E5B9CA3F62A9E6F02E71E9C9A5874D256F8FEAEA7D9B4A309EF71D46BEA6D577E5A874A208
Malicious:	false
Preview:	2024/11/19-03:07:25.627 1cf4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/11/19-03:07:25.628 1cf4 Recovering log #3.2024/11/19-03:07:25.628 1cf4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.267358936972058
Encrypted:	false
SSDEEP:	6:HU8VXXSqq2PCHhJ23oH+TcwtfrzAdIFUt8YU8VXXLRFZZmw+YU8VXXLRFzkwOCHX:RvBYeb9FUt8ejZ/+ejz56Yeb2J
MD5:	965A175578E229A9F12223E63DA5F411
SHA1:	95941A878867125BB0FA507F94856BF7D7E4BBFB
SHA-256:	3EDFF978D61D6D71E145C0DBBDD4D4D643BECD308A96FC8FC97B68C2EAF15FAC
SHA-512:	CAD982F4B9B985CF47F9D268845226A50FA170F0F3A4F90A03DF83E5B9CA3F62A9E6F02E71E9C9A5874D256F8FEAEA7D9B4A309EF71D46BEA6D577E5A874A208
Malicious:	false
Preview:	2024/11/19-03:07:25.627 1cf4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/11/19-03:07:25.628 1cf4 Recovering log #3.2024/11/19-03:07:25.628 1cf4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	3.143272870858976
Encrypted:	false
SSDEEP:	3:XgabNZo/3jBi5nvLCoOlflZAUAl:XM/TSnWZVkBl
MD5:	EB9E4AF4E5478C0DC2F9090411AF2684
SHA1:	79AD059420D1245C5E598F201A66BF3558F30772
SHA-256:	0E13B2A33CBF12C0BCD4FA85AFB4147938201726E65FAE9A2AC346DBD26D6091
SHA-512:	6AC0981F24FE76C2A1A0627C4FB2A680D6E2C8DC37CC271B3D18587BFF7BAE7AFD0AC036C3B6CEA3CA73D64AC3EBD5F7B088266E7EAB3904F747C733DB2D7269
Malicious:	false
Preview:	C.:.\.P.R.O.G.R.A.~.2.\.M.I.C.R.O.S.~.1.\.E.d.g.e.\.A.P.P.L.I.C.~.1.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.09054024111369
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kxCLmZtEtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynCtGhOxqQoRTuiVIos
MD5:	6B311915973A722A3919B885BF379906
SHA1:	A9ABF29E883202029CE53517EF776DC03B060FA1
SHA-256:	DC87724D9C214E1C098481236FD566699536AB40BAE369044E4C9FF872E4954F
SHA-512:	D4B90E0902AF09796BF7AB669A19460BD3606FA26BD38A42A61FE64A42B30BC813B5D3C0AA1D01F3BFB248D4571E3A306C86DE62B0B1B97FF1C72B701DD4432F
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF26354.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.09054024111369
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kxCLmZtEtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynCtGhOxqQoRTuiVIos
MD5:	6B311915973A722A3919B885BF379906
SHA1:	A9ABF29E883202029CE53517EF776DC03B060FA1
SHA-256:	DC87724D9C214E1C098481236FD566699536AB40BAE369044E4C9FF872E4954F
SHA-512:	D4B90E0902AF09796BF7AB669A19460BD3606FA26BD38A42A61FE64A42B30BC813B5D3C0AA1D01F3BFB248D4571E3A306C86DE62B0B1B97FF1C72B701DD4432F
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF26363.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.09054024111369
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kxCLmZtEtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynCtGhOxqQoRTuiVIos
MD5:	6B311915973A722A3919B885BF379906
SHA1:	A9ABF29E883202029CE53517EF776DC03B060FA1
SHA-256:	DC87724D9C214E1C098481236FD566699536AB40BAE369044E4C9FF872E4954F
SHA-512:	D4B90E0902AF09796BF7AB669A19460BD3606FA26BD38A42A61FE64A42B30BC813B5D3C0AA1D01F3BFB248D4571E3A306C86DE62B0B1B97FF1C72B701DD4432F
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF26d18.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.09054024111369
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kxCLmZtEtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynCtGhOxqQoRTuiVIos
MD5:	6B311915973A722A3919B885BF379906
SHA1:	A9ABF29E883202029CE53517EF776DC03B060FA1
SHA-256:	DC87724D9C214E1C098481236FD566699536AB40BAE369044E4C9FF872E4954F
SHA-512:	D4B90E0902AF09796BF7AB669A19460BD3606FA26BD38A42A61FE64A42B30BC813B5D3C0AA1D01F3BFB248D4571E3A306C86DE62B0B1B97FF1C72B701DD4432F
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF29234.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.09054024111369
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kxCLmZtEtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynCtGhOxqQoRTuiVIos
MD5:	6B311915973A722A3919B885BF379906
SHA1:	A9ABF29E883202029CE53517EF776DC03B060FA1
SHA-256:	DC87724D9C214E1C098481236FD566699536AB40BAE369044E4C9FF872E4954F
SHA-512:	D4B90E0902AF09796BF7AB669A19460BD3606FA26BD38A42A61FE64A42B30BC813B5D3C0AA1D01F3BFB248D4571E3A306C86DE62B0B1B97FF1C72B701DD4432F
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF35739.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.09054024111369
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kxCLmZtEtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynCtGhOxqQoRTuiVIos
MD5:	6B311915973A722A3919B885BF379906
SHA1:	A9ABF29E883202029CE53517EF776DC03B060FA1
SHA-256:	DC87724D9C214E1C098481236FD566699536AB40BAE369044E4C9FF872E4954F
SHA-512:	D4B90E0902AF09796BF7AB669A19460BD3606FA26BD38A42A61FE64A42B30BC813B5D3C0AA1D01F3BFB248D4571E3A306C86DE62B0B1B97FF1C72B701DD4432F
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37e49.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.09054024111369
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kxCLmZtEtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynCtGhOxqQoRTuiVIos
MD5:	6B311915973A722A3919B885BF379906
SHA1:	A9ABF29E883202029CE53517EF776DC03B060FA1
SHA-256:	DC87724D9C214E1C098481236FD566699536AB40BAE369044E4C9FF872E4954F
SHA-512:	D4B90E0902AF09796BF7AB669A19460BD3606FA26BD38A42A61FE64A42B30BC813B5D3C0AA1D01F3BFB248D4571E3A306C86DE62B0B1B97FF1C72B701DD4432F
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF3e86d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.09054024111369
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kxCLmZtEtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynCtGhOxqQoRTuiVIos
MD5:	6B311915973A722A3919B885BF379906
SHA1:	A9ABF29E883202029CE53517EF776DC03B060FA1
SHA-256:	DC87724D9C214E1C098481236FD566699536AB40BAE369044E4C9FF872E4954F
SHA-512:	D4B90E0902AF09796BF7AB669A19460BD3606FA26BD38A42A61FE64A42B30BC813B5D3C0AA1D01F3BFB248D4571E3A306C86DE62B0B1B97FF1C72B701DD4432F
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ2rjozQw:YQ3Kq9X0dMgAEwj2
MD5:	16B7586B9EBA5296EA04B791FC3D675E
SHA1:	8890767DD7EB4D1BEAB829324BA8B9599051F0B0
SHA-256:	474D668707F1CB929FEF1E3798B71B632E50675BD1A9DCEAAB90C9587F72F680
SHA-512:	58668D0C28B63548A1F13D2C2DFA19BCC14C0B7406833AD8E72DFC07F46D8DF6DED46265D74A042D07FBC88F78A59CB32389EF384EC78A55976DFC2737868771
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":2}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\c2192ed7-a9ec-42e6-a91f-1f0ac8f2a8b6.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44071
Entropy (8bit):	6.091513118678635
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xI/4LmZKPxceCFUcwWE7RTupzKscDX//NPC1oV:z/Ps+wsI7yO9EoRTuiVIoV
MD5:	CC1AC259D4BF7C66536A11ADE75C2C39
SHA1:	9FB22579A50EF07BE9100CC9DDCB5E25B24E9591
SHA-256:	888E699435B146B93EFADBAA3756E86F55C15832C3620DF65732AD985234702D
SHA-512:	F7310CBA093E51A53D3DDC0041270B5A3DD97512A93BA319ABDBED88B7050C8EFC2BFC4C304D16CAE07D06A4D7BF776D0F42D04B41E84FB2A2E4A843D23C1026
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\e37e2d82-7be2-4997-9dfb-38671bc2596e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44170
Entropy (8bit):	6.09054024111369
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kxCLmZtEtR96hOxq4gFkFDlwWE7RTupzKscDX//NPCh:z/Ps+wsI7ynCtGhOxqQoRTuiVIos
MD5:	6B311915973A722A3919B885BF379906
SHA1:	A9ABF29E883202029CE53517EF776DC03B060FA1
SHA-256:	DC87724D9C214E1C098481236FD566699536AB40BAE369044E4C9FF872E4954F
SHA-512:	D4B90E0902AF09796BF7AB669A19460BD3606FA26BD38A42A61FE64A42B30BC813B5D3C0AA1D01F3BFB248D4571E3A306C86DE62B0B1B97FF1C72B701DD4432F
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ea24e361-8cb2-423d-9667-dd68fb8e3828.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44071
Entropy (8bit):	6.091511776530107
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xL/4LmZKPxceCFUcwWE7RTupzKscDX//NPC1oV:z/Ps+wsI7yOaEoRTuiVIoV
MD5:	819FF3D185495FCE1274F299B10BADCA
SHA1:	20BFD2EBDAA88355827E8CA846E2F1F8C1AD36C3
SHA-256:	1E37C5433B56C32BD008DCAF480CD54CF5D0D444E34B6D0428C3FC1D8BAB3513
SHA-512:	51395D48CD71249FE9BC3B88FFB593B813B02F0C97F2BF3C915989D83FCF09949006628E84079524AB574437AC3317CD4A0C6DDC9E22F9882D67E5A6C7BDF29C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\fcdba1e3-d7f2-4ee3-8d84-99491c5a8284.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44621
Entropy (8bit):	6.09713887024349
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kCDLmZDtIYCgQ37FDKwWE7RTupzKscDX//NPC1os:z/Ps+wsI7ynptIYuKoRTuiVIos
MD5:	39395D3C57DCBA41CF3F4DD5CDA596BD
SHA1:	1BE3B59BA151B183E804808F32D1CF6E04925209
SHA-256:	322FA583C7CF396D2A88DED93D8CE99EBDA8668ACD92DDA08C0369DA0A1D912D
SHA-512:	FB55D03111A65F3640CCBF2089BEC84EEF54CF41814144D2B2B26178B64DEF3DA06E89659D45B0F7097395951915270D842808DFC0BF10986A053D5D81B764B0
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4A61AEE9-A64D-11EF-8C2C-ECF4BB45F69C}.dat

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	2.0478905547514143
Encrypted:	false
SSDEEP:	48:r3Go4wcrGW8cXcs4cz8PAQpO3BoT8PAQpLRo:Mwc2cXc5cz8Wu8
MD5:	03345C7C5DCB57B1D147EF35E9174321
SHA1:	05C4C804ACC3A0BD96E1B74578C571047BE3CCEB
SHA-256:	EEC790885BE5E407E8AD3878FBDD20352068D57D053CF209FC3509CAA6F2C806
SHA-512:	6E63E51A5EC3A61C2645A321E39B249324B2959B1021CE01013C7ACBBA1A3B0B89F46F2250791CFD0C9B6EF64E96E48753065AFE5662EBC1316D1D0F8152D549
Malicious:	false
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y...........................................................................................N.Z:................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8...............................................................F.r.a.m.e.L.i.s.t.......................................................................................................0.......O._.T.S.6.q.5.h.S.k.2.m.7.x.G.M.L.O.z.0.u.0.X.2.n.A.=.=.........:.......................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4A61AEEB-A64D-11EF-8C2C-ECF4BB45F69C}.dat

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.881310907443818
Encrypted:	false
SSDEEP:	12:rl0oXGFCrEgm8GE76FXOxrEgm8GE7qw9l4+rg0tnRYCDAyKP9l4+rg0tnRYCDAvk:rpG8COxG8F9l28nOBy49l28nOB
MD5:	81291E6F1ED0CF9A4615F1E37746A78A
SHA1:	E9653C142917657814009395F670A4AB952C160F
SHA-256:	5DF208EDBA8B8F98B5DE3F448A4B71D9A95DB716FA0C1D55CED963F77B9215D5
SHA-512:	E662F91837BE1A5E74117224A13BE07EFE072354D936C9BC44157CC17A28BC4928A8CCC107F297E33D3FC83B0103F90029B8CEE2EDEFC7A065128ABF35C62CA7
Malicious:	false
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y..........................................................................................3&.Z:......@.........K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.854310052023789
Encrypted:	false
SSDEEP:	48:uiTrlKxrgxOxl9Il8uY7hM+vIPlDbn6FipaD7hd1rc:mfYKNM+vIPlDbnuqaD7C
MD5:	BF4B028A85D7095A9F85008455515B34
SHA1:	3FF4571AA19D6965D58392B0D926E3AED1AF3CCC
SHA-256:	CB4AB452CC5B2A3E9857E78F731E776C3BF88A4291BAB7570A4B1551D3D70B02
SHA-512:	DA28BB6935AC9783053368458331E00816B8F73B505FD7711FB50606DB84E8BAEAC7B591531747942BCF5D7AAABD95667F7C560B7EF6077676FF4E9783095A3F
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.G.J.I.d.2.I.6.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.H.W.A.8.i.G.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	4.006878086668393
Encrypted:	false
SSDEEP:	96:WYKz0tNI1XVUybbed2UWs2B3YOC9fs1jrV1iGoSGvGJ:WCtWdVjikspOeU1jZYFGJ
MD5:	6D62C6FBB08BC65B58C9B759564402C4
SHA1:	71805DAB45BEAA3454E27B6B7FEA48718FD373C2
SHA-256:	75EDBE681EF5FDADFBA3D46C39864BF84EDC26EA7F1A2E407103671E350E44EA
SHA-512:	B09F0A66DEC005E19AEA83EDD1F1FC30A4A8FC2918F105074689770411545B07459FE87E9017062AD37D7F34F51B17AE11501DEC90193F1595C3281ABE15BCC0
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".3.C.1.L.X.F.o.6.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.H.W.A.8.i.G.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2684
Entropy (8bit):	3.8981120336542294
Encrypted:	false
SSDEEP:	48:uiTrlKx68Wa7xtxl9Il8uYcKzyVpcmuRS/b4lBmG+8K4yCxQlHQd/vc:azYKcoyoi/b4DmR8K4ykwJ
MD5:	B9937B9F6D50B2A9E0B3AA78EF41E6DC
SHA1:	19E995CD1581B0C6478427A5D2D526C5502C6B79
SHA-256:	499AA3A63574042D6D53781EAD2E75F61837109DBE050EB6A14675F98C9354B1
SHA-512:	0E61795F4DC16503EDF5902C6372949395415B114B37D23B8B32B1C471C9AB607E4E313FC5332672CB2C47985BE39E04F8DE42164F08FB89C3147AE3FEAFFCFA
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".6.N.3.U.y.9.n.A.U.E.q.s.5.u.9.6.E./.o.g.0.E./.V.J.A.g.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".6.C.K.f.i.y.t.Z.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.H.W.A.8.i.G.

C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1212928
Entropy (8bit):	6.414369473400902
Encrypted:	false
SSDEEP:	24576:7lwtjSFltv+l2d1fjtZCqaw+dRKPG3hjD7S4lwx:7mNSwl2tZg9KPanXmx
MD5:	CF530E5210C08CD0A8613AE62957628E
SHA1:	CE6E25EB1846FCF79BD0E4196AB065D390A0382D
SHA-256:	FF7CF09A3185F9970C054C7A54D038275579D0496E2C46DFD157190D9CABA8D2
SHA-512:	17E33B053BFBA414EF453BC56015DDC059CB7A6ADD9AB5201C7BC1973AC81B45CD5618C2C2F0E0022D0878B2477C5B0652DB0A7C5493FDDB68B27559ED6FA2FF
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w..u...u...u..i...u..j...u..j...u..si...u..j...u..wi...u..j...u...u..8w..w}D..u...S..u...S..&u...j..u...j...u...u...u..3s...u..Rich.u..........PE..L....}.Y.....................`...............P....@.........................................................................h0..@....0..Hu...........................................................................P...............................text....9.......@.................. ....rdata.......P.......P..............@....data........`.......`..............@....rsrc........0....... ............>.@....rmnet.............................. ......}.uu..P.......P.................. ...........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	97792
Entropy (8bit):	7.345675805687577
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrC5MXL5uXZnzEPf+hzRsibKplyXTq8OGRnsPFG+RODTbN:zr8WDrCawnYPmROzoTq0+RO7N
MD5:	91F8C5655E265566963C8110F8A9DE7B
SHA1:	B96F17997E415AEB3CDF82A68927AEAE232FEBAC
SHA-256:	CB9E615DCAF44187AD82F13EE4B711C38696C33E0FC25AA44309937BD571811F
SHA-512:	7E9B9612E3B4868AFB70C9DD6A94715FD0511043949A89CACEAD24E2369744525D0A411D92C6CC81F24F7E222E1BE37A0BA790DCB9ED7E8AB289E0D4F504F7D1
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\cbd5f64c-36f9-40d2-b7f4-9388f1696944.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 276634
Category:	dropped
Size (bytes):	242356
Entropy (8bit):	7.991210403664034
Encrypted:	true
SSDEEP:	6144:nvRDe2ei//LiBCNBs4vIVeMRhzb6d0X7ayNC:nde2edcbveZRFW0X2yk
MD5:	B73A9C52EF76DD9F575BDCF919B05902
SHA1:	A7ED2E7B5F85D6E502B538FDEBD91343D811E55A
SHA-256:	EF05EE3FA07D46FDDD88DA7760509F7BA658D3A9A5696004404F5A128349B323
SHA-512:	01EB2E462F3EDE544A66C0EEABA9172B668B6EA20D2FEF5A3DD2217E60ED42F70523F194B8901A48CDA3E55E1F65A14BAB2FBE3B34D2CB410B1939B9BB7B4CBC
Malicious:	false
Preview:	...........}.w..._..W.2...W.N&....I..k..'@..Y...c...~K..3vB....#.K.........R.Q.%.4......+.r.M?.\....l....q......Xo\..6.u..q.i.[V_...u..M0...LK......)KcyM.<#....q.$..n<..f5.'..V3oY.v.....k....f.kul...F..4.^..^.(r}.k..[...?.....Y..K.9.VZ..r.c.m..wL.n....L+7.fnY..j.r..v..;P..Xz....~..;....yO3.P.`.]H2u...]...zV....[..m...v;...6.....8.._.l...;NK..W.4...G.....4...>..F.xl.Z..B?.zAcZO.....VI.(}f..j.k..)._...z.72-h.Fj....o.WB..~.gO..5-da+PW....H..n......q......W..5.C.+m..u.~.<.....E.uf?.?...3.......$@+......Z..6..4...&..Mz..W..~...V-}@'.w....t..nx..,.....0b.:QR'..W\|#2b.....3}....wP.5.n..j.&...8q-H#O4.{/..G.....%.@(.&...M.5X,3(.d.L3~[.Yp.^.m../4...OB..u .=.7...:.N.k.m......... T..6!8......._. ..?..<...v...X.F.....<,....01.+...H.'....<...E......O..%P..-HH[M.......1[.7@H....eBJw.\|....x.....i.....i.&.B.A.L.l..T...6..z....4).Y.F.%.>.o.a6{vw.=..F....e..e\|.i.4.n.O-.1.FK.Z+..x@..$...?..C.....t....>...O...n.mN{.R .@.uNG...p.TT......9#=.z.j.....Oa..S.a;.

C:\Users\user\AppData\Local\Temp\chrome.exe

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	182272
Entropy (8bit):	6.778841629892176
Encrypted:	false
SSDEEP:	3072:zr8WDrCe7WLuzeHpl18fCtnRPF9EVnb43jaI5gr/uHqZLWfp2KkvL5kdnQB:PueqmCtnRPF9cCGr/uH0gkSdQB
MD5:	D307A8D049BC1C09C5C3B972F3609FD3
SHA1:	D84D853F3BD3E3DADFE2CB5E4A294B83780A3F3D
SHA-256:	C8FB712D11C1F2AE2BC71F58C2D859B0F2F45AA9ED88F6C9F42E89217D03DF48
SHA-512:	7D3DE68A9DC7AD364B0E8A37F8A56E556FF774537FDF93AF869BEA4CD14DDD3C0205BD74FBDD66FCDAB5F1FA6E9D5F10F3C8C66D99BF5235109DE51975A2BF7F
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\cv_debug.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	1527
Entropy (8bit):	5.408306740399364
Encrypted:	false
SSDEEP:	24:YJxF5sQ5szAW01Rp5yK10YO5qv70VhQu5Fa05Olxt5qOai5qOaAk5qOciLVp5M:YJxF5sQ5sEW01X5y60YO5qD0VH5Fa058
MD5:	4E1F83939F800B24366B842D81754C9B
SHA1:	7A3C16C3CC9AD5F4ABDC0852EC207873FAC9C9DB
SHA-256:	DD620248582E99AA415C5D1AA43890556210B1D94DC5E81A17DBDCBDCE19D08E
SHA-512:	68E99AFE109807A86F5280DC4E5D1276879D3B09216DC0E24A36B3F0F734CF61FED8910680E0B8C1288723EA0ED23C8E08BEC25A72C56A87675A8535F08FDBFE
Malicious:	false
Preview:	{"logTime": "1005/081724", "correlationVector":"2/PmMr7SOFFRIqTwW+HesJ","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/081729", "correlationVector":"mBsci4p0IuAlecFQAh3IDU","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/081729", "correlationVector":"EFCCE5F7ECC74238A0D17C500D8EB81C","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/083130", "correlationVector":"jkXXrPbML/1ucIa5c7okZ6","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/083130", "correlationVector":"CECEB17551BE48CCBF3DD12E07118D84","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/083241", "correlationVector":"WUtA7xoJfeUJPFSRRtPAng","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/083242", "correlationVector":"B7F67C44DD3147F7BE748158D3F8E7B5","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/083444", "correlationVector":"6kKZpL8SvSsrBcj/Fl+tva","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/083445", "correlationVector":"94D95442

C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031113762428177
Encrypted:	false
SSDEEP:	384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
MD5:	56B2C3810DBA2E939A8BB9FA36D3CF96
SHA1:	99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
SHA-256:	4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
SHA-512:	27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5023.tmp

Download File

Process:	C:\Windows\svchost.com
File Type:	data
Category:	modified
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Ta4n:l
MD5:	BFF7044267BB09B424FABBA7161713D0
SHA1:	A2E00B8C9114709049FA15897CA0A397DF3A00B1
SHA-256:	5DF5165599F437EDB4C7C8D622B24686B18BF930FF27CA3A8CD8EC156EDB425C
SHA-512:	93EB26BDFEC220F5715F96B5C95FC19128AE4AE91A59A82E6B51015BF509FD8D4820E0640D3668755DC3C9279F1608856A6EC63BBEB453EB1F260175DB024A77
Malicious:	false
Preview:	...C..&A

C:\Users\user\AppData\Local\Temp\~DF71BDFF1DBF95CC10.TMP

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08218886695036304
Encrypted:	false
SSDEEP:	6:yVQHR/l6dKFHR6llgUFAl3+ts8/FHR9CwWQHRl:yVQVF8Jq0tBFPCwWQn
MD5:	0145E478E7BD25CBD89431779AA2E94B
SHA1:	865DEAD57E456C60DDD92B3611F60C7DB38F2652
SHA-256:	3BF4064A4706653DA5EFD4B997FF253A90AE1354E59612ED31C1191A71827AC7
SHA-512:	161D533B21D96B8AAED5EF8763BD4A1649BCF07F21A8880D68264E32FC134AEE0C9BC2594DADD766594237E438C5A40B5C8CE85AC82E73BF04095CB51B550CB6
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD5545485F6BB745C.TMP

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.09654617012969507
Encrypted:	false
SSDEEP:	3:alFXEAUolllrllvE3lX9/Dl/OlyvlnPlgJl9llRsltFll2/lsllM/llQllblRfRS:a/vll4f2rgl3+tsMGVEBf5YCDAv9C
MD5:	1C1237DCB159B9C1E3813720CB174041
SHA1:	493906668F91B7563A39DE7612E5846F5850B207
SHA-256:	BD8B935A6DDF80A728589C8748C5DFCEC0ACB9AC99E87CF1186C7A733941AC10
SHA-512:	08F54272AAC0E174D7666C738C075B0C8443E62211FF5AA65247351FED6822756598FF467CE3912C5AB3E9358C75733077387DE92B60A6EE727781B4096E200D
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372066911021396
Encrypted:	false
SSDEEP:	6144:BFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguN+iL:nV1QyWWI/glMM6kF7sq
MD5:	5C202E3A4FC4B7E7D9A5E3B15DE195C9
SHA1:	443AA83A4F483AE84DA8D6D85C2143FA49550A74
SHA-256:	A96CCB75EFC67EFB8852D3BC0F15372E149CDED6A9646A2EBDEFDC81DDBE4A2B
SHA-512:	76E0D22BD32972665FC89D7589F29EEA9C6B7415850BE93C84FADA4564F468CB20FF09561418E04BD81AAA76B9A4FB3496A1162C3CFBD395EB1E6F956258F206
Malicious:	false
Preview:	regfC...B....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmf...Z:................................................................................................................................................................................................................................................................................................................................................. ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1716224
Entropy (8bit):	4.578819922494309
Encrypted:	false
SSDEEP:	6144:LFVfpi6ceLP/9skLmb0ayWWSPDaJG8nAge35OlMMhA2AX4WABlguN+iL:xV1QyWWS/glMM6kF7sq
MD5:	7830A465F1389E34A7832D7544FC5D4A
SHA1:	0A63118688D8F644E25CDE94B2BD8C39B1357BE6
SHA-256:	C255A210922924C9A4E126625161BD8B5835433D1A2BC42CA889D35E05CF13F5
SHA-512:	F9482D0A2D79E58ABDA55473810B7EF4569140CA61BF64F906668A50F9CEB5DAC559657787D9AFA259CDF63401C41ED848EAF59A5542C8B1971AF9D218E70DDB
Malicious:	false
Preview:	regfB...B....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmf...Z:................................................................................................................................................................................................................................................................................................................................................. HvLE........B....0..........1.*...@........0...@......hbin.................\.Z............nk,..\.Z....................h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........A...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t.......vk..<...............

C:\Windows\directx.sys

Download File

Process:	C:\Windows\svchost.com
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	162
Entropy (8bit):	4.995584616531937
Encrypted:	false
SSDEEP:	3:otkLt+56hsaM5B6RW5zQr4N81ZkQExmXiWdCutACovk1ZkLt+56hsoBCay:otkLtv6Hz6WOr4N8fkQE4CuvovkfkLt2
MD5:	83485B4616EBB9F614F256E459DF61BF
SHA1:	5E26A57CC2A6D1C0809CA4551A18769BC2B728FD
SHA-256:	CB7DF624E85C377E323126BEDE91D52A5A9C2495B601F77B14FCA1BAEFDF3FA3
SHA-512:	897198CE1856043B6B927B9C10980AB16444CAA2644B40751303EC3D6FD6AB602BC5C8B75241593B1061BF39B50208FB254252D015C6E9AF2EA9BE572A2C802C
Malicious:	true
Preview:	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe..C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe..C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe..

C:\Windows\svchost.com

Download File

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	6.262786282729797
Encrypted:	false
SSDEEP:	768:nyxqjQl/EMQt4Oei7RwsHxKANM0nDhlzOQdJE/rOFY:yxqjQ+P04wsZLnDrC31
MD5:	811C79A695A4715D805A61F5EF41264D
SHA1:	4B4FC6BFFD02C6ED72E136C10886D1A96BDFFBD1
SHA-256:	3995ABD6BA376CA9E8AC227C62E3689D03B9D062D39E604E1CE5B330A3A15BAC
SHA-512:	7CDCFF48B5DCB64D10E49BFE679429898787BAB4E49069AA15D9EB19B608FD219D5CC306E92D1667B2E14D5027BB0E1BFEEC6C2531654184F6145E5D81B3DF97
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.421233686406191
TrID:	Win32 Executable (generic) a (10002005/4) 97.12% Win32 Executable Borland Delphi 6 (262906/60) 2.55% Win32 Executable Delphi generic (14689/80) 0.14% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	#U65b0#U7248#U7f51#U5173.exe
File size:	1'254'400 bytes
MD5:	dc6bd8c6c6f2546decbf866c7a7df25d
SHA1:	263d0299b4e803f995480d866d8c82ef82c83023
SHA256:	08e00ccaa704c210e5841227e0db6b5c911ad675f3eaf48f5a629877c0ac3de1
SHA512:	d931389061a1b2a6959fc687b792eeaf46f076072de80d2f891f32971445fb556366712f3cc9ebec73a8cd0516ab35ec2885c7bf6ad9f1f6738b390a20f54632
SSDEEP:	24576:ojSFltv+l2d1fjtZCqaw+dRKPG3hjD7S4lwBlwx:aSwl2tZg9KPanXmBmx
TLSH:	25459F52F6C280F5D6151A303CE76736EA759A860F25CFC3A3A8ED782D326909B3711D
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	037183ab0a09090d

Static PE Info

General

Entrypoint:	0x408178
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9f4693fc0c511135129493f2161d1e86

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFE0h
xor eax, eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-1Ch], eax
mov dword ptr [ebp-14h], eax
mov eax, 004080E8h
call 00007F8F150695B3h
xor eax, eax
push ebp
push 004082B4h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov eax, 004091A8h
mov ecx, 0000000Bh
mov edx, 0000000Bh
call 00007F8F1506C74Dh
mov eax, 004091B4h
mov ecx, 00000009h
mov edx, 00000009h
call 00007F8F1506C739h
mov eax, 004091C0h
mov ecx, 00000003h
mov edx, 00000003h
call 00007F8F1506C725h
mov eax, 004091DCh
mov ecx, 00000003h
mov edx, 00000003h
call 00007F8F1506C711h
mov eax, dword ptr [00409210h]
mov ecx, 0000000Bh
mov edx, 0000000Bh
call 00007F8F1506C6FDh
call 00007F8F1506C754h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F8F15069FEEh
mov eax, dword ptr [ebp-14h]
call 00007F8F1506A582h
cmp eax, 0000A200h
jle 00007F8F1506D837h
call 00007F8F1506CCD2h
call 00007F8F1506D529h
mov eax, 004091C4h
mov ecx, 00000003h
mov edx, 00000003h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15000	0x864	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19000	0x1400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18000	0x5cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x17000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x72c0	0x7400	57df3a5615ac3f00c33b7f1f6f46d36a	False	0.6197804418103449	data	6.521149320889011	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x9000	0x218	0x400	7ffc3168a7f3103634abdf3a768ed128	False	0.3623046875	data	3.1516983405583385	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xa000	0xa899	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x15000	0x864	0xa00	6e7a45521bfca94f1e506361f70e7261	False	0.37421875	data	4.173859768945439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x16000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x17000	0x18	0x200	7e6c0f4f4435abc870eb550d5072bad6	False	0.05078125	data	0.2069200177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x18000	0x5cc	0x600	2f4536f51417a33d5e7cc1d66b1ca51e	False	0.8333333333333334	data	6.433117350337874	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x19000	0x1400	0x1400	3752ee895deade67279786564a299097	False	0.4125	data	4.307670739015947	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x19150	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4264	Russian	Russia	0.40736397748592873
RT_RCDATA	0x1a1f8	0x10	data			1.5
RT_RCDATA	0x1a208	0xac	data			1.063953488372093
RT_GROUP_ICON	0x1a2b4	0x14	data	Russian	Russia	1.1

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, MessageBoxA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	WriteFile, WinExec, SetFilePointer, SetFileAttributesA, SetEndOfFile, SetCurrentDirectoryA, ReleaseMutex, ReadFile, GetWindowsDirectoryA, GetTempPathA, GetShortPathNameA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesA, GetDriveTypeA, GetCommandLineA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, DeleteFileA, CreateMutexA, CreateFileA, CreateDirectoryA, CloseHandle
gdi32.dll	StretchDIBits, SetDIBits, SelectObject, GetObjectA, GetDIBits, DeleteObject, DeleteDC, CreateSolidBrush, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
user32.dll	ReleaseDC, GetSysColor, GetIconInfo, GetDC, FillRect, DestroyIcon, CopyImage, CharLowerBuffA
shell32.dll	ShellExecuteA, ExtractIconA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-19T09:07:17.065183+0100	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	1	192.168.2.8	62882	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 09:07:17.520150900 CET	49704	799	192.168.2.8	44.221.84.105
Nov 19, 2024 09:07:18.524276972 CET	49704	799	192.168.2.8	44.221.84.105
Nov 19, 2024 09:07:20.524137020 CET	49704	799	192.168.2.8	44.221.84.105
Nov 19, 2024 09:07:24.539693117 CET	49704	799	192.168.2.8	44.221.84.105
Nov 19, 2024 09:07:32.305439949 CET	49715	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:32.305488110 CET	443	49715	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:32.305628061 CET	49715	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:32.306015968 CET	49716	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:32.306015968 CET	49715	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:32.306027889 CET	443	49716	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:32.306047916 CET	443	49715	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:32.306166887 CET	49716	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:32.306205988 CET	49716	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:32.306215048 CET	443	49716	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:32.530529976 CET	49717	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:32.530585051 CET	443	49717	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:32.530652046 CET	49717	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:32.531255007 CET	49717	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:32.531271935 CET	443	49717	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:32.547947884 CET	49704	799	192.168.2.8	44.221.84.105
Nov 19, 2024 09:07:33.125230074 CET	49718	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:33.125286102 CET	443	49718	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:33.125441074 CET	49718	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:33.125799894 CET	49718	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:33.125816107 CET	443	49718	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:33.223478079 CET	49719	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:33.223490953 CET	443	49719	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:33.223547935 CET	49719	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:33.223786116 CET	49719	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:33.223790884 CET	443	49719	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:33.253690958 CET	49720	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:33.253721952 CET	443	49720	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:33.253778934 CET	49720	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:33.253987074 CET	49720	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:33.254004955 CET	443	49720	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:34.550621033 CET	49723	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:34.550653934 CET	443	49723	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:34.550793886 CET	49723	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:34.551026106 CET	49723	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:34.551039934 CET	443	49723	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:34.581491947 CET	49724	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:34.581532001 CET	443	49724	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:34.581617117 CET	49724	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:34.581866980 CET	49724	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:34.581892014 CET	443	49724	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:34.614867926 CET	49726	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:34.614902020 CET	443	49726	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:34.615020037 CET	49726	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:34.615185022 CET	49726	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:34.615199089 CET	443	49726	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:36.383282900 CET	49727	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:36.383343935 CET	443	49727	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:36.383413076 CET	49727	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:36.383647919 CET	49727	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:36.383660078 CET	443	49727	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:36.725869894 CET	49728	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:36.725917101 CET	443	49728	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:36.725985050 CET	49728	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:36.726207018 CET	49728	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:36.726222038 CET	443	49728	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:36.803263903 CET	49729	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:36.803308010 CET	443	49729	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:36.803464890 CET	49729	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:36.803713083 CET	49729	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:36.803744078 CET	443	49729	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:39.601207972 CET	49731	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:39.601270914 CET	443	49731	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:39.601393938 CET	49731	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:39.601794958 CET	49731	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:39.601813078 CET	443	49731	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:39.708627939 CET	49732	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:39.708678007 CET	443	49732	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:39.708791971 CET	49732	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:39.709078074 CET	49732	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:39.709098101 CET	443	49732	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:39.995902061 CET	49733	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:39.995954990 CET	443	49733	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:39.996021986 CET	49733	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:39.996244907 CET	49733	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:39.996263981 CET	443	49733	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:43.799216986 CET	49734	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:43.799261093 CET	443	49734	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:43.799367905 CET	49734	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:43.799604893 CET	49734	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:43.799622059 CET	443	49734	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:44.222103119 CET	49735	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:44.222143888 CET	443	49735	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:44.222296000 CET	49735	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:44.222522974 CET	49735	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:44.222541094 CET	443	49735	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:44.362981081 CET	49736	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:44.363028049 CET	443	49736	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:44.363332033 CET	49736	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:44.363687992 CET	49736	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:44.363704920 CET	443	49736	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.063432932 CET	49717	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.063586950 CET	49719	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.063740015 CET	49723	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.063795090 CET	49727	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.063916922 CET	49731	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.064044952 CET	49734	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.064548016 CET	49738	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.064587116 CET	443	49738	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.064722061 CET	49739	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.064765930 CET	443	49739	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.064789057 CET	49738	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.064955950 CET	49739	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.065242052 CET	49740	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.065272093 CET	443	49740	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.065563917 CET	49740	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.065812111 CET	49741	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.065903902 CET	443	49741	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.065978050 CET	49741	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.066037893 CET	49742	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.066046953 CET	443	49742	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.066095114 CET	49742	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.066313982 CET	49743	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.066334963 CET	443	49743	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.066598892 CET	49743	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.066621065 CET	49716	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.066725016 CET	49720	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.066814899 CET	49726	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.066907883 CET	49729	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.066951036 CET	49733	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.067013025 CET	49735	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.067589045 CET	49744	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.067598104 CET	443	49744	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.067651987 CET	49744	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.067910910 CET	49745	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.067929029 CET	443	49745	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.068074942 CET	49746	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.068083048 CET	443	49746	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.068111897 CET	49745	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.068129063 CET	49746	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.068461895 CET	49747	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.068479061 CET	443	49747	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.068653107 CET	49748	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.068653107 CET	49747	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.068665028 CET	443	49748	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.068778038 CET	49749	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.068789005 CET	443	49749	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.068799973 CET	49748	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.068834066 CET	49749	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.069335938 CET	49715	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.069494009 CET	49718	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.069571018 CET	49724	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.069679022 CET	49728	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.069796085 CET	49732	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.069823027 CET	49736	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.077277899 CET	49753	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.077285051 CET	443	49753	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.077342033 CET	49753	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.077569962 CET	49754	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.077590942 CET	443	49754	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.077635050 CET	49754	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.077781916 CET	49755	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.077789068 CET	443	49755	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.077847958 CET	49755	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.078012943 CET	49756	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.078027964 CET	443	49756	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.078284979 CET	49756	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.078289032 CET	49757	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.078326941 CET	443	49757	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.078371048 CET	49758	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.078378916 CET	443	49758	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.078423023 CET	49758	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.078460932 CET	49757	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.079046965 CET	49749	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.079062939 CET	443	49749	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.079152107 CET	49748	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.079164982 CET	443	49748	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.079328060 CET	49747	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.079339027 CET	49746	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.079353094 CET	443	49746	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.079377890 CET	443	49747	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.079452991 CET	49745	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.079472065 CET	443	49745	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.079540968 CET	49744	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:07:45.079551935 CET	443	49744	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.079663992 CET	49743	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.079689026 CET	443	49743	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.079741955 CET	49742	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.079751968 CET	443	49742	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.079848051 CET	49741	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.079873085 CET	443	49741	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.079933882 CET	49740	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.079955101 CET	443	49740	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.080029011 CET	49739	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.080044031 CET	443	49739	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.080121040 CET	49738	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.080137014 CET	443	49738	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.080302000 CET	49753	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.080313921 CET	443	49753	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.080400944 CET	49754	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.080415010 CET	443	49754	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.080487967 CET	49755	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.080498934 CET	443	49755	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.080598116 CET	49756	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.080605984 CET	443	49756	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.080682039 CET	49758	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.080691099 CET	443	49758	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.080816984 CET	49757	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:07:45.080838919 CET	443	49757	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.107342958 CET	443	49727	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.107355118 CET	443	49731	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.107367992 CET	443	49735	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.107383013 CET	443	49733	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.107392073 CET	443	49729	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.107399940 CET	443	49726	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.107408047 CET	443	49720	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.107414961 CET	443	49716	162.159.61.3	192.168.2.8
Nov 19, 2024 09:07:45.111345053 CET	443	49723	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.111346960 CET	443	49734	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.111366034 CET	443	49719	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.111380100 CET	443	49717	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.111390114 CET	443	49736	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.111398935 CET	443	49732	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.111408949 CET	443	49724	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.115325928 CET	443	49728	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.115329027 CET	443	49715	172.64.41.3	192.168.2.8
Nov 19, 2024 09:07:45.115330935 CET	443	49718	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.095609903 CET	49749	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:15.096102953 CET	49763	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:15.096127033 CET	49748	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:15.096157074 CET	443	49763	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:15.096251011 CET	49763	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:15.096302986 CET	49764	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:15.096338987 CET	443	49764	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:15.096347094 CET	49747	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:15.096395016 CET	49764	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:15.096419096 CET	49746	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:15.096481085 CET	49745	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:15.096550941 CET	49744	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:15.096611023 CET	49743	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.096782923 CET	49765	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.096811056 CET	443	49765	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.096822023 CET	49742	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.096858978 CET	49765	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.096992016 CET	49766	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.097008944 CET	443	49766	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.097023010 CET	49741	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.097064018 CET	49766	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.097160101 CET	49740	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.097258091 CET	49739	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.097331047 CET	49738	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.097456932 CET	49753	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.097698927 CET	49767	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.097708941 CET	443	49767	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.097754955 CET	49767	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.097942114 CET	49763	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:15.097955942 CET	443	49763	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:15.097985983 CET	49754	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.098179102 CET	49768	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.098207951 CET	49755	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.098212957 CET	443	49768	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.098263025 CET	49768	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.098320961 CET	49756	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.099024057 CET	49758	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.099118948 CET	49757	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.099420071 CET	49764	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:15.099438906 CET	443	49764	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:15.099806070 CET	49765	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.099818945 CET	443	49765	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.099977970 CET	49766	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.099992990 CET	443	49766	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.100131989 CET	49767	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.100142002 CET	443	49767	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.100253105 CET	49768	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.100275993 CET	443	49768	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.129829884 CET	49770	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.129885912 CET	443	49770	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.129966021 CET	49770	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.130136013 CET	49770	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:15.130152941 CET	443	49770	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.139329910 CET	443	49740	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.139342070 CET	443	49742	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.139343977 CET	443	49757	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.139348030 CET	443	49753	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.139348984 CET	443	49744	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:15.139354944 CET	443	49741	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.139358997 CET	443	49746	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:15.139369011 CET	443	49748	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:15.139390945 CET	443	49738	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.139430046 CET	443	49743	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.139450073 CET	443	49745	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:15.139467955 CET	443	49747	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:15.143332958 CET	443	49758	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.143336058 CET	443	49739	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.143337011 CET	443	49755	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.143345118 CET	443	49754	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.143356085 CET	443	49756	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:15.143361092 CET	443	49749	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:15.782634974 CET	49771	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:15.782676935 CET	443	49771	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:15.782782078 CET	49771	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:15.782968044 CET	49771	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:15.782979965 CET	443	49771	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:16.923160076 CET	49772	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:16.923217058 CET	443	49772	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:16.923382044 CET	49772	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:16.923496962 CET	49772	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:16.923511028 CET	443	49772	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:30.111102104 CET	49731	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:30.111119032 CET	49726	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:30.111131907 CET	443	49731	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:30.111136913 CET	443	49726	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:30.111135006 CET	49716	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:30.111143112 CET	49735	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:30.111172915 CET	443	49735	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:30.111200094 CET	443	49716	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:30.114311934 CET	49719	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:30.114326954 CET	443	49719	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:30.114329100 CET	49732	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:30.114335060 CET	443	49732	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:30.123260975 CET	49728	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:30.123261929 CET	49715	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:30.123279095 CET	443	49715	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:30.123286963 CET	443	49728	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:30.208311081 CET	49729	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:30.208309889 CET	49727	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:30.208309889 CET	49720	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:30.208309889 CET	49733	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:30.208324909 CET	443	49729	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:30.208339930 CET	49723	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:30.208339930 CET	49734	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:30.208340883 CET	49717	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:30.208340883 CET	49736	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:30.208343983 CET	443	49727	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:30.208353996 CET	443	49734	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:30.208357096 CET	443	49720	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:30.208357096 CET	443	49723	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:30.208358049 CET	443	49717	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:30.208367109 CET	443	49736	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:30.208368063 CET	443	49733	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:30.208368063 CET	49718	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:30.208369017 CET	49724	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:30.208395004 CET	443	49718	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:30.208398104 CET	443	49724	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:36.267597914 CET	49776	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:36.267654896 CET	443	49776	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:36.267723083 CET	49776	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:36.267966986 CET	49776	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:36.267976999 CET	443	49776	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:36.586993933 CET	49777	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:36.587038040 CET	443	49777	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:36.587105036 CET	49777	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:36.587304115 CET	49777	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:36.587322950 CET	443	49777	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:38.376210928 CET	49778	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:38.376270056 CET	443	49778	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:38.376349926 CET	49778	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:38.376552105 CET	49778	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:38.376563072 CET	443	49778	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:45.121356010 CET	49763	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:45.121855974 CET	49765	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:45.121906996 CET	49766	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:45.121983051 CET	49767	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:45.122030973 CET	49768	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:45.122068882 CET	49764	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:45.131526947 CET	49770	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:45.163337946 CET	443	49768	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:45.167320967 CET	443	49766	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:45.167325974 CET	443	49763	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:45.167331934 CET	443	49764	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:45.167335033 CET	443	49767	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:45.167350054 CET	443	49765	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:45.175332069 CET	443	49770	172.64.41.3	192.168.2.8
Nov 19, 2024 09:08:45.798372030 CET	49771	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:08:45.839344978 CET	443	49771	162.159.61.3	192.168.2.8
Nov 19, 2024 09:08:46.931345940 CET	49772	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:08:46.975337029 CET	443	49772	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:00.146614075 CET	49753	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:00.146620989 CET	49749	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:00.146617889 CET	49758	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:00.146621943 CET	49747	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:00.146616936 CET	49748	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:00.146621943 CET	49743	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:00.146616936 CET	49757	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:00.146614075 CET	49755	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:00.146625042 CET	49744	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:00.146616936 CET	49738	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:00.146617889 CET	49756	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:00.146625042 CET	49740	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:00.146621943 CET	49741	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:00.146625042 CET	49746	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:00.146621943 CET	49745	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:00.146625042 CET	49742	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:00.146648884 CET	443	49748	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:00.146650076 CET	443	49749	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:00.146651983 CET	443	49758	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:00.146658897 CET	443	49753	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:00.146662951 CET	443	49757	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:00.146667004 CET	443	49738	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:00.146668911 CET	443	49744	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:00.146670103 CET	443	49756	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:00.146672010 CET	443	49747	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:00.146678925 CET	443	49740	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:00.146681070 CET	443	49743	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:00.146683931 CET	443	49746	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:00.146686077 CET	443	49741	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:00.146688938 CET	49754	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:00.146689892 CET	443	49745	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:00.146689892 CET	49739	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:00.146696091 CET	443	49739	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:00.146696091 CET	443	49754	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:00.146702051 CET	443	49755	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:00.146707058 CET	443	49742	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:06.268960953 CET	49776	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:06.311341047 CET	443	49776	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:06.596103907 CET	49777	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:06.639336109 CET	443	49777	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:08.158468008 CET	49788	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:08.158503056 CET	443	49788	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:08.158559084 CET	49788	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:08.158885956 CET	49788	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:08.158899069 CET	443	49788	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:08.391731024 CET	49778	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:08.435336113 CET	443	49778	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:09.899418116 CET	49789	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:09.899461985 CET	443	49789	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:09.899538994 CET	49789	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:09.899759054 CET	49789	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:09.899770021 CET	443	49789	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:13.110992908 CET	49797	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:13.111033916 CET	443	49797	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:13.111185074 CET	49797	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:13.111327887 CET	49797	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:13.111341953 CET	443	49797	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:15.111784935 CET	49731	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:15.111798048 CET	49726	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:15.111799955 CET	49735	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:15.111802101 CET	49716	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:15.111804962 CET	443	49731	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:15.111814022 CET	443	49726	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:15.111823082 CET	443	49735	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:15.111833096 CET	443	49716	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:15.127326012 CET	49715	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:15.127329111 CET	49719	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:15.127331972 CET	49732	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:15.127331972 CET	49728	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:15.127335072 CET	443	49715	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:15.127346992 CET	443	49719	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:15.127350092 CET	443	49732	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:15.127355099 CET	443	49728	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:15.220103025 CET	49729	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:15.220103025 CET	49723	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:15.220103979 CET	49734	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:15.220103979 CET	49717	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:15.220103979 CET	49736	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:15.220104933 CET	49727	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:15.220104933 CET	49718	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:15.220104933 CET	49720	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:15.220104933 CET	49733	443	192.168.2.8	162.159.61.3
Nov 19, 2024 09:09:15.220114946 CET	443	49729	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:15.220119953 CET	443	49717	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:15.220122099 CET	443	49718	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:15.220123053 CET	443	49727	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:15.220124960 CET	443	49723	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:15.220129013 CET	443	49736	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:15.220130920 CET	443	49734	172.64.41.3	192.168.2.8
Nov 19, 2024 09:09:15.220130920 CET	443	49720	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:15.220135927 CET	443	49733	162.159.61.3	192.168.2.8
Nov 19, 2024 09:09:15.220201015 CET	49724	443	192.168.2.8	172.64.41.3
Nov 19, 2024 09:09:15.220228910 CET	443	49724	172.64.41.3	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 09:07:17.065182924 CET	62882	53	192.168.2.8	1.1.1.1
Nov 19, 2024 09:07:17.256015062 CET	53	62882	1.1.1.1	192.168.2.8
Nov 19, 2024 09:07:32.280904055 CET	62675	53	192.168.2.8	1.1.1.1
Nov 19, 2024 09:07:32.281435013 CET	49208	53	192.168.2.8	1.1.1.1
Nov 19, 2024 09:07:32.285475969 CET	54243	53	192.168.2.8	1.1.1.1
Nov 19, 2024 09:07:32.285741091 CET	64835	53	192.168.2.8	1.1.1.1
Nov 19, 2024 09:07:32.288156033 CET	53	62675	1.1.1.1	192.168.2.8
Nov 19, 2024 09:07:32.288388968 CET	53	49208	1.1.1.1	192.168.2.8
Nov 19, 2024 09:07:32.292684078 CET	53	54243	1.1.1.1	192.168.2.8
Nov 19, 2024 09:07:32.293215036 CET	53	64835	1.1.1.1	192.168.2.8
Nov 19, 2024 09:07:32.521996975 CET	57693	53	192.168.2.8	1.1.1.1
Nov 19, 2024 09:07:32.522128105 CET	62205	53	192.168.2.8	1.1.1.1
Nov 19, 2024 09:07:32.529258013 CET	53	57693	1.1.1.1	192.168.2.8
Nov 19, 2024 09:07:32.529303074 CET	53	62205	1.1.1.1	192.168.2.8
Nov 19, 2024 09:08:36.256414890 CET	49663	53	192.168.2.8	1.1.1.1
Nov 19, 2024 09:08:36.257189035 CET	50226	53	192.168.2.8	1.1.1.1
Nov 19, 2024 09:08:36.263377905 CET	53	49663	1.1.1.1	192.168.2.8
Nov 19, 2024 09:08:36.263947964 CET	53	50226	1.1.1.1	192.168.2.8
Nov 19, 2024 09:08:36.578710079 CET	56096	53	192.168.2.8	1.1.1.1
Nov 19, 2024 09:08:36.578849077 CET	54844	53	192.168.2.8	1.1.1.1
Nov 19, 2024 09:08:36.585925102 CET	53	54844	1.1.1.1	192.168.2.8
Nov 19, 2024 09:08:36.586236000 CET	53	56096	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 19, 2024 09:07:17.065182924 CET	192.168.2.8	1.1.1.1	0xa708	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:07:32.280904055 CET	192.168.2.8	1.1.1.1	0x676c	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:07:32.281435013 CET	192.168.2.8	1.1.1.1	0xa192	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 19, 2024 09:07:32.285475969 CET	192.168.2.8	1.1.1.1	0x3af3	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:07:32.285741091 CET	192.168.2.8	1.1.1.1	0xae2d	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 19, 2024 09:07:32.521996975 CET	192.168.2.8	1.1.1.1	0x5fc0	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:07:32.522128105 CET	192.168.2.8	1.1.1.1	0x587e	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 19, 2024 09:08:36.256414890 CET	192.168.2.8	1.1.1.1	0xf90b	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:08:36.257189035 CET	192.168.2.8	1.1.1.1	0xc238	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 19, 2024 09:08:36.578710079 CET	192.168.2.8	1.1.1.1	0x3e88	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:08:36.578849077 CET	192.168.2.8	1.1.1.1	0x847e	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 19, 2024 09:07:17.256015062 CET	1.1.1.1	192.168.2.8	0xa708	No error (0)	ddos.dnsnb8.net	44.221.84.105	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:07:32.288156033 CET	1.1.1.1	192.168.2.8	0x676c	No error (0)	chrome.cloudflare-dns.com	162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:07:32.288156033 CET	1.1.1.1	192.168.2.8	0x676c	No error (0)	chrome.cloudflare-dns.com	172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:07:32.288388968 CET	1.1.1.1	192.168.2.8	0xa192	No error (0)	chrome.cloudflare-dns.com		65	IN (0x0001)	false
Nov 19, 2024 09:07:32.292684078 CET	1.1.1.1	192.168.2.8	0x3af3	No error (0)	chrome.cloudflare-dns.com	172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:07:32.292684078 CET	1.1.1.1	192.168.2.8	0x3af3	No error (0)	chrome.cloudflare-dns.com	162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:07:32.293215036 CET	1.1.1.1	192.168.2.8	0xae2d	No error (0)	chrome.cloudflare-dns.com		65	IN (0x0001)	false
Nov 19, 2024 09:07:32.529258013 CET	1.1.1.1	192.168.2.8	0x5fc0	No error (0)	chrome.cloudflare-dns.com	172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:07:32.529258013 CET	1.1.1.1	192.168.2.8	0x5fc0	No error (0)	chrome.cloudflare-dns.com	162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:07:32.529303074 CET	1.1.1.1	192.168.2.8	0x587e	No error (0)	chrome.cloudflare-dns.com		65	IN (0x0001)	false
Nov 19, 2024 09:08:36.263377905 CET	1.1.1.1	192.168.2.8	0xf90b	No error (0)	chrome.cloudflare-dns.com	162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:08:36.263377905 CET	1.1.1.1	192.168.2.8	0xf90b	No error (0)	chrome.cloudflare-dns.com	172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:08:36.263947964 CET	1.1.1.1	192.168.2.8	0xc238	No error (0)	chrome.cloudflare-dns.com		65	IN (0x0001)	false
Nov 19, 2024 09:08:36.585925102 CET	1.1.1.1	192.168.2.8	0x847e	No error (0)	chrome.cloudflare-dns.com		65	IN (0x0001)	false
Nov 19, 2024 09:08:36.586236000 CET	1.1.1.1	192.168.2.8	0x3e88	No error (0)	chrome.cloudflare-dns.com	162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 19, 2024 09:08:36.586236000 CET	1.1.1.1	192.168.2.8	0x3e88	No error (0)	chrome.cloudflare-dns.com	172.64.41.3	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:07:14
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173.exe"
Imagebase:	0x400000
File size:	1'254'400 bytes
MD5 hash:	DC6BD8C6C6F2546DECBF866C7A7DF25D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000000.00000002.2293751786.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:07:14
Start date:	19/11/2024
Path:	C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173.exe"
Imagebase:	0x400000
File size:	1'212'928 bytes
MD5 hash:	CF530E5210C08CD0A8613AE62957628E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	03:07:14
Start date:	19/11/2024
Path:	C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\gXhmKFnw.exe
Imagebase:	0xf00000
File size:	15'872 bytes
MD5 hash:	56B2C3810DBA2E939A8BB9FA36D3CF96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:07:15
Start date:	19/11/2024
Path:	C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe
Imagebase:	0x400000
File size:	56'320 bytes
MD5 hash:	FF5E1F27193CE51EEC318714EF038BEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ramnit, Description: Yara detected Ramnit, Source: 00000005.00000002.1508242032.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:07:16
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
Imagebase:	0x400000
File size:	56'320 bytes
MD5 hash:	FF5E1F27193CE51EEC318714EF038BEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ramnit, Description: Yara detected Ramnit, Source: 00000006.00000002.1513070709.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:07:16
Start date:	19/11/2024
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Internet Explorer\iexplore.exe"
Imagebase:	0x7ff6b7110000
File size:	834'512 bytes
MD5 hash:	CFE2E6942AC1B72981B3105E22D3224E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	03:07:17
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:17410 /prefetch:2
Imagebase:	0xa60000
File size:	828'368 bytes
MD5 hash:	6F0F06D6AB125A99E43335427066A4A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:07:18
Start date:	19/11/2024
Path:	C:\Windows\svchost.com
Wow64 process (32bit):	true
Commandline:	"C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10454
Imagebase:	0x400000
File size:	41'472 bytes
MD5 hash:	811C79A695A4715D805A61F5EF41264D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:07:18
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Wow64 process (32bit):	false
Commandline:	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe --from-ie-to-edge=3 --ie-frame-hwnd=10454
Imagebase:	0x7ff65e560000
File size:	540'712 bytes
MD5 hash:	89CF8972D683795DAB6901BC9456675D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:07:19
Start date:	19/11/2024
Path:	C:\Windows\svchost.com
Wow64 process (32bit):	true
Commandline:	"C:\Windows\svchost.com" "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Imagebase:	0x400000
File size:	41'472 bytes
MD5 hash:	811C79A695A4715D805A61F5EF41264D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:07:19
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Wow64 process (32bit):	true
Commandline:	C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe -new
Imagebase:	0x370000
File size:	85'632 bytes
MD5 hash:	F9A898A606E7F5A1CD7CFFA8079253A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:07:19
Start date:	19/11/2024
Path:	C:\Windows\svchost.com
Wow64 process (32bit):	true
Commandline:	"C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10454
Imagebase:	0x400000
File size:	41'472 bytes
MD5 hash:	811C79A695A4715D805A61F5EF41264D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:07:20
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=10454
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:07:21
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=2112,i,18150823197177763783,15696018199099908702,262144 /prefetch:3
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:07:22
Start date:	19/11/2024
Path:	C:\Windows\svchost.com
Wow64 process (32bit):	true
Commandline:	"C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10454 --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x400000
File size:	41'472 bytes
MD5 hash:	811C79A695A4715D805A61F5EF41264D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:07:22
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=10454 --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	03:07:25
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2708 --field-trial-handle=2664,i,14214771295167982172,2696686499744709149,262144 /prefetch:3
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	03:07:28
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5868 --field-trial-handle=2664,i,14214771295167982172,2696686499744709149,262144 /prefetch:8
Imagebase:	0x7ff7f97c0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	03:07:29
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 1384
Imagebase:	0x650000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.2%
Total number of Nodes:	1117
Total number of Limit Nodes:	76

Executed Functions

Function 0054B006 Relevance: 59.7, APIs: 22, Strings: 12, Instructions: 195
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0054B074
GetProcAddress.KERNEL32(75550000,FreeLibrary), ref: 0054B096
GetProcAddress.KERNEL32(75550000,CreateMutexA), ref: 0054B0B8
GetProcAddress.KERNEL32(75550000,ReleaseMutex), ref: 0054B0DA
GetProcAddress.KERNEL32(75550000,CloseHandle), ref: 0054B0FC
GetProcAddress.KERNEL32(75550000,GetLastError), ref: 0054B11E
GetProcAddress.KERNEL32(75550000,CreateFileA), ref: 0054B140
GetProcAddress.KERNEL32(75550000,WriteFile), ref: 0054B162
GetProcAddress.KERNEL32(75550000,GetModuleFileNameA), ref: 0054B184
GetProcAddress.KERNEL32(75550000,CreateProcessA), ref: 0054B1A6
CreateMutexA.KERNELBASE(00000000,00000001,KyUffThOkYwRRtgPP), ref: 0054B1C6
GetLastError.KERNEL32(00000000), ref: 0054B1CD
ReleaseMutex.KERNEL32(?,?,00000000), ref: 0054B1D7
CloseHandle.KERNEL32(?,?,00000000), ref: 0054B1DD
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe,000000FF,?,00000000), ref: 0054B229
CreateFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe,40000000,00000002,00000000,00000002,00000080,00000000,?,00000000), ref: 0054B268
WriteFile.KERNELBASE(00000000,0054B573,0000DC00,0054B31C,00000000,00000000,?,00000000), ref: 0054B292
CloseHandle.KERNEL32(?,00000000), ref: 0054B298
CreateProcessA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe,00000000,00000000,00000000,00000000,00000000,00000000,0054B466,0054B4AA,?,00000000), ref: 0054B2E0
CloseHandle.KERNEL32(00000228,0054B4AA,?,00000000), ref: 0054B2F1
CloseHandle.KERNEL32(?,00000000), ref: 0054B2F7
FreeLibrary.KERNEL32(75550000), ref: 0054B303

Strings

C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe, xrefs: 0054B226, 0054B267, 0054B2DD
ReleaseMutex, xrefs: 0054B0D3
FreeLibrary, xrefs: 0054B08F
GetLastError, xrefs: 0054B117
CreateMutexA, xrefs: 0054B0B1
WriteFile, xrefs: 0054B15B
CreateProcessA, xrefs: 0054B19F
CloseHandle, xrefs: 0054B0F5
KyUffThOkYwRRtgPP, xrefs: 0054B1C1
kernel32.dll, xrefs: 0054B073
CreateFileA, xrefs: 0054B139
GetModuleFileNameA, xrefs: 0054B17D

Memory Dump Source

Source File: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: AddressProc$CloseHandle$CreateFile$LibraryMutex$ErrorFreeLastLoadModuleNameProcessReleaseWrite
String ID: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe$CloseHandle$CreateFileA$CreateMutexA$CreateProcessA$FreeLibrary$GetLastError$GetModuleFileNameA$KyUffThOkYwRRtgPP$ReleaseMutex$WriteFile$kernel32.dll
API String ID: 1180511664-4019485444
Opcode ID: 433a6612d00084cc81ed907b06d343000b3e8516625006df615d785e1d0a022e
Instruction ID: 58e02c30c0072d90e04924b534b8fe1925e67cf9f7fbe885fe18c9767c4f239f
Opcode Fuzzy Hash: 433a6612d00084cc81ed907b06d343000b3e8516625006df615d785e1d0a022e
Instruction Fuzzy Hash: 9E810671504189DFFB318E64CC88BDEBB79EF08348F520521EDA9E2152DB78BA45EB10

Function 0041EB00 Relevance: 55.2, APIs: 29, Strings: 2, Instructions: 979windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0041EB72
IsIconic.USER32(?), ref: 0041EBAA
SetActiveWindow.USER32(?,?,?), ref: 0041EBD3
IsWindow.USER32(?), ref: 0041EBFD
IsWindow.USER32(?), ref: 0041EECE
DestroyAcceleratorTable.USER32(?), ref: 0041F01E
DestroyMenu.USER32(?), ref: 0041F029
DestroyAcceleratorTable.USER32(?), ref: 0041F043
DestroyMenu.USER32(?), ref: 0041F052
DestroyAcceleratorTable.USER32(?), ref: 0041F0B2
DestroyMenu.USER32(?,000003EA,00000000,00000000,?,?,00000000,?,000007D9,00000000,00000000), ref: 0041F0C1
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0041F143
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?), ref: 0041F25B
IsWindow.USER32(?), ref: 0041F38C
SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 0041F3A1
SendMessageA.USER32(?,00008004,00000000,00000000), ref: 0041F3BE
DestroyAcceleratorTable.USER32(?), ref: 0041F40C
IsWindow.USER32(?), ref: 0041F481
IsWindow.USER32(?), ref: 0041F4D1
IsWindow.USER32(?), ref: 0041F521
IsWindow.USER32(?), ref: 0041F55E
IsWindow.USER32(?), ref: 0041F5E1
GetParent.USER32(?), ref: 0041F5EF
GetFocus.USER32 ref: 0041F630

Part of subcall function 0041E9F0: IsWindow.USER32(?), ref: 0041EA6B
Part of subcall function 0041E9F0: GetFocus.USER32 ref: 0041EA75
Part of subcall function 0041E9F0: IsChild.USER32(?,00000000), ref: 0041EA87

IsWindow.USER32(?), ref: 0041F68F
SendMessageA.USER32(?,00008076,00000000,00000000), ref: 0041F6A4
IsWindow.USER32(00000000), ref: 0041F6B7
GetFocus.USER32 ref: 0041F6C1
SetFocus.USER32(00000000), ref: 0041F6CC

Strings

d, xrefs: 0041EB13
hB, xrefs: 0041EC8A

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$Destroy$AcceleratorFocusTable$MenuMessageSend$ActiveCallbackChildDispatcherIconicParentUser
String ID: hB$d
API String ID: 2657180179-827857596
Opcode ID: f86d11dc418dd4446794eebf2a33b4c7490e1185da7b0c0f8f2dc0121ca4acda
Instruction ID: 9821dccf66c8f1ae281e65a878111a292447d3623cc0e11b86525b58096c852f
Opcode Fuzzy Hash: f86d11dc418dd4446794eebf2a33b4c7490e1185da7b0c0f8f2dc0121ca4acda
Instruction Fuzzy Hash: 157291756043059BD324DF65C880FAFB7E9AF84704F44492EF94997341DB38E886CBAA

Function 0055A044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0055A223
WriteFile.KERNELBASE(00000000,FFFF0D8F,00003E00,?,00000000), ref: 0055A252
CloseHandle.KERNELBASE(00000000), ref: 0055A256
WinExec.KERNEL32(?,00000005), ref: 0055A262

Strings

Kern, xrefs: 0055A0F4
Writ, xrefs: 0055A148
GetM, xrefs: 0055A0B6
catA, xrefs: 0055A1AF
WinE, xrefs: 0055A110
athA, xrefs: 0055A199
odul, xrefs: 0055A22D
el32, xrefs: 0055A0FB
.dll, xrefs: 0055A102
GetT, xrefs: 0055A188
Clos, xrefs: 0055A129
gXhmKFnw.exe, xrefs: 0055A1FD, 0055A200
Crea, xrefs: 0055A169
lstr, xrefs: 0055A1A7
dleA, xrefs: 0055A0D0

Memory Dump Source

Source File: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: File$CloseCreateExecHandleWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$gXhmKFnw.exe$lstr$odul
API String ID: 3741012433-2471858179
Opcode ID: cc749d05006a5d5b39894afb29d14799fc7c4da586b49dd5fef519378ddc4fe7
Instruction ID: c208d6cddea4e8740f253365e3b30ba0b9a2103f6fd8d338a2842611cd6f6d0d
Opcode Fuzzy Hash: cc749d05006a5d5b39894afb29d14799fc7c4da586b49dd5fef519378ddc4fe7
Instruction Fuzzy Hash: D7613E74D01619DBCF24CFA4C964AADFFB0BF44316F14866BD805AB641C7709E85CB92

Function 004463B0 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370
commemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 004463D9
OleInitialize.OLE32(00000000), ref: 00446415
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00446433
SetCurrentDirectoryA.KERNELBASE(025556F8,?), ref: 0044648D
LoadCursorA.USER32(00000000,00007F00), ref: 004464E8
GetStockObject.GDI32(00000005), ref: 00446509
GetCurrentThreadId.KERNEL32 ref: 00446531

Strings

HXL, xrefs: 004465E8
_EL_HideOwner, xrefs: 00446513

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Current$CursorDirectoryFileHeapInitializeLoadModuleNameObjectProcessStockThread
String ID: HXL$_EL_HideOwner
API String ID: 3783217854-3320778522
Opcode ID: 2c55a3ff85287065f95499e801762d65d8673819339ed33680ab517924530e3f
Instruction ID: 4642430245168a21967f7397eb7b7424280fae2ceec082433e8c203488f86bdb
Opcode Fuzzy Hash: 2c55a3ff85287065f95499e801762d65d8673819339ed33680ab517924530e3f
Instruction Fuzzy Hash: B9E1F270A002059FDB14DF55CC81FEEB7B4FF45304F15406EE905AB292DB78A985CBA9

Function 00433F50 Relevance: 9.1, APIs: 6, Instructions: 71
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 00433F7A
htonl.WS2_32(00000000), ref: 00433FA6
htons.WS2_32(?), ref: 00433FB5
bind.WS2_32(?,00000002,00000010), ref: 00433FCB
listen.WS2_32(?,7FFFFFFF), ref: 00433FDF
WSAAsyncSelect.WS2_32(?,?,00008079,00000008), ref: 00433FF9

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: AsyncSelectbindhtonlhtonslistensocket
String ID:
API String ID: 1284462097-0
Opcode ID: 55c89ef0e43ff5e47944e5f844af09a4a60e69f7157c596147bfd8617c22b17f
Instruction ID: 9e169701f3a6831f6492ac413025f81854717bc3046eee4d2b442196db85612f
Opcode Fuzzy Hash: 55c89ef0e43ff5e47944e5f844af09a4a60e69f7157c596147bfd8617c22b17f
Instruction Fuzzy Hash: A2211B70604B109BD3649F389848A6BB6F5BF48724F508B1DF2A6C62E0D775E8808759

Function 004BDB9F Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,?,?,004BDB9A), ref: 004BDC16
GetProcessVersion.KERNELBASE(00000000,?,?,?,004BDB9A), ref: 004BDC53
LoadCursorA.USER32(00000000,00007F02), ref: 004BDC81
LoadCursorA.USER32(00000000,00007F00), ref: 004BDC8C

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 9a1b1c9739f7006b139a84b4ccff276b4718dd95a9413b6d96a6f94097393df6
Instruction ID: b5b706150284b56425d4b64d9dcc6cfdcc353478bfc7de5729696ea428770f60
Opcode Fuzzy Hash: 9a1b1c9739f7006b139a84b4ccff276b4718dd95a9413b6d96a6f94097393df6
Instruction Fuzzy Hash: 38114CB1A44B508FD7649F3A888456ABBE5FB587047404D3FE18BC7B50D7B8E481CB54

Function 004B4DDD Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 170
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004BD003: TlsGetValue.KERNEL32(00540F94,00000000,?,004B36DD,004BC39A,?,?,004B36BA,?,0040BC52,000007DD,?,00000000), ref: 004BD042

CallNextHookEx.USER32(?,00000003,?,?), ref: 004B4E07
GetClassLongA.USER32(?,000000E6), ref: 004B4E4E
GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,?,004BC39A), ref: 004B4E7A
lstrcmpiA.KERNEL32(?,ime), ref: 004B4E89
GetWindowLongA.USER32(?,000000FC), ref: 004B4EFC
SetWindowLongA.USER32(?,000000FC,00000000), ref: 004B4F1D

Strings

ime, xrefs: 004B4E83
AfxOldWndProc423, xrefs: 004B4F5E, 004B4F63, 004B4F6E, 004B4F76, 004B4F7F

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: AfxOldWndProc423$ime
API String ID: 3731301195-104836986
Opcode ID: 0cff2e56a29f58d5b8aa2c082c04670e8d33f7d75411e4cd54c245b6f117a7c7
Instruction ID: e23b135c94301e364b698e0e036b844d76a421c333aeae8d8eb1a2bf5dbb7b14
Opcode Fuzzy Hash: 0cff2e56a29f58d5b8aa2c082c04670e8d33f7d75411e4cd54c245b6f117a7c7
Instruction Fuzzy Hash: A051AF71500615AFCB119F64DC48FEF3BB8BF84365F10452AF915A7292DB38E981CBA8

Function 0048FE00 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 245
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004BD098: __EH_prolog.LIBCMT ref: 004BD09D

LoadLibraryA.KERNELBASE(RICHED20.DLL,00495A10), ref: 0048FE3F
LoadLibraryA.KERNEL32(RICHED32.DLL), ref: 0048FE4D

Strings

RICHED20.DLL, xrefs: 0048FE3A
<, xrefs: 00490008
RICHED32.DLL, xrefs: 0048FE48
RICHEDIT, xrefs: 0048FFC2
(~i, xrefs: 0048FE18
RichEdit20A, xrefs: 0048FF87

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: LibraryLoad$H_prolog
String ID: (~i$<$RICHED20.DLL$RICHED32.DLL$RICHEDIT$RichEdit20A
API String ID: 752716358-2006755696
Opcode ID: c53b5ff94aa3e5f12ccbc9e34da912e016e377d9ad0c5b32d2cb7f7646ced40e
Instruction ID: 9c913ed1187bb29eb0d039448d5399a36f8085c5556f1f5bbb8b2822ba40690a
Opcode Fuzzy Hash: c53b5ff94aa3e5f12ccbc9e34da912e016e377d9ad0c5b32d2cb7f7646ced40e
Instruction Fuzzy Hash: DF81BF727443449BEB24DE65C841FABB7E4FB88710F10892EFA4997380DB79E8058B95

Function 004255E0 Relevance: 19.9, APIs: 13, Instructions: 375
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004B9C33: __EH_prolog.LIBCMT ref: 004B9C38
Part of subcall function 004B9C33: BeginPaint.USER32(?,?,?,?,0047CAE2), ref: 004B9C61

Part of subcall function 004B97E4: GetClipBox.GDI32(?,?), ref: 004B97EB

IsRectEmpty.USER32(?), ref: 0042562F
CreateRectRgn.GDI32 ref: 00425691
GetClientRect.USER32(?,?), ref: 0042572D

Part of subcall function 004B9CA5: __EH_prolog.LIBCMT ref: 004B9CAA
Part of subcall function 004B9CA5: EndPaint.USER32(?,?,?,?,0047CC71,?,?), ref: 004B9CC7

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$H_prologPaint$BeginClientClipCreateEmpty
String ID:
API String ID: 2708814891-0
Opcode ID: d4915c899a7bff23ed344e189596dd57c40ff0640b240da3b6d481a5ab3dadaf
Instruction ID: 2171162bb18fc539417e5243501f8eb24020c88d06f92010dd556387320ffd26
Opcode Fuzzy Hash: d4915c899a7bff23ed344e189596dd57c40ff0640b240da3b6d481a5ab3dadaf
Instruction Fuzzy Hash: 77E18E716083519FC314DF65D885EAFB7E8FBC8704F448A2EF59993241D778E8088BA6

Function 00426AF0 Relevance: 19.7, APIs: 13, Instructions: 187
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetParent.USER32(?), ref: 00426B3A

Part of subcall function 004B7504: IsWindowEnabled.USER32(?), ref: 004B750E

IsWindow.USER32(?), ref: 00426BDB
GetParent.USER32(?), ref: 00426BF6
IsWindowVisible.USER32(?), ref: 00426C0A
SetActiveWindow.USER32(?), ref: 00426C2B
IsWindow.USER32(?), ref: 00426C48
KiUserCallbackDispatcher.NTDLL(?), ref: 00426C56
IsWindow.USER32(?), ref: 00426C5D
IsWindow.USER32(?), ref: 00426CB8
IsWindow.USER32(?), ref: 00426D12
GetFocus.USER32 ref: 00426D26
IsWindow.USER32(00000000), ref: 00426D33
IsChild.USER32(?,00000000), ref: 00426D42

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$Parent$ActiveCallbackChildDispatcherEnabledFocusUserVisible
String ID:
API String ID: 416498738-0
Opcode ID: 7446b3778e79829e48779cd80bfd51fa8fc99ecf2fbaf56ef809697a0088a891
Instruction ID: d2081cd1c7cc980e99c7ad135ac5e11a4f9e07b589c93f8376f89e7e49854670
Opcode Fuzzy Hash: 7446b3778e79829e48779cd80bfd51fa8fc99ecf2fbaf56ef809697a0088a891
Instruction Fuzzy Hash: 435192717007259BC724EF66E884A6BBBA8FF44350F85452FF94993710CB38E844CBA9

Function 00416820 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 220
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateSolidBrush.GDI32(00000000), ref: 0041691D
SendMessageA.USER32(?,00000154,00000000,00000000), ref: 00416995
SendMessageA.USER32(?,00000153,00000000,?), ref: 004169AE
SendMessageA.USER32(?,00000141,?,00000000), ref: 004169BF
SendMessageA.USER32(?,00000143,00000000,?), ref: 004169FB
SendMessageA.USER32(?,00000143,00000000), ref: 00416A1E
SendMessageA.USER32(?,0000014E,?,00000000), ref: 00416A4F
SendMessageA.USER32(?,00000142,00000000,?), ref: 00416A89

Strings

COMBOBOX, xrefs: 00416956

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend$BrushCreateSolid
String ID: COMBOBOX
API String ID: 943060551-1136563877
Opcode ID: 35a7dd1e8635cc01333bbf4065ad94781618c0ab6adfb5bc6c82515bc2fd30d1
Instruction ID: 1d032b7e6c7bf2c0951f8b68c054a1a5a4d71d281f25028b89b2e3ce1dbf4465
Opcode Fuzzy Hash: 35a7dd1e8635cc01333bbf4065ad94781618c0ab6adfb5bc6c82515bc2fd30d1
Instruction Fuzzy Hash: 40719F71604B009FE320DB69CC81FABB3E9EF85714F108A2EF69697390D678E841CB55

Function 004B4C02 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 004B4C07
GetPropA.USER32(?,AfxOldWndProc423), ref: 004B4C1F
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 004B4C7D

Part of subcall function 004B47EA: GetWindowRect.USER32(?,?), ref: 004B480F
Part of subcall function 004B47EA: GetWindow.USER32(?,00000004), ref: 004B482C

SetWindowLongA.USER32(?,000000FC,?), ref: 004B4CAD
RemovePropA.USER32(?,AfxOldWndProc423), ref: 004B4CB5
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 004B4CBC
GlobalDeleteAtom.KERNEL32(00000000), ref: 004B4CC3

Part of subcall function 004B47C7: GetWindowRect.USER32(?,?), ref: 004B47D3

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 004B4D17

Strings

AfxOldWndProc423, xrefs: 004B4C15, 004B4C1D, 004B4CB3, 004B4CBB

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: ea357fde576fa395accd46e45ed745c6dded1b97c3e6961b2b35d69c76f32a4b
Instruction ID: 62621456ee8adaed43a5b4a02bdd87174473fcea1c903c85302091e618fb8664
Opcode Fuzzy Hash: ea357fde576fa395accd46e45ed745c6dded1b97c3e6961b2b35d69c76f32a4b
Instruction Fuzzy Hash: B4318C3280010ABBCB01AFA5DD49EFF7F78EF85711F00412AF601A2252CB399A51DB79

Function 00412150 Relevance: 15.4, APIs: 10, Instructions: 430
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004B9C33: __EH_prolog.LIBCMT ref: 004B9C38
Part of subcall function 004B9C33: BeginPaint.USER32(?,?,?,?,0047CAE2), ref: 004B9C61

Part of subcall function 004B97E4: GetClipBox.GDI32(?,?), ref: 004B97EB

IsRectEmpty.USER32(?), ref: 00412197
GetClientRect.USER32(?,?), ref: 004121AF
InflateRect.USER32(?,?,?), ref: 0041226D
IntersectRect.USER32(?,?,?), ref: 004122D7
CreateRectRgn.GDI32(?,?,?,?), ref: 004122F1
FillRgn.GDI32(?,?,?), ref: 004124B0
GetCurrentObject.GDI32(?,00000006), ref: 0041252F

Part of subcall function 004B938B: GetStockObject.GDI32(?), ref: 004B9394
Part of subcall function 004B938B: SelectObject.GDI32(0040E855,00000000), ref: 004B93AE
Part of subcall function 004B938B: SelectObject.GDI32(0040E855,00000000), ref: 004B93B9

OffsetRect.USER32(?,00000001,00000001), ref: 0041260D
OffsetRect.USER32(?,00000002,00000002), ref: 004126A1
OffsetRect.USER32(?,00000001,00000001), ref: 00412654

Part of subcall function 004B955B: SetTextColor.GDI32(?,?), ref: 004B9575
Part of subcall function 004B955B: SetTextColor.GDI32(?,?), ref: 004B9583

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$Object$Offset$ColorSelectText$BeginClientClipCreateCurrentEmptyFillH_prologInflateIntersectPaintStock
String ID:
API String ID: 4264835570-0
Opcode ID: be543533fc705d7f872a78951107131f3a6fdabfff3df60004bdb2eaa300b85a
Instruction ID: 3d4e8c27c039de3900a49e7e6030d3d40e317834b0c3d55dc0a536b765880fbf
Opcode Fuzzy Hash: be543533fc705d7f872a78951107131f3a6fdabfff3df60004bdb2eaa300b85a
Instruction Fuzzy Hash: C1025C715087809FC324DF65C884AEBB7E5BBD8304F404D1EF59687290DBB4E989CB66

Function 004BCCB7 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00540FB0,00540F84,?,?,00540F94,00540F94,004BD037,00000000,?,004B36DD,004BC39A,?,?,004B36BA,?,0040BC52), ref: 004BCCC6
GlobalAlloc.KERNELBASE(00002002,00000000,?,?,00540F94,00540F94,004BD037,00000000,?,004B36DD,004BC39A,?,?,004B36BA,?,0040BC52), ref: 004BCD1B
GlobalHandle.KERNEL32(00672618), ref: 004BCD24
GlobalUnlock.KERNEL32(00000000), ref: 004BCD2D
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 004BCD3F
GlobalHandle.KERNEL32(00672618), ref: 004BCD56
GlobalLock.KERNEL32(00000000), ref: 004BCD5D
LeaveCriticalSection.KERNEL32(?,?,?,00540F94,00540F94,004BD037,00000000,?,004B36DD,004BC39A,?,?,004B36BA,?,0040BC52,000007DD), ref: 004BCD63
GlobalLock.KERNEL32(00000000), ref: 004BCD72
LeaveCriticalSection.KERNEL32(?), ref: 004BCDBB

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 4a19a13cf08387926e56fcd9e8b07c72a7c739653f5451dc0660d2c3391e2609
Instruction ID: 287b67d9463bae4af9454f76d6db3ce3bee935f5fa36d011c9ab4a0780ba0ac2
Opcode Fuzzy Hash: 4a19a13cf08387926e56fcd9e8b07c72a7c739653f5451dc0660d2c3391e2609
Instruction Fuzzy Hash: 22318E756007059FD7249F28DCC9AAABBE9FB44305B00093EF956C7661EBB5F8448B28

Function 0040E6B0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 267
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateSolidBrush.GDI32(00000000), ref: 0040E7F8
SendMessageA.USER32(?,000000C5,?,00000000), ref: 0040E889
SendMessageA.USER32(?,000000CC,?,00000000), ref: 0040E8A1
SendMessageA.USER32(?,00000465,00000000,?), ref: 0040E96B
SendMessageA.USER32(?,000000B1,?,?), ref: 0040E9A8
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0040E9B7

Strings

msctls_updown32, xrefs: 0040E8FF
EDIT, xrefs: 0040E837

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend$BrushCreateSolid
String ID: EDIT$msctls_updown32
API String ID: 943060551-1401569126
Opcode ID: 1dc1cf95aadbf19c29322d1c63b6551321282fe7a8b4bf94e0021ad784dc5656
Instruction ID: a6d66e80fa10d4c3d7a8cb2603aaff84ffc564e442f53001997e3083d3ab9b04
Opcode Fuzzy Hash: 1dc1cf95aadbf19c29322d1c63b6551321282fe7a8b4bf94e0021ad784dc5656
Instruction Fuzzy Hash: A991AE71704B009BE734DB2ACC41F6BB7E5AB84704F104D2EF696A73C0DA78E8558B59

Function 004237D0 Relevance: 13.8, APIs: 9, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb7ac4b93ac8c1bc871164ce0f668b006f115e069238e14e9fd011ba7614e21
Instruction ID: 30f8d58b5b9d8eb6484cab7db76d45738571f822518479535b74c31b9aca5472
Opcode Fuzzy Hash: 3cb7ac4b93ac8c1bc871164ce0f668b006f115e069238e14e9fd011ba7614e21
Instruction Fuzzy Hash: A8B1AA70704710AFD724DF25D885B2BBBF5AB84705F90892EF18287390D7B9E981CB5A

Function 004B90AE Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 004B90BB
GetSystemMetrics.USER32(0000000C), ref: 004B90C2
GetDC.USER32(00000000), ref: 004B90DB
GetDeviceCaps.GDI32(00000000,00000058), ref: 004B90EC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004B90F4
ReleaseDC.USER32(00000000,00000000), ref: 004B90FC

Part of subcall function 004BDBBF: GetSystemMetrics.USER32(00000002), ref: 004BDBD1
Part of subcall function 004BDBBF: GetSystemMetrics.USER32(00000003), ref: 004BDBDB

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: 4b3758abad66935e287bf73a39b3b3194ecd8563d987b9f55034349e68daf506
Instruction ID: 6e8db1d705fc5349d6a8da95404dd79fe004d1f1a72cc0658293c8745183e354
Opcode Fuzzy Hash: 4b3758abad66935e287bf73a39b3b3194ecd8563d987b9f55034349e68daf506
Instruction Fuzzy Hash: EDF09030640B009BE3206B628C49F5B77A4DF90752F15482AE605572D0DAB4A8408B65

Function 00413E40 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00413F4C
DestroyIcon.USER32(?,?,?,?,0000008C,00000000), ref: 00413FAA
SendMessageA.USER32(?,000000F7,00000001,?), ref: 0041404C
SendMessageA.USER32(?,000000F7,00000000,?), ref: 0041407E

Strings

BUTTON, xrefs: 0041400B

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend$ColorDestroyIcon
String ID: BUTTON
API String ID: 1480523805-3405671355
Opcode ID: ca0ac171268cf4b6e8a9d12c45fe11be258eaec9d2291bf8fd7460a7479b0be9
Instruction ID: 719fffca3090ec1c707de3f480c250a88bba8f98b4cc5092cf6f0f6aa70c5321
Opcode Fuzzy Hash: ca0ac171268cf4b6e8a9d12c45fe11be258eaec9d2291bf8fd7460a7479b0be9
Instruction Fuzzy Hash: ED6190B1B047049FD324DF15D880BABB7A5FB84711F54492EF58A83780CB39E985CB5A

Function 0054B31C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe,00000000,00000000,00000000,00000000,00000000,00000000,0054B466,0054B4AA,?,00000000), ref: 0054B2E0
CloseHandle.KERNEL32(00000228,0054B4AA,?,00000000), ref: 0054B2F1
CloseHandle.KERNEL32(?,00000000), ref: 0054B2F7
FreeLibrary.KERNEL32(75550000), ref: 0054B303

Strings

C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe, xrefs: 0054B2DD

Memory Dump Source

Source File: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CloseHandle$CreateFreeLibraryProcess
String ID: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe
API String ID: 2817289219-1867704442
Opcode ID: 10d1c826e056d8dae11148c68169777c82895c56689a29d66d1988d9855e5148
Instruction ID: 54f60da03265e85e706fd2833933801523adb4f778fbad3626cfc5d2d588f4bd
Opcode Fuzzy Hash: 10d1c826e056d8dae11148c68169777c82895c56689a29d66d1988d9855e5148
Instruction Fuzzy Hash: C1018F3114D3C59FFB328F608C59BD8BF70AF07309F160182E999AA4A3C3A82505EB56

Function 0040E9E0 Relevance: 7.6, APIs: 5, Instructions: 134windowCOMMON

Download Yara Rule

APIs

GetTextExtentPoint32A.GDI32(?,004E9D74,?,?), ref: 0040EA81
GetSystemMetrics.USER32(0000002E), ref: 0040EA95
GetWindowRect.USER32(?,?), ref: 0040EAB5
GetStockObject.GDI32(00000011), ref: 0040EB02
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 0040EB11

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ExtentMessageMetricsObjectPoint32RectSendStockSystemTextWindow
String ID:
API String ID: 3316701254-0
Opcode ID: f54d6e38bac4d7e731dfccad3766984a1cf55743624fd25c3ceaa90eae5f63c1
Instruction ID: ea9e90072bb855f83a82ad9ceb053da6b9afbb9fb85154a3755cc9dc2b4274ac
Opcode Fuzzy Hash: f54d6e38bac4d7e731dfccad3766984a1cf55743624fd25c3ceaa90eae5f63c1
Instruction Fuzzy Hash: 4E417F71304700AFD324DF66CC85FAB77A8BB88714F444E2EF652A62C0DA78ED058B65

Function 0040FE20 Relevance: 7.6, APIs: 5, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 004B9B7F: __EH_prolog.LIBCMT ref: 004B9B84
Part of subcall function 004B9B7F: GetWindowDC.USER32(?), ref: 004B9BAD

GetClientRect.USER32 ref: 0040FE62
GetWindowRect.USER32(?,?), ref: 0040FE71

Part of subcall function 004B9939: ScreenToClient.USER32(?,?), ref: 004B994D
Part of subcall function 004B9939: ScreenToClient.USER32(?,?), ref: 004B9956

OffsetRect.USER32(?,?,?), ref: 0040FE9C

Part of subcall function 004B9876: ExcludeClipRect.GDI32(?,?,?,?,?,76C1A5C0,?,?,0040FEAC,?), ref: 004B989B
Part of subcall function 004B9876: ExcludeClipRect.GDI32(?,?,?,?,?,76C1A5C0,?,?,0040FEAC,?), ref: 004B98B0

OffsetRect.USER32(?,?,?), ref: 0040FEBF
FillRect.USER32(?,?,?), ref: 0040FEDA

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$Client$ClipExcludeOffsetScreenWindow$FillH_prolog
String ID:
API String ID: 2829754061-0
Opcode ID: a1e94a32aca80788308f9a4a7c389a1c8c0c54db18e1fe3ac153e7bfbfa3f227
Instruction ID: a73ce9bda79fbec212a81581e63a10decd80d43ac0aadbe11745fb57dd1178f2
Opcode Fuzzy Hash: a1e94a32aca80788308f9a4a7c389a1c8c0c54db18e1fe3ac153e7bfbfa3f227
Instruction Fuzzy Hash: 2D3161B1208702AFD714DF54D841FABB7E8EBD8754F008A1EF59687290DB38E905CB66

Function 004236B0 Relevance: 6.1, APIs: 4, Instructions: 94windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000080,00000001,?), ref: 00423758
SendMessageA.USER32(?,00000080,00000000,?), ref: 0042376A
DestroyIcon.USER32(?), ref: 0042377D
DestroyIcon.USER32(?), ref: 0042378A

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: DestroyIconMessageSend
String ID:
API String ID: 1880505497-0
Opcode ID: 5b13a601d90bf6fcf1fcb77d118becdb68a5cd7017f423499b250a5624c2dd13
Instruction ID: 664f55baff4117f234de77506494c41f657370c326d94faf07bf6065ac5e2d12
Opcode Fuzzy Hash: 5b13a601d90bf6fcf1fcb77d118becdb68a5cd7017f423499b250a5624c2dd13
Instruction Fuzzy Hash: FF3140B57043116FD760DF65E880B9BB3F8AFD4710F40882EF99997340D678E9098B66

Function 004754A0 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000030,00000030,?,00000001), ref: 004754D1
SendMessageA.USER32(?,00000030,?,00000001), ref: 004754E9
GetStockObject.GDI32(00000011), ref: 004754F3
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 00475513

Part of subcall function 00475330: CreateFontIndirectA.GDI32 ref: 00475379

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend$CreateFontIndirectObjectStock
String ID:
API String ID: 1613733799-0
Opcode ID: 67eb7ee30a25135d42fb52d8951dd051642e8d2ad50c1b64829da85b8d43237b
Instruction ID: b16e4f3ab794995ebd9c0fc120756341cac50050cec47822c1be7abdd6033786
Opcode Fuzzy Hash: 67eb7ee30a25135d42fb52d8951dd051642e8d2ad50c1b64829da85b8d43237b
Instruction Fuzzy Hash: 14018C36201710AFDB949B54EC44FDB33A8AB88761F048849F6088B290C7B4EC82CBA4

Function 0041A590 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000005), ref: 0041A664
LoadCursorA.USER32(00000000,00007F00), ref: 0041A672

Strings

_EL_ServerSock, xrefs: 0041A67B

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CursorLoadObjectStock
String ID: _EL_ServerSock
API String ID: 3794545487-773586040
Opcode ID: d5dd14e51737f158113c52b7b7b420a4ef4b7d8531c09647edc1b6ea3c7e7ba5
Instruction ID: 5343f9fec49eb59e0af2b7d3c7ec03708f93ec0ee2e33a1098e736b08471ccac
Opcode Fuzzy Hash: d5dd14e51737f158113c52b7b7b420a4ef4b7d8531c09647edc1b6ea3c7e7ba5
Instruction Fuzzy Hash: 98319E71644B00AFD314DB58C841F6BB7E5EBC8B10F144A2EFA9A87390D674EC41CBA6

Function 0041B2C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000005), ref: 0041B3A0
LoadCursorA.USER32(00000000,00007F00), ref: 0041B3AE

Strings

_EL_ODBCDB, xrefs: 0041B3B7

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CursorLoadObjectStock
String ID: _EL_ODBCDB
API String ID: 3794545487-2286219941
Opcode ID: a170ced808f133104e1bfba9c22dc46fe5f5bd56d31c3664d3ed4bdabe0231a1
Instruction ID: c21c62346877b71f91e0e4d19dc82392a3d6d4537b5e80da3cb0c71bcedebdc1
Opcode Fuzzy Hash: a170ced808f133104e1bfba9c22dc46fe5f5bd56d31c3664d3ed4bdabe0231a1
Instruction Fuzzy Hash: A5317CB1644B10ABD354DB59CC42F6BB7E4EB88B10F104A1EFA56C7380D779E804CB95

Function 00411230 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000005), ref: 00411301
LoadCursorA.USER32(00000000,00007F00), ref: 0041130F

Part of subcall function 004298D0: GetClassInfoA.USER32(?,?,00000000), ref: 004298E8

Strings

_EL_Label, xrefs: 00411318

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ClassCursorInfoLoadObjectStock
String ID: _EL_Label
API String ID: 1762135420-1571322718
Opcode ID: d87ea742d6dfb760ebfad02d419f9a33a34228616917195f42907301d60aa0bc
Instruction ID: cd292f16dd3861ce7bd735d0c53f6c49a07c67fbcb063893dc82d9fb2c24c71d
Opcode Fuzzy Hash: d87ea742d6dfb760ebfad02d419f9a33a34228616917195f42907301d60aa0bc
Instruction Fuzzy Hash: 3B316DB1608710ABE314DB58CC41F6BB7E5EB88B10F104A1EF65A97390D774EC40CBAA

Function 004B83E2 Relevance: 4.5, APIs: 3, Instructions: 29windowCOMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 004B83EF
TranslateMessage.USER32(?), ref: 004B840F
DispatchMessageA.USER32(?), ref: 004B8416

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Message$CallbackDispatchDispatcherTranslateUser
String ID:
API String ID: 2960505505-0
Opcode ID: ced93d2f3d93479aa543da5d1159c345ed15b89c3a3350be1d81f9d194175ee5
Instruction ID: 2438e756da34c890513f913cb9df2b4ce08fc299a17c1120d2442d5ee1a7ca81
Opcode Fuzzy Hash: ced93d2f3d93479aa543da5d1159c345ed15b89c3a3350be1d81f9d194175ee5
Instruction Fuzzy Hash: 64E09232200521BFD3616B25AC48DBF3BADEF85B01704043EF501C6110DB64AC82CA79

Function 00413510 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0040DE80: GetSysColor.USER32(0000000F), ref: 0040DE8D

CreateSolidBrush.GDI32(00000000), ref: 004135A8

Strings

BUTTON, xrefs: 004135FF

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: BrushColorCreateSolid
String ID: BUTTON
API String ID: 2798526982-3405671355
Opcode ID: 970880c896d21e9f90f08df97ca1c43368b0221904b69677ed4fad6c4ac92aa9
Instruction ID: 0de8f7819e78de8f723fddec681ddf205cd941f4125e58353229fd78dfb94fa4
Opcode Fuzzy Hash: 970880c896d21e9f90f08df97ca1c43368b0221904b69677ed4fad6c4ac92aa9
Instruction Fuzzy Hash: 8D3192B1604B10ABD314DF55C841F9BB7E9EF88B04F008A1EF58687390E778E945C795

Function 004744F0 Relevance: 3.1, APIs: 2, Instructions: 92COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000005), ref: 004745C2
LoadCursorA.USER32(00000000,00007F00), ref: 004745D0

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CursorLoadObjectStock
String ID:
API String ID: 3794545487-0
Opcode ID: bfbecc808ef352fa5efa4d3dab7330b959ce8c7110892fb1e66c1a0995db2d38
Instruction ID: 9f599f2745ce9217b06b8c33a67e47603ebeae83dd740206fa372a7e9274d86f
Opcode Fuzzy Hash: bfbecc808ef352fa5efa4d3dab7330b959ce8c7110892fb1e66c1a0995db2d38
Instruction Fuzzy Hash: A83160B1644B10AFE314DB68CD41F6BB7E4EB88B10F408A1EF64A87780D778E801CB95

Function 00421040 Relevance: 3.1, APIs: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00008002,00000000,00000000), ref: 004210AE
GetParent.USER32(00000000), ref: 004210CA

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageParentSend
String ID:
API String ID: 928151917-0
Opcode ID: 59961e7f0ecdda44b26526bc55ada2c44b8b383cb293aef203c3b49ba6abc8e3
Instruction ID: e12b1099fd4d18491087c943bf41d96adabe49aa8070effa8c5673d87304a8c6
Opcode Fuzzy Hash: 59961e7f0ecdda44b26526bc55ada2c44b8b383cb293aef203c3b49ba6abc8e3
Instruction Fuzzy Hash: C311A3327053655BDB209A66A804BABB398AFA4754F814037ED04D7720D738EC81C6BD

Function 004BD8F6 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000000,00000000,004B9130,00000000,00000000,00000000,00000000,?,00000000,?,004AFF35,00000000,00000000,00000000,00000000,004A1163), ref: 004BD8FF
SetErrorMode.KERNELBASE(00000000,?,00000000,?,004AFF35,00000000,00000000,00000000,00000000,004A1163,00000000), ref: 004BD906

Part of subcall function 004BD959: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 004BD98A
Part of subcall function 004BD959: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 004BDA2B
Part of subcall function 004BD959: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004BDA58

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: 882ad133bf0242f773cda04c9ef6fd37683081e230452a0aaf0f5b4f4202c4ae
Instruction ID: e8618847e45455e2247a4e89849d28ff89cbe3854520f94c91e06c8987ddc148
Opcode Fuzzy Hash: 882ad133bf0242f773cda04c9ef6fd37683081e230452a0aaf0f5b4f4202c4ae
Instruction Fuzzy Hash: C7F04FB49043154FD754EF65D485B497BD4AF88714F05849FF4448B362DB78D840CF69

Function 004A6736 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,004A10E1,00000001), ref: 004A6747

Part of subcall function 004A65EE: GetVersionExA.KERNEL32 ref: 004A660D

HeapDestroy.KERNEL32 ref: 004A6786

Part of subcall function 004A9F95: HeapAlloc.KERNEL32(00000000,00000140,004A676F,000003F8), ref: 004A9FA2

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: c77bc41f6243d46b59d9702365ed8f121847890dcee3057ea4f54cab44cb798f
Instruction ID: 96cf6d44f366beedc74cb683316e906a2fbbb83f5028e713695cb197a76fad40
Opcode Fuzzy Hash: c77bc41f6243d46b59d9702365ed8f121847890dcee3057ea4f54cab44cb798f
Instruction Fuzzy Hash: 9EF065785243015EDB601B716C4576A36D0DB7678DF19442BF404C81A4EB6988D0E909

Function 0042A090 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

LoadImageA.USER32(?,?,00000001,00000020,00000020,00000000), ref: 0042A0AB
LoadImageA.USER32(?,?,00000001,00000010,00000010,00000000), ref: 0042A0BD

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ImageLoad
String ID:
API String ID: 306446377-0
Opcode ID: f1473f51eece5c9e4eea20c9fdaa71e2eeabd9c1c8f0909fefd5db7064ac9f5f
Instruction ID: 8f5cf6a9073ccf11600f225c2279c0c508b3eda8570d21729e3708fc935b1f8e
Opcode Fuzzy Hash: f1473f51eece5c9e4eea20c9fdaa71e2eeabd9c1c8f0909fefd5db7064ac9f5f
Instruction Fuzzy Hash: 48E0ED323813117BD620CE5A8C85F9BF7A9EB8DB10F100819B344AB1D1C2F1B4458669

Function 004B539E Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 004B53C5
CallWindowProcA.USER32(?,?,?,?,?), ref: 004B53DA

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: dad7fae872a8aa5a94abb038789a95ff456ad675147a97237c87dce810631e7c
Instruction ID: f7b59952f87702ddc46532f80de439e34f3471458ddbf9cbff536ef7c41082fa
Opcode Fuzzy Hash: dad7fae872a8aa5a94abb038789a95ff456ad675147a97237c87dce810631e7c
Instruction Fuzzy Hash: 3AF0F836100604EFDF114F94DC04EDABBF9FF083A1B048829F94586220D772E860AB64

Function 004B7E85 Relevance: 3.0, APIs: 2, Instructions: 27threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004B7E98
SetWindowsHookExA.USER32(000000FF,004B81DA,00000000,00000000), ref: 004B7EA8

Part of subcall function 004BD098: __EH_prolog.LIBCMT ref: 004BD09D

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID:
API String ID: 2183259885-0
Opcode ID: 7d482d0d0c862dca97a04aca425f0fb1cd7aee47e7b4e515a2b2a461c8dfdef7
Instruction ID: 3d578628774f676033c7fe4e90379ddd5a5b98b09a39fdf9857ef41d16bcf0db
Opcode Fuzzy Hash: 7d482d0d0c862dca97a04aca425f0fb1cd7aee47e7b4e515a2b2a461c8dfdef7
Instruction Fuzzy Hash: 80F0A031804640ABC7707BB1A84EBDA3A91AF14719F040A9EB5125B1E2CBAC9881877D

Function 004B4FD3 Relevance: 3.0, APIs: 2, Instructions: 25threadCOMMON

Download Yara Rule

APIs

Part of subcall function 004BD003: TlsGetValue.KERNEL32(00540F94,00000000,?,004B36DD,004BC39A,?,?,004B36BA,?,0040BC52,000007DD,?,00000000), ref: 004BD042

GetCurrentThreadId.KERNEL32 ref: 004B4FF5
SetWindowsHookExA.USER32(00000005,004B4DDD,00000000,00000000), ref: 004B5005

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CurrentHookThreadValueWindows
String ID:
API String ID: 933525246-0
Opcode ID: 1d96cec28a2ee9ad71cacc9f64149e635432e687dda74ba7cbb65374b56ef1c5
Instruction ID: b3542002f4d3b7f4e374d26dec11b322843b36d5d4c2d331f3bb78514d50208e
Opcode Fuzzy Hash: 1d96cec28a2ee9ad71cacc9f64149e635432e687dda74ba7cbb65374b56ef1c5
Instruction Fuzzy Hash: EBE06D31600B00AEC7307F629805B9BB6E4EB90B15F10453FF20685680D7B4A8458FBE

Function 004A2B75 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00000000,?,?), ref: 004A2C5C

Part of subcall function 004A8DF4: InitializeCriticalSection.KERNEL32(00000000,?,?,?,004A2ACD,00000009,?,?,00000000), ref: 004A8E31
Part of subcall function 004A8DF4: EnterCriticalSection.KERNEL32(?,?,?,004A2ACD,00000009,?,?,00000000), ref: 004A8E4C

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 4a2efd11fa4bf1dbdbb12b4ceac37020b2d7d5edaaa67a1ef9657b0ce9840a04
Instruction ID: 213cce28df6829c63ba203f62e0c1a8c6d3ff48521fb2a01f41bd94945668457
Opcode Fuzzy Hash: 4a2efd11fa4bf1dbdbb12b4ceac37020b2d7d5edaaa67a1ef9657b0ce9840a04
Instruction Fuzzy Hash: A621F631A00605ABCB10DF6DDE42BDEB7A4EB22734F24411BF811EB2D0C7BCA941A65C

Function 004B493A Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B493F

Part of subcall function 004BD003: TlsGetValue.KERNEL32(00540F94,00000000,?,004B36DD,004BC39A,?,?,004B36BA,?,0040BC52,000007DD,?,00000000), ref: 004BD042

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: H_prologValue
String ID:
API String ID: 3700342317-0
Opcode ID: c82efa709df947b8725432acfacd952fc5ef44f89730f8bc16e14b02aaa002af
Instruction ID: 3d0ac73ae49a7a5dae4bd8310e7503111f420d55958f8cdb414d8dc2a249411f
Opcode Fuzzy Hash: c82efa709df947b8725432acfacd952fc5ef44f89730f8bc16e14b02aaa002af
Instruction Fuzzy Hash: 68218E72900209EFCF01DF54C481AEE7BB9FF45318F00406AF915AB241D778AE54CBA4

Function 004B5061 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,00000080,00446531,?,?,?,?,?,?,?,?,?), ref: 004B50FF

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: cadb6f2084c8e0fb2e19b3086ed0757c521d4d8d64b151f76a369418f2b7cb18
Instruction ID: 391142ec6ec8393f84c0dcad0fa6c28b0e31ce8b7ecc0e4ca41a1f9669301ac6
Opcode Fuzzy Hash: cadb6f2084c8e0fb2e19b3086ed0757c521d4d8d64b151f76a369418f2b7cb18
Instruction Fuzzy Hash: C131BD75A00219AFCF41DFA8C845ADEBBF1BF4C300F10406AF918E7210E7359A519FA4

Function 0040CFB0 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,00000000,?,?,00002800,00000000), ref: 0040D04E

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 9bf9109e034ac204f5a07b2d4bfa89a5f044ebfb45e6144ac947561d0b2ed9e5
Instruction ID: dc97973252b2d0974e5c1dfae6fa05dd537b0b842f2cf2179bc23ea8cd2d7258
Opcode Fuzzy Hash: 9bf9109e034ac204f5a07b2d4bfa89a5f044ebfb45e6144ac947561d0b2ed9e5
Instruction Fuzzy Hash: ED1168755003005BD314E776DC85D6BB3E8AF94718F00893EB94997281EA3CE809C7AA

Function 004B4BB1 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5d4ce85075bbc45606840c5af15bc9b43c169e5262ccde2c6aab80ed11f9bb
Instruction ID: 9550e09aa48fe211f550829b9a4acab4d254c439116a0c7ffbf7f7b077ddb24e
Opcode Fuzzy Hash: 1d5d4ce85075bbc45606840c5af15bc9b43c169e5262ccde2c6aab80ed11f9bb
Instruction Fuzzy Hash: F0F0A032009219FBCF125E919C00FEF3B28AF84360F008807FB4859022C379E661EBB9

Function 00433AA0 Relevance: 1.5, APIs: 1, Instructions: 19networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,00000000), ref: 00433ABE

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 671af8ad0471200a6c26e81907fa8164f17f8c522499a064721ccb16f08a4288
Instruction ID: 53088b066305f48bd2db3475dfaf064c2e50ce2ad5d298bd0e937989c70c8ec2
Opcode Fuzzy Hash: 671af8ad0471200a6c26e81907fa8164f17f8c522499a064721ccb16f08a4288
Instruction Fuzzy Hash: D2E086705007105FD370DF2CC801A9177E4AB04711F50062EA5A9C22C0E3B9A4444B54

Function 004B74DD Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,?,00477FC1,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00477C1A), ref: 004B74EB

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 54b5ebbd9c5fd30504ddcdb59a5414d6cf8b2feada479262c327db65cf848c92
Instruction ID: 3d183c8eb615b419072891aa8798a9454c51ef215ff120ed50d70e93476332d1
Opcode Fuzzy Hash: 54b5ebbd9c5fd30504ddcdb59a5414d6cf8b2feada479262c327db65cf848c92
Instruction Fuzzy Hash: 54D09230208201EFCB458F60DA48A5ABBA2BF95705F208969E44A8A125D736EC52EB16

Function 004B751F Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 004B752D

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 0441c7e74b5f89f50c6132b0e12f1a1fdc08422241a16d14cdfe17f7d608781f
Instruction ID: 712358b913c9f230fcf57f39f9852d69ba254809a194035105784c11cfd9adfc
Opcode Fuzzy Hash: 0441c7e74b5f89f50c6132b0e12f1a1fdc08422241a16d14cdfe17f7d608781f
Instruction Fuzzy Hash: 88D05230308200AFCF448F20CA08E0ABBA2AFA0300B6094A8E00A8A120D732DC52EB45

Function 004B1BDD Relevance: 1.5, APIs: 1, Instructions: 8windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000444,00000000,?), ref: 004B1BF2

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6d658ab89f460abff94c4c4243fb6f9d84eeb7bd6a2b4076bc4ab24ef178e8a9
Instruction ID: 3ce17672a6579639d9c7d198311fada72e55a9d3c8465409d347bbb05e9572b9
Opcode Fuzzy Hash: 6d658ab89f460abff94c4c4243fb6f9d84eeb7bd6a2b4076bc4ab24ef178e8a9
Instruction Fuzzy Hash: D3C04CB1241200AFEB569F00DD05F167B64AB51700F214454B2049E1E2C2719851DB19

Function 004BCBEC Relevance: 1.3, APIs: 1, Instructions: 11memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000040,?,00540F94,004BCE5E,00000010,?,00540F94,?,004BD073,00540F84,00000000,?,?,004B36BA,?,0040BC52), ref: 004BCBF3

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 50c65bd347949dba6bc3143027ee6840bc603b5b621b5450f5f7937a68ce46c0
Instruction ID: d46619b8e49ef90ca407630cb1a134ea91f8889e0d926d1d5cd867d2497421e1
Opcode Fuzzy Hash: 50c65bd347949dba6bc3143027ee6840bc603b5b621b5450f5f7937a68ce46c0
Instruction Fuzzy Hash: EEC08C37A015325BC26222A9680AECFFD108B207A1F014823FF0896210CD349C4087FA

Non-executed Functions

Function 00481940 Relevance: 163.7, APIs: 37, Strings: 55, Instructions: 2745COMMON

Download Yara Rule

Strings

top, xrefs: 0048267B, 0048268D
href, xrefs: 004833CE
a:link, xrefs: 00483546
sub, xrefs: 00483260
icon, xrefs: 00482AB1
image, xrefs: 00482DED
bmp, xrefs: 0048273B
style, xrefs: 00482071
msg, xrefs: 00483469
underline, xrefs: 00481E33
center, xrefs: 004825A1, 004825B3
strikeout, xrefs: 00483F23
span, xrefs: 00483294, 0048355F
left, xrefs: 0048255B, 0048256D
middle, xrefs: 004826BD
body, xrefs: 00483128
event, xrefs: 0048347F
idres, xrefs: 00482EED
iddll, xrefs: 00482F18
bottom, xrefs: 004826F1, 00482703
class, xrefs: 00483615
a:hover, xrefs: 0048352D
sup, xrefs: 0048327A
font, xrefs: 00481EA5, 00481EBB
italic, xrefs: 00483F56
code, xrefs: 004831F8
link, xrefs: 004832DE
bkgnd, xrefs: 004820C3
weight, xrefs: 00482098
<body>, xrefs: 004819BE
small, xrefs: 00483246
</body>, xrefs: 004819EC
baseline, xrefs: 00482631, 00482643
face, xrefs: 00481F94
div, xrefs: 004832AE
ilst, xrefs: 00482DD3
big, xrefs: 0048322C
!#"", xrefs: 004836C1, 004836C8
bold, xrefs: 00481DA6
url, xrefs: 004833E4
transparent, xrefs: 004820D9
", xrefs: 0048366F
#, xrefs: 004836A0
width, xrefs: 00482376
color, xrefs: 00482043, 004823E1
size, xrefs: 00482013, 004823AD
tab, xrefs: 00483DE8
new_line, xrefs: 00483E83
string, xrefs: 00482E07
*, xrefs: 00484092
srcdll, xrefs: 00482F43
right, xrefs: 004825E7, 004825F9
strike, xrefs: 00481E8B
vcenter, xrefs: 004826D7, 00483DB4
pre, xrefs: 00483212

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID: !#""$"$#$*$</body>$<body>$a:hover$a:link$baseline$big$bkgnd$bmp$body$bold$bottom$center$class$code$color$div$event$face$font$href$icon$iddll$idres$ilst$image$italic$left$link$middle$msg$new_line$pre$right$size$small$span$srcdll$strike$strikeout$string$style$sub$sup$tab$top$transparent$underline$url$vcenter$weight$width
API String ID: 0-3545894080
Opcode ID: 16fc704333b4354b82d181a38ea0b947d24910ecff6439dccc39e664aff5e6d2
Instruction ID: 719d7ce6a59c19326fa227b92847922a6ea8be52c3b84ea11734655e20f6a625
Opcode Fuzzy Hash: 16fc704333b4354b82d181a38ea0b947d24910ecff6439dccc39e664aff5e6d2
Instruction Fuzzy Hash: CB336F706083819FC724EF55C885BAFB7E9AFD8704F04491EFA8997341DB78A904CB66

Function 0044A900 Relevance: 32.8, Strings: 26, Instructions: 305COMMON

Download Yara Rule

Strings

caps, xrefs: 0044AB94
baL, xrefs: 0044ABD0
intent outside defined range, xrefs: 0044A9EF
invalid ICC profile color space, xrefs: 0044AAA0
PCS illuminant is not D50, xrefs: 0044AA54
Gray color space not permitted on RGB PNG, xrefs: 0044AAE4
rtnm, xrefs: 0044AB37
unexpected NamedColor ICC profile class, xrefs: 0044AB7A
psca, xrefs: 0044AA28
unexpected DeviceLink ICC profile class, xrefs: 0044AB44
lcmn, xrefs: 0044AB20
tsba, xrefs: 0044AB29
ZYX, xrefs: 0044ABD7
rncs, xrefs: 0044AB8D
YARG, xrefs: 0044AA8E
BGR, xrefs: 0044AA95
RGB color space not permitted on grayscale PNG, xrefs: 0044AAC0
length does not match profile, xrefs: 0044A939
invalid rendering intent, xrefs: 0044A9CD
rtrp, xrefs: 0044AB86
unrecognized ICC profile class, xrefs: 0044AB9B
unexpected ICC PCS encoding, xrefs: 0044ABDE
invalid embedded Abstract ICC profile, xrefs: 0044AB61
tag count too large, xrefs: 0044AC04
knil, xrefs: 0044AB30
invalid signature, xrefs: 0044AA2F

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID: BGR$ ZYX$ baL$Gray color space not permitted on RGB PNG$PCS illuminant is not D50$RGB color space not permitted on grayscale PNG$YARG$caps$intent outside defined range$invalid ICC profile color space$invalid embedded Abstract ICC profile$invalid rendering intent$invalid signature$knil$lcmn$length does not match profile$psca$rncs$rtnm$rtrp$tag count too large$tsba$unexpected DeviceLink ICC profile class$unexpected ICC PCS encoding$unexpected NamedColor ICC profile class$unrecognized ICC profile class
API String ID: 0-319498373
Opcode ID: 79fc8afab5caa59be15d3377bbbcbef9fc7a42d3fad7f6f5b45c98ceae48b1e5
Instruction ID: 5cfa49c4024cf9cc7a69ac4d65179b13466eed18807142a171beaa848685e0e1
Opcode Fuzzy Hash: 79fc8afab5caa59be15d3377bbbcbef9fc7a42d3fad7f6f5b45c98ceae48b1e5
Instruction Fuzzy Hash: E8917BD364819017FB08DE2C9C92A777BD6DBC9301F1E84AAF985CA303E419D925C76A

Function 00428040 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 93libraryloaderwindowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0042804C
IsZoomed.USER32(?), ref: 0042805A
LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 00428084
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00428097
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004280A5
FreeLibrary.KERNEL32(00000000), ref: 004280DB
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004280F1
IsWindow.USER32(?), ref: 0042811E
ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 0042812B

Strings

GetMonitorInfoA, xrefs: 0042809D
User32.dll, xrefs: 00428079
H, xrefs: 004280C8
MonitorFromWindow, xrefs: 00428091

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
API String ID: 447426925-661446951
Opcode ID: 037a355204eb26820adc1be209fd657b58eb8d9d2017fe84d84b891611e2b922
Instruction ID: a1d71ad3972c1cd2e44a457cf919064dec5e288719dc94292da78327f9fca1f2
Opcode Fuzzy Hash: 037a355204eb26820adc1be209fd657b58eb8d9d2017fe84d84b891611e2b922
Instruction Fuzzy Hash: 6A317F71300715AFE7109F619C49F2FB7A8EF84B41F40842DF941E6290DBB8EC098B69

Function 004948D0 Relevance: 21.5, APIs: 11, Strings: 1, Instructions: 483keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004948F3
WindowFromPoint.USER32(?,?), ref: 00494903
GetTickCount.KERNEL32 ref: 0049491E
GetKeyState.USER32(?), ref: 004949A7
GetKeyState.USER32 ref: 00494A09
GetKeyState.USER32(00000010), ref: 00494A1C
GetKeyState.USER32(00000012), ref: 00494A2F
IsWindow.USER32(?), ref: 00494A51

Part of subcall function 004931F0: IsWindow.USER32 ref: 0049325E

Part of subcall function 00493E90: IsWindow.USER32(?), ref: 00493EE2

GetTickCount.KERNEL32 ref: 00494A75
UpdateWindow.USER32(?), ref: 00494EDE
GetTickCount.KERNEL32 ref: 00494EE4

Strings

VUUU, xrefs: 00494963

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$State$CountTick$CursorFromPointUpdate
String ID: VUUU
API String ID: 3762057037-2040033107
Opcode ID: 6bd23fb14e297ed9c153050ce1e248a9ed3bb1495b1820a3f294947690847238
Instruction ID: 96a8c3f3237df281d6bcbfbb8ecc7b8e121cd58cd80a36511263f882e7aee2f3
Opcode Fuzzy Hash: 6bd23fb14e297ed9c153050ce1e248a9ed3bb1495b1820a3f294947690847238
Instruction Fuzzy Hash: 410246342047018FDF24DE29C585F6BBBE6BBC8344F14492EE99AC7354DB78E8428B59

Function 00420CA0 Relevance: 18.3, APIs: 12, Instructions: 273windowthreadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00420CC5
IsWindow.USER32(0001040E), ref: 00420CE1
SendMessageA.USER32(0001040E,000083E7,?,00000000), ref: 00420CFA
ExitProcess.KERNEL32 ref: 00420D0F
FreeLibrary.KERNEL32(?), ref: 00420DF3
FreeLibrary.KERNEL32 ref: 00420E47
DestroyIcon.USER32(00010433), ref: 00420E97
DestroyIcon.USER32(00010435), ref: 00420EAE
IsWindow.USER32(0001040E), ref: 00420EC5
DestroyIcon.USER32(?,00000001,00000000,000000FF), ref: 00420F74
WSACleanup.WS2_32 ref: 00420FBF

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: DestroyIcon$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
String ID:
API String ID: 3816745216-0
Opcode ID: 8f88ed78c62f00142d9577b32d70bb9f252c93bc0926cc19182cb57365a79b05
Instruction ID: 774ef535766816b476afdd53bf512723de5c706cbdd861e9edcd8c9e9f1e430c
Opcode Fuzzy Hash: 8f88ed78c62f00142d9577b32d70bb9f252c93bc0926cc19182cb57365a79b05
Instruction Fuzzy Hash: BEB17A70700B119BC724DF75D9C5BABB7E4BF48300F90492EE96A87292CB74B980CB59

Function 0043CFE0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 88clipboardmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000042,?), ref: 0043D057
GlobalLock.KERNEL32(00000000), ref: 0043D073
GlobalUnlock.KERNEL32(00000000), ref: 0043D095
OpenClipboard.USER32(00000000), ref: 0043D09D
GlobalFree.KERNEL32(00000000), ref: 0043D0A9
EmptyClipboard.USER32 ref: 0043D0B1
SetClipboardData.USER32(0000C1B3,00000000), ref: 0043D0C3
CloseClipboard.USER32 ref: 0043D0C9

Strings

PL, xrefs: 0043D0DB

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID: PL
API String ID: 453615576-2418937307
Opcode ID: 058d7633005de00f77d3bbea440e2b5c57565b6265e525a08d54cfe919ab7950
Instruction ID: 972b5aa215125be65d96e9a46718fc511743ece23722e3efb8af9fccf78a036e
Opcode Fuzzy Hash: 058d7633005de00f77d3bbea440e2b5c57565b6265e525a08d54cfe919ab7950
Instruction Fuzzy Hash: 4B31D171604601AFC358EB65EC45F2FB7E8FB88B14F404A2EF85693291DB78E805CB56

Function 004B41E0 Relevance: 13.6, APIs: 9, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B41E5
FindResourceA.KERNEL32(?,00000000,00000005), ref: 004B421D
LoadResource.KERNEL32(?,00000000), ref: 004B4225

Part of subcall function 004B501F: UnhookWindowsHookEx.USER32(?), ref: 004B5044

LockResource.KERNEL32(?,?,?,00000000), ref: 004B4232
IsWindowEnabled.USER32(?), ref: 004B4265
EnableWindow.USER32(?,00000000), ref: 004B4273
EnableWindow.USER32(?,00000001), ref: 004B4301
GetActiveWindow.USER32 ref: 004B430C
SetActiveWindow.USER32(?,?,?,?,00000000), ref: 004B431A

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 401145483-0
Opcode ID: 10ecbb2e321593b801d7f6db219174a8a67f0860206253be4aa71455cd21d2c2
Instruction ID: 3919f5189e8512bf79ba792ae39d74e3870ff52df854518505c6f865554bc6b7
Opcode Fuzzy Hash: 10ecbb2e321593b801d7f6db219174a8a67f0860206253be4aa71455cd21d2c2
Instruction Fuzzy Hash: C641A030A007149FCF25AF65C84AAEEBBB5AFC4715F10051FF502A22A2CB799D41DB79

Function 00422180 Relevance: 12.9, APIs: 8, Instructions: 859COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f242af3167fa966695c4e8b7e642cfff3ce6c36ee6a35c70d9814a331bbb5f59
Instruction ID: b08b70f113d4629fd86c4df24c65655ca6b017f6a35c811c2639a9f5ab9c752a
Opcode Fuzzy Hash: f242af3167fa966695c4e8b7e642cfff3ce6c36ee6a35c70d9814a331bbb5f59
Instruction Fuzzy Hash: 46622371708311AFC724DF25D980BABB3E5AF84304F54452EF98A97341DB78E906CB9A

Function 00415190 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B2E42: InterlockedIncrement.KERNEL32(-000000F4), ref: 004B2E57

FindFirstFileA.KERNEL32(?,?,*.*), ref: 0041522A

Part of subcall function 004B02F0: __EH_prolog.LIBCMT ref: 004B02F5

Part of subcall function 004B30CD: InterlockedDecrement.KERNEL32 ref: 004B30E1

SendMessageA.USER32 ref: 004152D0
FindNextFileA.KERNEL32(?,00000010), ref: 004152DC
FindClose.KERNEL32(?), ref: 004152EF
SendMessageA.USER32(?,00001102,00000002,?), ref: 00415301

Strings

*.*, xrefs: 00415212

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Find$FileInterlockedMessageSend$CloseDecrementFirstH_prologIncrementNext
String ID: *.*
API String ID: 2486832813-438819550
Opcode ID: 8a73aadb131bb2b8a3cca6507f13aca6d674cf3f2db4230eea18143cb92dc384
Instruction ID: 1319d076af9395ae90fbbf389a3c1699b7bc8bf9595cc8cc44b32c1e6832e1b4
Opcode Fuzzy Hash: 8a73aadb131bb2b8a3cca6507f13aca6d674cf3f2db4230eea18143cb92dc384
Instruction Fuzzy Hash: 95418E71108381ABC314DF65C841FDBB3E8AF85714F00891EFAA5832D0DBB9D948CB66

Function 0043D140 Relevance: 10.6, APIs: 7, Instructions: 89clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0043D16D
GetClipboardData.USER32(0000C1B3), ref: 0043D186
CloseClipboard.USER32 ref: 0043D192
GlobalSize.KERNEL32(00000000), ref: 0043D1C8
GlobalLock.KERNEL32(00000000), ref: 0043D1D0
GlobalUnlock.KERNEL32(00000000), ref: 0043D1E8
CloseClipboard.USER32 ref: 0043D1EE

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Clipboard$Global$Close$DataLockOpenSizeUnlock
String ID:
API String ID: 2237123812-0
Opcode ID: 1ea770b96ba0e09aa12d05720e6647cd6436e49a4d5a13b22e3de7640173a116
Instruction ID: 081c51568b3bdad7b1bbe0d9d5eead1a462ad9f011fc426a93afc923f5f92f0b
Opcode Fuzzy Hash: 1ea770b96ba0e09aa12d05720e6647cd6436e49a4d5a13b22e3de7640173a116
Instruction Fuzzy Hash: 7D21AB717002019FDB14AB65F888E7FB3A9EF9C355F000A2EF905C3240EB29E904C7A6

Function 0044D35D Relevance: 10.5, Strings: 8, Instructions: 498COMMON

Download Yara Rule

Strings

rgb[gray] color-map: too few entries, xrefs: 0044D3DF
bad background index (internal error), xrefs: 0044DBEF
color map overflow (BAD internal error), xrefs: 0044DB49
rgb color-map: too few entries, xrefs: 0044D56C
bad data option (internal error), xrefs: 0044DAF8
rgb-alpha color-map: too few entries, xrefs: 0044D662
rgb+alpha color-map: too few entries, xrefs: 0044D5A7
rgb[ga] color-map: too few entries, xrefs: 0044D3A4

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID: bad background index (internal error)$bad data option (internal error)$color map overflow (BAD internal error)$rgb color-map: too few entries$rgb+alpha color-map: too few entries$rgb-alpha color-map: too few entries$rgb[ga] color-map: too few entries$rgb[gray] color-map: too few entries
API String ID: 0-1509944728
Opcode ID: c90f813cf10e47e8c12611903600643a44123be6c0d7882f4b0edae0f63aeb4d
Instruction ID: 46b23e2086e2d52edafbc312db7bbfe818f2ee2d229cd625f744d51112862218
Opcode Fuzzy Hash: c90f813cf10e47e8c12611903600643a44123be6c0d7882f4b0edae0f63aeb4d
Instruction Fuzzy Hash: 2002F271A083409BF714DF14C882B6BB7D5EBD5308F14052EF8849B382D6BDE945C79A

Function 00478510 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

NML, xrefs: 00478858

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: H_prologMetricsSystemWindow
String ID: NML
API String ID: 1206562782-3220718891
Opcode ID: 4ff8f7f581d7fcb3dcf2ec1f1db03f20c30a9868ec4ee1f73328d6fb5f31105b
Instruction ID: 6d97e4aec99769846510355a409fdcbde829b02c8ae99e8752d0602fc9a4b684
Opcode Fuzzy Hash: 4ff8f7f581d7fcb3dcf2ec1f1db03f20c30a9868ec4ee1f73328d6fb5f31105b
Instruction Fuzzy Hash: E1C11E747446029FC348CF28C984956BBE2FB89718B28C56DE54DCB316DA36EC43CB49

Function 00420690 Relevance: 6.1, APIs: 4, Instructions: 94fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(?,?), ref: 004206E2
FindClose.KERNEL32 ref: 004206F1
FindFirstFileA.KERNEL32(?,?), ref: 004206FD
FindClose.KERNEL32(00000000), ref: 0042075B

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: fcee46c995fc7a202323ad701560079cde9473cb6d4f275a6dcdc9cdc31754d7
Instruction ID: b7dd93deaa045dc60de3c1c54de4b8ff7fbc7ac5a87a6094ae77a62587b04338
Opcode Fuzzy Hash: fcee46c995fc7a202323ad701560079cde9473cb6d4f275a6dcdc9cdc31754d7
Instruction Fuzzy Hash: C6212D327047358BD3315A24EC846BBB3D4ABC4354F950626EC2587392E77DEC428B8A

Function 004B670B Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B7375: GetWindowLongA.USER32(00000000,000000F0), ref: 004B7381

GetKeyState.USER32(00000010), ref: 004B672F
GetKeyState.USER32(00000011), ref: 004B6738
GetKeyState.USER32(00000012), ref: 004B6741
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 004B6757

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: d8e8a82929f8fbc266aded226a4e3af4cb0c53e8d2fc3e0391cff24d15c9c403
Instruction ID: 9a3b2a63be2a88748813e02189306c1b302aebd67d30fb572dbcb195d5ba820a
Opcode Fuzzy Hash: d8e8a82929f8fbc266aded226a4e3af4cb0c53e8d2fc3e0391cff24d15c9c403
Instruction Fuzzy Hash: C5F0A73674134636EAA032A61D82FEA41146F80FDCF42443FB701BE1D18DBD9C42567C

Function 00434150 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

, xrefs: 00434189

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4dcf0ddfd60fad7bd3548f83fa4d62fc5c3fca6b00a5b875f963152c7053a75e
Instruction ID: 236d77b1b40f129d93ab44ee10aa694178928e9b95ca870ab3810b8abe057508
Opcode Fuzzy Hash: 4dcf0ddfd60fad7bd3548f83fa4d62fc5c3fca6b00a5b875f963152c7053a75e
Instruction Fuzzy Hash: 60518C712047419FD318DF65C881AABB7A4FB99358F00062EF952A3291DB38F945CB5A

Function 0044D8C2 Relevance: 5.2, Strings: 4, Instructions: 245COMMON

Download Yara Rule

Strings

palette color-map: too few entries, xrefs: 0044D940
bad background index (internal error), xrefs: 0044DBEF
color map overflow (BAD internal error), xrefs: 0044DB49
bad data option (internal error), xrefs: 0044DAF8

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID: bad background index (internal error)$bad data option (internal error)$color map overflow (BAD internal error)$palette color-map: too few entries
API String ID: 0-3263629853
Opcode ID: cc8b2278c8e1ad51dc7eb8e6d53e6fcdfaa2d53c1b2f76fb0c5806d6de474d18
Instruction ID: d17f437016d569ce91fc92176afef782491e4dc9140e45b58242fca77c14452e
Opcode Fuzzy Hash: cc8b2278c8e1ad51dc7eb8e6d53e6fcdfaa2d53c1b2f76fb0c5806d6de474d18
Instruction Fuzzy Hash: 8781CFB1A083419FE718CF18C891A7FB7E5EFC9344F14492EF48A87352D679E841875A

Function 004AD44C Relevance: 4.7, APIs: 3, Instructions: 207timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004A8DF4: InitializeCriticalSection.KERNEL32(00000000,?,?,?,004A2ACD,00000009,?,?,00000000), ref: 004A8E31
Part of subcall function 004A8DF4: EnterCriticalSection.KERNEL32(?,?,?,004A2ACD,00000009,?,?,00000000), ref: 004A8E4C

Part of subcall function 004A8E55: LeaveCriticalSection.KERNEL32(?,004A2C42,00000009,004A2C2E,?,?,00000000,?,?), ref: 004A8E62

GetTimeZoneInformation.KERNEL32(0000000C,?,?,?,0000000B,0000000B,?,004AD43D,004AD13E,?,?,?,?,004A3FFE,?,?), ref: 004AD49A
WideCharToMultiByte.KERNEL32(00000220,005415CC,000000FF,0000003F,00000000,?,?,004AD43D,004AD13E,?,?,?,?,004A3FFE,?,?), ref: 004AD530
WideCharToMultiByte.KERNEL32(00000220,00541620,000000FF,0000003F,00000000,?,?,004AD43D,004AD13E,?,?,?,?,004A3FFE,?,?), ref: 004AD569

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
String ID:
API String ID: 3442286286-0
Opcode ID: 0a62758b6e4be1de897c74bc97690b25d04556858f31f9573f742ba3c7b9ad49
Instruction ID: 9aec989801aab82db25426c3dd54759dba937ecc6cd4ac0960dcaed876112ae0
Opcode Fuzzy Hash: 0a62758b6e4be1de897c74bc97690b25d04556858f31f9573f742ba3c7b9ad49
Instruction Fuzzy Hash: 9F61E4759045409ED7219F19AC51BAA3BE8A77B314F14012FE0478A6E1D7784986EF0E

Function 00428BD0 Relevance: 4.5, APIs: 3, Instructions: 49keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 00428C01
GetKeyState.USER32(00000010), ref: 00428C16
GetKeyState.USER32(00000012), ref: 00428C2B

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 5acb0231bc42ceb1ddc9499afe89442d2ddb5a6b0c1db7f78dd5df6ab4e952d1
Instruction ID: fc2d8e60e084b32271f089427d977b8353cadd15d1f169b0241d78a9dcfe46e7
Opcode Fuzzy Hash: 5acb0231bc42ceb1ddc9499afe89442d2ddb5a6b0c1db7f78dd5df6ab4e952d1
Instruction Fuzzy Hash: A401F26AE4717905EE341266B9087FE89011720B90FD9003FE50C377958F8C4C8623BE

Function 0049C340 Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd71ea350755efc15e2dec8d1be63d3b3b1241824e12be6e7221b9b5ba5dfe8
Instruction ID: 06b0a18b3a4a4490f3fcccd800424a0ab32d9523df8c1e03d12ef427fe45df8f
Opcode Fuzzy Hash: 8dd71ea350755efc15e2dec8d1be63d3b3b1241824e12be6e7221b9b5ba5dfe8
Instruction Fuzzy Hash: 7DF03C31504109EBDF215F61CC88EAE7FB9AB04344F44C032FC1AD5161DB38DA65AB5D

Function 004B8232 Relevance: 4.5, APIs: 3, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 004B8259
GetKeyState.USER32(00000011), ref: 004B8262
GetKeyState.USER32(00000012), ref: 004B826B

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 142828813785d83091c2cb94d683b0c466d1042494787b4a2e7b5d03bfa6e30b
Instruction ID: 72a75299b995aac30e173ba6b8f7df6f7db2d61b25c8649684f220c160a22caf
Opcode Fuzzy Hash: 142828813785d83091c2cb94d683b0c466d1042494787b4a2e7b5d03bfa6e30b
Instruction Fuzzy Hash: 5BE09B3DD01A59DDEF4C52528900FF576945B007D4F4084EFE684AB0A5CEA89C82D779

Function 004B59AC Relevance: 3.4, APIs: 2, Instructions: 422COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B59B1
GetVersion.KERNEL32(00000007,?,?,00000000,00000000,?,0000C000,00000000,00000000,00000007), ref: 004B5B64

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: H_prologVersion
String ID:
API String ID: 1836448879-0
Opcode ID: 80046d3473927ef852c777f76b6e4d1db8fd4e156cfdeb1784a1b8d21d9c2d54
Instruction ID: f40ac6e1f4dfe082c9783542a22b6fab0ef4aae82816210168b5934593267092
Opcode Fuzzy Hash: 80046d3473927ef852c777f76b6e4d1db8fd4e156cfdeb1784a1b8d21d9c2d54
Instruction Fuzzy Hash: 70E18F70504605EBDB14DF65CC85FFEB7B9AF48314F10851AF806AA291D738EA02DB79

Function 00458F50 Relevance: 3.3, Strings: 2, Instructions: 788COMMON

Download Yara Rule

Strings

libpng does not support gamma+background+rgb_to_gray, xrefs: 004593DC
invalid background gamma type, xrefs: 0045975C

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID: invalid background gamma type$libpng does not support gamma+background+rgb_to_gray
API String ID: 0-3995106164
Opcode ID: d9098245da90a309d64780ec6acae5e7e95d71ec4b84113b0d60d4d2ccce6d02
Instruction ID: 8150b0dffed58160bbd19e661f34c5de8a5b95dcb5168d7df8664218fbe9791b
Opcode Fuzzy Hash: d9098245da90a309d64780ec6acae5e7e95d71ec4b84113b0d60d4d2ccce6d02
Instruction Fuzzy Hash: 52621835108B818AD3219F35C8417F7BBE1AF9A305F08496EDDEA87353E639E809C759

Function 00424360 Relevance: 3.2, APIs: 2, Instructions: 209windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00424490

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: 7b2be96888aedef4068ce29a25e4e8a028956ee9f2915fa6694109629f6d54f3
Instruction ID: cf2913bda4d0c23dc6e4aa317917c62d02cd85884e0ce2ef5f91f240649e8f94
Opcode Fuzzy Hash: 7b2be96888aedef4068ce29a25e4e8a028956ee9f2915fa6694109629f6d54f3
Instruction Fuzzy Hash: 3081AB76214711CBD350CF28D480B8AB7E5FBE9310F10886EE59ACB350D776E896CB61

Function 00428A20 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 00428A30
FindClose.KERNEL32(00000000), ref: 00428A3C

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 2bdb5b90b94a69be0b7fa563b29cf14b3227a6fad34a1fa02d994016d16cded1
Instruction ID: 2e2c3de7133c66cea48cb5c11a61b5bfb172645487e548790abf2f399256de75
Opcode Fuzzy Hash: 2bdb5b90b94a69be0b7fa563b29cf14b3227a6fad34a1fa02d994016d16cded1
Instruction Fuzzy Hash: 5CD0A7B45005405BD7159B74EC08ABF3698B784320FC40A39BD3CC52F0FA7ED8588511

Function 0044DE20 Relevance: 2.9, Strings: 2, Instructions: 445COMMON

Download Yara Rule

Strings

color-map index out of range, xrefs: 0044DE6F
bad encoding (internal error), xrefs: 0044DFCD

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID: bad encoding (internal error)$color-map index out of range
API String ID: 0-7351992
Opcode ID: 8cefdd31a6f9143020f390e55d80c3af6c634ce989f6977e6933278a841b89cf
Instruction ID: e161fc75225324e17f925f19556c9a9ef2dfd9787f783146404f951603a85aaf
Opcode Fuzzy Hash: 8cefdd31a6f9143020f390e55d80c3af6c634ce989f6977e6933278a841b89cf
Instruction Fuzzy Hash: F1F10672A083128BD718CF29D88166AB3D2FFD8304F08467EE859D7351E63DE905CB95

Function 00458760 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Row has too many bytes to allocate in memory, xrefs: 00458A2C
VUUU, xrefs: 00458878

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID: Row has too many bytes to allocate in memory$VUUU
API String ID: 0-4092465491
Opcode ID: 865c826c0bd6646e6013ab6767293c3e47b222a3104e1daad76c9c420419db26
Instruction ID: 4a38adba0de1653ae2521283bfb4012fafd71430f5356aa93ad5306f924044de
Opcode Fuzzy Hash: 865c826c0bd6646e6013ab6767293c3e47b222a3104e1daad76c9c420419db26
Instruction Fuzzy Hash: 7D912971604E404BD7299A38CC563F773D2EB85306F58452ED9A7E7393DE3C68488749

Function 00431FB0 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

d, xrefs: 004321F4
MTrk, xrefs: 0043212C

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID: MTrk$d
API String ID: 0-4044675371
Opcode ID: 7cce9ff1f73847370ad4606e60a7ee32a23aa458c0c8c4ca34b0662915b2a470
Instruction ID: db8b451209ee644539b2783013e34227c712f347cc5cfa47393e1bae0725629c
Opcode Fuzzy Hash: 7cce9ff1f73847370ad4606e60a7ee32a23aa458c0c8c4ca34b0662915b2a470
Instruction Fuzzy Hash: F291C171B006059FD718CF69C98096BB7E2EFC8304F24893EE84ACB355DA79E905CB55

Function 0044AC30 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

ICC profile tag outside profile, xrefs: 0044AD48
ICC profile tag start not a multiple of 4, xrefs: 0044ACF9

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID: ICC profile tag outside profile$ICC profile tag start not a multiple of 4
API String ID: 0-2051163487
Opcode ID: 619203378347b0857be748fe8529824cda8bd98b9eeb52220b8f312ce7a48361
Instruction ID: 0e1ccab91154306f454872c30a38d4e2ccd57f80585886768a91c3ec671fc07b
Opcode Fuzzy Hash: 619203378347b0857be748fe8529824cda8bd98b9eeb52220b8f312ce7a48361
Instruction Fuzzy Hash: 713105F360C79107E71CCA2D9C606A7BBE3ABC8245F1DC96DE4DAC3301E8259505C758

Function 004455D0 Relevance: 2.5, APIs: 1, Instructions: 1006COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb20861e2104d25a0669ee19fe0b6716adfb0f0a04a8f18d67f17356c59877c
Instruction ID: fcf4e49e08ce862de3affebdd950feaf471b1a173216a3507d9ac53e222d732e
Opcode Fuzzy Hash: 1fb20861e2104d25a0669ee19fe0b6716adfb0f0a04a8f18d67f17356c59877c
Instruction Fuzzy Hash: B9926871604F418FE729CF29C0906A7BBE2EF99304F24892EC5DB87B62D635B845CB45

Function 004618B0 Relevance: 2.3, Strings: 1, Instructions: 1089COMMON

Download Yara Rule

Strings

8#O, xrefs: 00462137

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID: 8#O
API String ID: 0-2381530714
Opcode ID: 34100c07ec183b6e467bef77863f26b66340e29af82924b2f48976396983f556
Instruction ID: aa87b4a53749c09f3cd52d365495b5b84295638612e4043e9b0d31e24ae10c13
Opcode Fuzzy Hash: 34100c07ec183b6e467bef77863f26b66340e29af82924b2f48976396983f556
Instruction Fuzzy Hash: 7D927FB5A047018FCB08CF19D98052ABBF5FFC9310F18896EE8998B355E735E845CB96

Function 00469A50 Relevance: 1.8, Strings: 1, Instructions: 503COMMON

Download Yara Rule

Strings

$O, xrefs: 0046A03E

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID: $O
API String ID: 0-3498517077
Opcode ID: 99384a62394c5d69f1960a2c255a33ee18bd49d433a00e06182e99a89a55ecc5
Instruction ID: b2a67236bd8e3970968547394d630dc73d4c7d3d8af84dc395a4ab4db86a34a1
Opcode Fuzzy Hash: 99384a62394c5d69f1960a2c255a33ee18bd49d433a00e06182e99a89a55ecc5
Instruction Fuzzy Hash: 7E1228B46087018FC708CF29D590A2ABBE5FB88314F148A6EE48AC7751E774ED45CF5A

Function 004AD202 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000AD1BC), ref: 004AD207

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5ed541df277bb7883b75ca748839f8fb57ee259a7aefa5b77b95d45a71d36ff2
Instruction ID: 90ac1177bc48e53a75c5a5630e3b9c067a813c4aa5ba6e2b9ecf9a66d931318a
Opcode Fuzzy Hash: 5ed541df277bb7883b75ca748839f8fb57ee259a7aefa5b77b95d45a71d36ff2
Instruction Fuzzy Hash: F2A002B8985E11CB8B809F70EE4D9C83AE1AAB774672413AAE40385664DB7410C5AE5D

Function 004AD214 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 004AD219

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fbbc4885a07fed5165496bf006cda065b87f327a42986d714c0f22831cf1a343
Instruction ID: de783d1f73561f197f157915620a1349f574637bc5f248759cfb096d393aec72
Opcode Fuzzy Hash: fbbc4885a07fed5165496bf006cda065b87f327a42986d714c0f22831cf1a343
Instruction Fuzzy Hash:

Function 00461D2E Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69dd6761702e63d6a6c2a234b12257e0aaf314d1c63f1a083034c2d940b91a69
Instruction ID: a853f63a0802c1aab6a396938a4f41a61bb41d9a2e8c139f5902ff4731856bfa
Opcode Fuzzy Hash: 69dd6761702e63d6a6c2a234b12257e0aaf314d1c63f1a083034c2d940b91a69
Instruction Fuzzy Hash: FC125FB16047018FCB18CF19C99062BBBE6EFC9700F18896EE8858B355E775EC45CB96

Function 00461F7E Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5b4ccc866a9e92abda67cf69a29e06b3a08d0b1c6cf5cb1870c09eca1a3e202
Instruction ID: 653f46f9fb9b237c7972e1266def86d3e2b0c3cf7d3985d50d52cc22614209f4
Opcode Fuzzy Hash: b5b4ccc866a9e92abda67cf69a29e06b3a08d0b1c6cf5cb1870c09eca1a3e202
Instruction Fuzzy Hash: CC125FB16047018FCB18CF19C99062BBBE6EFC9700F18896EE8858B355E775EC45CB96

Function 004AE55A Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdee3387b24dda78d44e629cdfb8b2ff4f890c72a9adfb7835d30c953870425d
Instruction ID: 473b7c0858397168da022a1fdcf26126382af07a2adc138b723f7f70f34a17e1
Opcode Fuzzy Hash: fdee3387b24dda78d44e629cdfb8b2ff4f890c72a9adfb7835d30c953870425d
Instruction Fuzzy Hash: 2FE11270D54209DEEB24DF97C4153FE7BB5AB32305F68042BD421AB292D37C8982DB5A

Function 00476037 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b70dd9cab3ecbc947052dacb93aaf79e37d198360882a44ffafc9cecf72a90e
Instruction ID: a239a1a3373763fa3e73fb075c3681711ee4a36dc525f037506bbb6979bbcae4
Opcode Fuzzy Hash: 0b70dd9cab3ecbc947052dacb93aaf79e37d198360882a44ffafc9cecf72a90e
Instruction Fuzzy Hash: 74D11D763086108FD314EF79E491A9B73E1ABC8B14F008C2FE586CB395D775A842CB95

Function 0045C130 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1008982b072d085ec10cc6531e9accb091682c531d7f6e279eb15a422e6556
Instruction ID: bac819763068886adbbed712739dd19afb5136e380fbfd49758c591aaa045122
Opcode Fuzzy Hash: 0d1008982b072d085ec10cc6531e9accb091682c531d7f6e279eb15a422e6556
Instruction Fuzzy Hash: F8C1212120A7824FDB198E6C94E96BBBFD1DB5A311B0881FEC9C5CB323D525940EC394

Function 0045C830 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7d6e5bdf9180fc249a7cdffd82ac3d4432134ef2b1545fd9ebd85a9bab015f
Instruction ID: 0d90bbead5075252d87e26d54c54a5458ee4fd103628c8e5a1f5398fa93df551
Opcode Fuzzy Hash: bd7d6e5bdf9180fc249a7cdffd82ac3d4432134ef2b1545fd9ebd85a9bab015f
Instruction Fuzzy Hash: B3D1C76150D7D28FD722CE2894A03A6FFD1AFA6305F188ADED8D44F347D266980DC396

Function 004541D0 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919e586aa5b97c90856df4e4a509eb189464da0d3c89c356621d08320a2e332d
Instruction ID: 40ad4948af455edc32aa9067fdd28526e7117abd0b78046908acbf3de85f742d
Opcode Fuzzy Hash: 919e586aa5b97c90856df4e4a509eb189464da0d3c89c356621d08320a2e332d
Instruction Fuzzy Hash: E6E117B5600A018FD334CF19C490A22FBF1EF89315B25C96EE99ACB761D735E845CB54

Function 0045AC10 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdb0e9a48f9cc5b8454a5ea312c92bd26660b050e477f45892fe8a81102f325
Instruction ID: 6e6c72b7cec238dcf990f8b9e43bc4a65ce52b8453421129e794eed24fd715e9
Opcode Fuzzy Hash: dcdb0e9a48f9cc5b8454a5ea312c92bd26660b050e477f45892fe8a81102f325
Instruction Fuzzy Hash: 3BD1C7356087828FC325CF29C4902A7FBE1FF99304F08866DE9D98B752D234D819CB96

Function 00429290 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6703c007e003a0c0642efa700d4a1d477b4240d2f112de0ae3d37c7339681250
Instruction ID: a25511f5cb6effa70b366d5d189994e1e8f149cf1c5aeb6fafa615ea21e14eda
Opcode Fuzzy Hash: 6703c007e003a0c0642efa700d4a1d477b4240d2f112de0ae3d37c7339681250
Instruction Fuzzy Hash: 0BC1C0327086A48FD725CE19E4603ABB7E2AF89744FD8445FE8C147392D3389D59C74A

Function 0046D770 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2cfd24bf9e050f241377462a68de46b627cc070a75655d7f76c31305d8c0592
Instruction ID: 711aefd8047274a97b206b639044b8ec4b9ba7ecaea6a38b65e10631e6275433
Opcode Fuzzy Hash: f2cfd24bf9e050f241377462a68de46b627cc070a75655d7f76c31305d8c0592
Instruction Fuzzy Hash: 46C19C72B087518FC718CF28D59012AFBE1FBD8310F194A6EE8DA93751D774A815CB8A

Function 00470260 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1db196fa67d0cdc0bf45c163848ddda3105165c7137449652c92379b33d130
Instruction ID: bccb916219195a24215a230f54e377562b26acd48cdbdd1fb359102de72c82bc
Opcode Fuzzy Hash: cc1db196fa67d0cdc0bf45c163848ddda3105165c7137449652c92379b33d130
Instruction Fuzzy Hash: 80D19B712092518FC319CF28E5D88E67BE1BFA8740F0E42F9C98A9B323D7719841CB55

Function 00462A90 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475f421b50620a97bdae8ea0bd49fe3c6d29aa349c425eb0dfbe551cf46c05d8
Instruction ID: 7439c522ee80e347df591c27a31939b87a282b5db2ea66b8cdf93e6b37e70ae7
Opcode Fuzzy Hash: 475f421b50620a97bdae8ea0bd49fe3c6d29aa349c425eb0dfbe551cf46c05d8
Instruction Fuzzy Hash: CCB13875214B418FD328CF29CA909A7B3E6FF89704B18892ED4CAC7B51EA75F841CB45

Function 0046EAB0 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5f6d9cafca4b6c24b41cc5f7d50e69081ce5b1075ce24fb2839c691b2bc076
Instruction ID: 7bb30ca09d508e12ee09ee7a50503c9c67519af6f8c0f315f55cec9a2f159cf3
Opcode Fuzzy Hash: bf5f6d9cafca4b6c24b41cc5f7d50e69081ce5b1075ce24fb2839c691b2bc076
Instruction Fuzzy Hash: 1BB13439214B418FD328CF29C9909A7B7E6BF89304B18892ED4DBC7B51E675F842CB45

Function 004AA7E6 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: b2223029d7bfde7f7f54f15c083ff7a50c0a5079535cf0e9af85f4d51fe00b10
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 0DB18C71A0020ADFDB15CF04C5D0AA9BBE1BF69318F24C19EC85A5B342C735EE56CB90

Function 00488670 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e5c1c0ef2821c5366d8ebc7a4f7d3a5b5a8e4eb0c160e7b9a23b994a4e59c1
Instruction ID: 69ab4917d23a1ce13d7070b824c84269e8cdba510b571d1b5e61ae2140ec9637
Opcode Fuzzy Hash: 07e5c1c0ef2821c5366d8ebc7a4f7d3a5b5a8e4eb0c160e7b9a23b994a4e59c1
Instruction Fuzzy Hash: CB718F76B002064B8718EE1DCD9056FB3E7ABD83117A8CA3EE946CB745EE35ED118784

Function 004682D0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
Instruction ID: 0a8636140240dbe685ea5bb144d7ed9ee4a0dc4a4849c20135cb171f17353e3c
Opcode Fuzzy Hash: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
Instruction Fuzzy Hash: E1A11875A087418FC314CF29C49085AFBF2BFC8704F198A6EE99997325E771E945CB42

Function 0045C600 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4664e54bd8655df0b62760be2564d86677a0bae60cff444b8354291ceb51d8c8
Instruction ID: 0b376fbb5bf4598af3009288e2b13945ad405c775ce6d6475ceaf64cd54d9426
Opcode Fuzzy Hash: 4664e54bd8655df0b62760be2564d86677a0bae60cff444b8354291ceb51d8c8
Instruction Fuzzy Hash: BD71B53550C7828ED711CF28C484666FFE2ABAA305F0CC69EC8C99B357D666E90DC791

Function 0045A3D0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5b054a703e9329a57af955cc5df081ae588c81077d962a1e520935708f16c2
Instruction ID: 8ebdd635d69ed824e3f2120fcaaa7303c2948204c1ffceb21861081d3914205b
Opcode Fuzzy Hash: 0a5b054a703e9329a57af955cc5df081ae588c81077d962a1e520935708f16c2
Instruction Fuzzy Hash: 785123213083554FC305CE2D989416AFBD29BCA212F188FAED8D9C7713E66598198786

Function 0045D270 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2a5cb89f538be3aed4898336e9be1642ac6661ed529f4ba01bc5022ca0a72b
Instruction ID: 778379abd316c457d134b48084b1cbb82b4d7037fbc2a60ce1982470a4354cb5
Opcode Fuzzy Hash: 9f2a5cb89f538be3aed4898336e9be1642ac6661ed529f4ba01bc5022ca0a72b
Instruction Fuzzy Hash: A5418332B019410BC778DA2A94A02EFB793DFC6312B28C4ABCD9F8B726D5355449CB85

Function 00476597 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Global$AllocUnlock
String ID:
API String ID: 279960016-0
Opcode ID: 8d2a05f41c9f32cbd75aed1939fac8aee9542a1582067e4a875efac539dc6da0
Instruction ID: 9aa98b94fe74d22d0f87eb08009a0a8b712f2b2512ebf8c24079e38a445e41b8
Opcode Fuzzy Hash: 8d2a05f41c9f32cbd75aed1939fac8aee9542a1582067e4a875efac539dc6da0
Instruction Fuzzy Hash: 79E086754253808EC311DF7CC8C5ED0B770AF17714F08188DD0C42B012D731A458CB59

Function 0043DE31 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead14f3472a84404c2a4f289e2047c5c810870463b27eed14730eb0fe15ac197
Instruction ID: 392ad7653e4b10bc28128dae72aeaa13f499a7fe066f5334453727f266990d19
Opcode Fuzzy Hash: ead14f3472a84404c2a4f289e2047c5c810870463b27eed14730eb0fe15ac197
Instruction Fuzzy Hash: D8D0A772D4076912D225551568072DBAAA04F22225F04646BBE0166251C66EC9458A9D

Function 00444A30 Relevance: 95.0, APIs: 53, Strings: 1, Instructions: 459windowsleepCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00444A52

Part of subcall function 00492110: EnumDisplaySettingsA.USER32(00000000,000000FF,?), ref: 0049211F

SetStretchBltMode.GDI32(00000000,00000000), ref: 00444A65
CreateCompatibleDC.GDI32(00000000), ref: 00444A72
CreateCompatibleDC.GDI32(00000000), ref: 00444A77
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00444AC8
SelectObject.GDI32(00000000,00000000), ref: 00444ADC
SelectObject.GDI32(?,?), ref: 00444B06
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 00444B28
SelectObject.GDI32(?,?), ref: 00444B38
SelectObject.GDI32(?,?), ref: 00444B44
GetTickCount.KERNEL32 ref: 00444B92
SelectObject.GDI32(?,?), ref: 00444BCA
SelectObject.GDI32(00000000,00000000), ref: 00444BE6
BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00444C0B
SelectObject.GDI32(00000000,?), ref: 00444C17
DeleteObject.GDI32(00000000), ref: 00444C1E
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00444C62
SelectObject.GDI32(00000000,00000000), ref: 00444C6E
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,00000000,00CC0020), ref: 00444C93
SelectObject.GDI32(00000000,?), ref: 00444C9F
SelectObject.GDI32(00000000,?), ref: 00444CA7
CreateCompatibleDC.GDI32(00000000), ref: 00444CBC
CreateCompatibleDC.GDI32(00000000), ref: 00444CC5
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00444CDB
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00444CF3
SelectObject.GDI32(00000000,?), ref: 00444D03
SelectObject.GDI32(00000000,?), ref: 00444D13
SetBkColor.GDI32(00000000,?), ref: 00444D25
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00444D46
SetBkColor.GDI32(00000000,?), ref: 00444D52
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00330008), ref: 00444D6F
BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 00444D94
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 00444DB1
BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,00EE0086), ref: 00444DD6
SelectObject.GDI32(00000000,?), ref: 00444DE2
DeleteObject.GDI32(00000000), ref: 00444DE9
SelectObject.GDI32(00000000,?), ref: 00444DF5
DeleteObject.GDI32(00000000), ref: 00444DFC
DeleteDC.GDI32(00000000), ref: 00444E09
DeleteDC.GDI32(00000000), ref: 00444E0C
SelectObject.GDI32(00000000,?), ref: 00444E45
DeleteObject.GDI32(?), ref: 00444E4C
IsWindow.USER32(?), ref: 00444E56
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00444EBA
BitBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00444EE4
SelectObject.GDI32(?,?), ref: 00444EF4
Sleep.KERNEL32(0000000A), ref: 00444F40
GetTickCount.KERNEL32 ref: 00444F46
DeleteObject.GDI32(00000000), ref: 00444F73
DeleteDC.GDI32(00000000), ref: 00444F80
DeleteDC.GDI32(?), ref: 00444F87
ReleaseDC.USER32(?,00000000), ref: 00444F8E

Part of subcall function 00497F10: GetClientRect.USER32(?,?), ref: 00497F37
Part of subcall function 00497F10: __ftol.LIBCMT ref: 0049800E
Part of subcall function 00497F10: __ftol.LIBCMT ref: 00498021

Strings

|L, xrefs: 00444B4E

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Object$Select$Delete$Create$Compatible$Bitmap$ColorCountStretchTick__ftol$ClientDisplayEnumModeRectReleaseSettingsSleepWindow
String ID: |L
API String ID: 1975044605-2485112798
Opcode ID: de40936ecd89d120816bc9aca01b17188a45b46a8a195bc962f31f7b2e0388a5
Instruction ID: dca183c21d48e0a33e256ebf32cfff6fde1964fd29b03a9c8fbc53944287774a
Opcode Fuzzy Hash: de40936ecd89d120816bc9aca01b17188a45b46a8a195bc962f31f7b2e0388a5
Instruction Fuzzy Hash: 7502E4B4204700AFE360DB65CC85F6BB7E9FB88B04F14491DFA9693290CB74F8458B69

Function 004983C0 Relevance: 80.0, APIs: 53, Instructions: 459windowsleepCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 004983E2

Part of subcall function 00492110: EnumDisplaySettingsA.USER32(00000000,000000FF,?), ref: 0049211F

SetStretchBltMode.GDI32(00000000,00000000), ref: 004983F5
CreateCompatibleDC.GDI32(00000000), ref: 00498402
CreateCompatibleDC.GDI32(00000000), ref: 00498407
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00498458
SelectObject.GDI32(00000000,00000000), ref: 0049846C
SelectObject.GDI32(?,?), ref: 00498496
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 004984B8
SelectObject.GDI32(?,?), ref: 004984C8
SelectObject.GDI32(?,?), ref: 004984D4
GetTickCount.KERNEL32 ref: 00498522
SelectObject.GDI32(?,?), ref: 0049855A
SelectObject.GDI32(00000000,00000000), ref: 00498576
BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0049859B
SelectObject.GDI32(00000000,?), ref: 004985A7
DeleteObject.GDI32(00000000), ref: 004985AE
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004985F2
SelectObject.GDI32(00000000,00000000), ref: 004985FE
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,00000000,00CC0020), ref: 00498623
SelectObject.GDI32(00000000,?), ref: 0049862F
SelectObject.GDI32(00000000,?), ref: 00498637
CreateCompatibleDC.GDI32(00000000), ref: 0049864C
CreateCompatibleDC.GDI32(00000000), ref: 00498655
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0049866B
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00498683
SelectObject.GDI32(00000000,?), ref: 00498693
SelectObject.GDI32(00000000,?), ref: 004986A3
SetBkColor.GDI32(00000000,?), ref: 004986B5
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 004986D6
SetBkColor.GDI32(00000000,?), ref: 004986E2
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00330008), ref: 004986FF
BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 00498724
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 00498741
BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,00EE0086), ref: 00498766
SelectObject.GDI32(00000000,?), ref: 00498772
DeleteObject.GDI32(00000000), ref: 00498779
SelectObject.GDI32(00000000,?), ref: 00498785
DeleteObject.GDI32(00000000), ref: 0049878C
DeleteDC.GDI32(00000000), ref: 00498799
DeleteDC.GDI32(00000000), ref: 0049879C
SelectObject.GDI32(00000000,?), ref: 004987D5
DeleteObject.GDI32(?), ref: 004987DC
IsWindow.USER32(?), ref: 004987E6
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0049884A
BitBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00498874
SelectObject.GDI32(?,?), ref: 00498884
Sleep.KERNEL32(0000000A), ref: 004988D0
GetTickCount.KERNEL32 ref: 004988D6
DeleteObject.GDI32(00000000), ref: 00498903
DeleteDC.GDI32(00000000), ref: 00498910
DeleteDC.GDI32(?), ref: 00498917
ReleaseDC.USER32(?,00000000), ref: 0049891E

Part of subcall function 00497F10: GetClientRect.USER32(?,?), ref: 00497F37
Part of subcall function 00497F10: __ftol.LIBCMT ref: 0049800E
Part of subcall function 00497F10: __ftol.LIBCMT ref: 00498021

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Object$Select$Delete$Create$Compatible$Bitmap$ColorCountStretchTick__ftol$ClientDisplayEnumModeRectReleaseSettingsSleepWindow
String ID:
API String ID: 1975044605-0
Opcode ID: 7771dd362a57efba5ccf76c3288f216846910ba7a502244475dfba3299618626
Instruction ID: 1a9f33708510273779f842b6483f46d9963d5b973a1c98e2fbc2b6925b46499b
Opcode Fuzzy Hash: 7771dd362a57efba5ccf76c3288f216846910ba7a502244475dfba3299618626
Instruction Fuzzy Hash: 5802F5B5204700AFD360DB69CC85F2BB7E9FB89B04F10491DFA9693290CB74F8458B69

Function 00478D70 Relevance: 56.3, APIs: 8, Strings: 24, Instructions: 332COMMON

Download Yara Rule

APIs

Part of subcall function 00478D20: ClientToScreen.USER32(?,?), ref: 00478D43
Part of subcall function 00478D20: WindowFromPoint.USER32(?,?), ref: 00478D53

GetParent.USER32(00000000), ref: 00478DAB

Part of subcall function 004B345D: lstrlenA.KERNEL32(?,?,?,00420595,004E9FC0), ref: 004B346E

GetClassNameA.USER32(00000000,00000000,00000080), ref: 00478E17

Part of subcall function 004B313B: lstrlenA.KERNEL32(?,?,?,?,0042053D,004E9FE0), ref: 004B3165

Part of subcall function 004B30CD: InterlockedDecrement.KERNEL32 ref: 004B30E1

GetWindowTextA.USER32(00000000,?,00000080), ref: 00478E84
GetWindowLongA.USER32(00000000,000000F4), ref: 00478EFC
GetWindowLongA.USER32(00000000,000000F0), ref: 00478F26
GetWindowRect.USER32(00000000,?), ref: 00478F53
GetClassNameA.USER32(00000000,?,00000080), ref: 00479060
GetWindowTextA.USER32(00000000,?,00000080), ref: 004790E1

Part of subcall function 004B2E42: InterlockedIncrement.KERNEL32(-000000F4), ref: 004B2E57

Strings

<tr><td bgcolor=buttonface>Height</td><td bgcolor=white>%d</td></tr>, xrefs: 00478FC7
</table></td>, xrefs: 00479027
(UO, xrefs: 0047900A
<tr><td bgcolor=buttonface>X</td><td bgcolor=white>%d</td></tr>, xrefs: 00479189
<tr><td bgcolor=buttonface>Width</td><td bgcolor=white>%d</td></tr>, xrefs: 00478F9C
<tr><td bgcolor=buttonface>Handle</td><td bgcolor=white>0x%08X</td></tr>, xrefs: 00478EDD, 0047914A
</td></tr>, xrefs: 00478E5D, 00478ECA, 00479019, 004790B6, 00479137
</table></td></tr></table>, xrefs: 004791C9
<tr><td bgcolor=buttonface>Control ID</td><td bgcolor=white>%d</td></tr>, xrefs: 00478F07
N/A, xrefs: 004790A8, 00479129
<tr><td bgcolor=buttonface>Styles</td><td bgcolor=white>0x%08X</td></tr>, xrefs: 00478F31
<tr><td bgcolor=buttonface>Class Name</td><td bgcolor=white>, xrefs: 00479043
<td><font color=darkblue>Window Owner</font><table border=1>, xrefs: 00479035
<tr><td bgcolor=buttonface>RECT</td><td bgcolor=white>(%d, %d)-(%d, %d)</td></tr>, xrefs: 00478F71
<font color=darkblue>Mouse Cursor</font><table border=1>, xrefs: 00479174
<tr><td bgcolor=buttonface>Y</td><td bgcolor=white>%d</td></tr>, xrefs: 004791AD
<tr><td bgcolor=buttonface>Class Name</td><td bgcolor=window>, xrefs: 00478DFE
<table>, xrefs: 00478DD2
<tr><td><font color=darkblue>Window</font><table border=1>, xrefs: 00478DE8
(UO, xrefs: 00479010, 0047901E, 0047902C, 0047903A, 00479048
Yes, xrefs: 00479003, 0047900F
<tr><td bgcolor=buttonface>Has Tooltip</td><td bgcolor=white>, xrefs: 00478FE3
</table>, xrefs: 00479166
<tr><td bgcolor=buttonface>Title</td><td bgcolor=white>, xrefs: 00478E6B, 004790C4

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$ClassInterlockedLongNameTextlstrlen$ClientDecrementFromIncrementParentPointRectScreen
String ID: (UO$(UO$</table>$</table></td>$</table></td></tr></table>$</td></tr>$<font color=darkblue>Mouse Cursor</font><table border=1>$<table>$<td><font color=darkblue>Window Owner</font><table border=1>$<tr><td bgcolor=buttonface>Class Name</td><td bgcolor=white>$<tr><td bgcolor=buttonface>Class Name</td><td bgcolor=window>$<tr><td bgcolor=buttonface>Control ID</td><td bgcolor=white>%d</td></tr>$<tr><td bgcolor=buttonface>Handle</td><td bgcolor=white>0x%08X</td></tr>$<tr><td bgcolor=buttonface>Has Tooltip</td><td bgcolor=white>$<tr><td bgcolor=buttonface>Height</td><td bgcolor=white>%d</td></tr>$<tr><td bgcolor=buttonface>RECT</td><td bgcolor=white>(%d, %d)-(%d, %d)</td></tr>$<tr><td bgcolor=buttonface>Styles</td><td bgcolor=white>0x%08X</td></tr>$<tr><td bgcolor=buttonface>Title</td><td bgcolor=white>$<tr><td bgcolor=buttonface>Width</td><td bgcolor=white>%d</td></tr>$<tr><td bgcolor=buttonface>X</td><td bgcolor=white>%d</td></tr>$<tr><td bgcolor=buttonface>Y</td><td bgcolor=white>%d</td></tr>$<tr><td><font color=darkblue>Window</font><table border=1>$N/A$Yes
API String ID: 799831816-3860803107
Opcode ID: 43bbc497d40234afe5443f9a284690ea403bca9aad737ce38e0afd72c995e38a
Instruction ID: fb3c097474f2e7cacdd601c399d855d7574c389a63f12a0ffb539cfa477ff555
Opcode Fuzzy Hash: 43bbc497d40234afe5443f9a284690ea403bca9aad737ce38e0afd72c995e38a
Instruction Fuzzy Hash: 1EC19770108342AAC315EF62D942FEFB7D8AF94705F40491EB69552181EB78AA0CCB7B

Function 00411360 Relevance: 40.9, APIs: 27, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 124fd4646b5c2db5eaad7ecf8ff49687ffdbd4c96a2ea12aab1ede2ed465b582
Instruction ID: 7a5f53ae13decd5bd2a2932d8d9f5091695b8c7178d2077fab647d3e90e953a7
Opcode Fuzzy Hash: 124fd4646b5c2db5eaad7ecf8ff49687ffdbd4c96a2ea12aab1ede2ed465b582
Instruction Fuzzy Hash: 79D18EB2704605AFD704CFA8E8C4DABB7A9FB88365B10892AF105C7351C735EC91CBA4

Function 00452640 Relevance: 38.0, APIs: 25, Instructions: 452windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000010), ref: 004526C8

Part of subcall function 004BBFC4: SetBkColor.GDI32(?,?), ref: 004BBFD3
Part of subcall function 004BBFC4: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004BC005

GetSysColor.USER32(00000014), ref: 00452700
InflateRect.USER32(?,000000FF,000000FF), ref: 00452732
GetSysColor.USER32(00000016), ref: 0045274B
GetSysColor.USER32(0000000F), ref: 0045275B
DrawEdge.USER32(?,?,00000002,0000000F), ref: 00452794
GetDeviceCaps.GDI32(?), ref: 0045299E
RealizePalette.GDI32(?), ref: 004529C1
GetSysColor.USER32(00000014), ref: 004529D9
GetSysColor.USER32(0000000F), ref: 004529EB
GetSysColor.USER32(0000000F), ref: 004526A1

Part of subcall function 004BBF9A: SetBkColor.GDI32(?,0047CB8D), ref: 004BBFA4
Part of subcall function 004BBF9A: ExtTextOutA.GDI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004BBFBA

GetSysColor.USER32(0000000F), ref: 004527F8
InflateRect.USER32(?,000000FF,000000FF), ref: 00452831
GetSysColor.USER32(00000016), ref: 00452846
GetSysColor.USER32(0000000F), ref: 00452852
InflateRect.USER32(?,?,?), ref: 00452893
GetSysColor.USER32(00000010), ref: 00452897
Rectangle.GDI32(?,?,?,?,?), ref: 004528DE
DrawEdge.USER32(?,?,00000002,0000000F), ref: 00452919
DrawEdge.USER32(?,?,00000002,0000000F), ref: 00452A20
GetSysColor.USER32(00000010), ref: 00452A7D
CreatePen.GDI32(00000000,00000001,00000000), ref: 00452A84
InflateRect.USER32(?,?,?), ref: 00452AC3
Rectangle.GDI32(?,?,?,?,?), ref: 00452AE1
GetDeviceCaps.GDI32(?,00000026), ref: 00452B17

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Color$InflateRect$DrawEdge$CapsDeviceRectangleText$CreatePaletteRealize
String ID:
API String ID: 3119264602-0
Opcode ID: a0f60f2189f95325e89dab68f15992e3e0c0ae35385a2d26793ecb1ec7d7028d
Instruction ID: 3dfe09a29051f69b1d8a0e0391d5ba45a5340261350a998882de1f2f7b5fe92a
Opcode Fuzzy Hash: a0f60f2189f95325e89dab68f15992e3e0c0ae35385a2d26793ecb1ec7d7028d
Instruction Fuzzy Hash: 6CF14971204701AFD714DB65C985E6FB3E9FB88704F004A2EFA9687291DBB4E805CB66

Function 0048E3D0 Relevance: 36.3, APIs: 24, Instructions: 326windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 0048E3E5
CreateCompatibleDC.GDI32(?), ref: 0048E3F6
DeleteDC.GDI32(00000000), ref: 0048E3FF
CreateDIBSection.GDI32(00000000,00000000,00000000,?,00000000,00000000), ref: 0048E467
SelectObject.GDI32(00000000,00000000), ref: 0048E487
SelectObject.GDI32(00000000,?), ref: 0048E497
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00FF0062), ref: 0048E4D4
StretchBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0048E503
SelectObject.GDI32(00000000,?), ref: 0048E52C
SelectObject.GDI32(00000000,?), ref: 0048E538

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ObjectSelect$Create$Compatible$DeleteSectionStretch
String ID:
API String ID: 1655439153-0
Opcode ID: 25c19e861a793c89245da98cf832c39d59c31f79fa989f2def7db74047d548d3
Instruction ID: 851e1319eb830b278d850bc0a8382184299264f0f79725f6ca947409cfa0531c
Opcode Fuzzy Hash: 25c19e861a793c89245da98cf832c39d59c31f79fa989f2def7db74047d548d3
Instruction Fuzzy Hash: 71C1E5B0608300AFD354DF69D885E2FBBF8EB89704F04892EF98597350D774E9058B6A

Function 0048CC50 Relevance: 36.2, APIs: 24, Instructions: 180windowCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32 ref: 0048CC68
GetDC.USER32(00000000), ref: 0048CC78
CreateCompatibleDC.GDI32(00000000), ref: 0048CC8B
CreateCompatibleDC.GDI32(00000000), ref: 0048CC90
GetObjectA.GDI32(?,00000018,?), ref: 0048CCB9
CreateBitmap.GDI32(?,?,?,?,00000000), ref: 0048CCFE
SelectObject.GDI32(00000000,?), ref: 0048CD1C
SelectObject.GDI32(00000000,?), ref: 0048CD28
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0048CD4D
GetObjectA.GDI32(?,00000018,?), ref: 0048CD5F
CreateBitmap.GDI32(?,?,?,?,00000000), ref: 0048CD86
SelectObject.GDI32(00000000,?), ref: 0048CD9A
SelectObject.GDI32(00000000,?), ref: 0048CDA2
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0048CDC3
SelectObject.GDI32(00000000,?), ref: 0048CDCF
SelectObject.GDI32(00000000,?), ref: 0048CDD7
CreateIconIndirect.USER32(?), ref: 0048CDE6
DeleteObject.GDI32(00000000), ref: 0048CDFF
DeleteObject.GDI32(?), ref: 0048CE06
DeleteObject.GDI32(?), ref: 0048CE15
DeleteObject.GDI32(?), ref: 0048CE1C
DeleteDC.GDI32(00000000), ref: 0048CE25
DeleteDC.GDI32(00000000), ref: 0048CE28
ReleaseDC.USER32(00000000,00000000), ref: 0048CE2D

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Object$DeleteSelect$Create$BitmapCompatibleIconStretch$IndirectInfoRelease
String ID:
API String ID: 4115555686-0
Opcode ID: ec63c4a5da5ca8e19230f8456d406be63fb47aff9029c0ea98cb1dc4d634984e
Instruction ID: 383c5e706a862c250dfe52a04d4387c5a14123fa49673bc34537d491f4136f25
Opcode Fuzzy Hash: ec63c4a5da5ca8e19230f8456d406be63fb47aff9029c0ea98cb1dc4d634984e
Instruction Fuzzy Hash: 2C5116B1608705ABD210DB65DC84F2FBBECEBC9B40F04492DFA4197390DA74E8448BA6

Function 0048DF30 Relevance: 31.7, APIs: 21, Instructions: 230windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048C430: GetObjectA.GDI32(?,00000018,00000001), ref: 0048C449

CreateCompatibleDC.GDI32(?), ref: 0048DF6A
CreateCompatibleDC.GDI32(?), ref: 0048DF6F
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0048DF86
SelectObject.GDI32(00000000,?), ref: 0048DF96
SelectObject.GDI32(00000000,?), ref: 0048DFA6
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0048DFCF
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0048DFEE
SelectObject.GDI32(00000000,?), ref: 0048DFFA
DeleteObject.GDI32(?), ref: 0048E0F2
SelectObject.GDI32(00000000,?), ref: 0048E118
BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,008800C6), ref: 0048E139
SelectObject.GDI32(00000000,?), ref: 0048E145
BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00EE0086), ref: 0048E166
SelectObject.GDI32(00000000,?), ref: 0048E172
DeleteDC.GDI32(?), ref: 0048E183
DeleteDC.GDI32(00000000), ref: 0048E186
DeleteObject.GDI32(?), ref: 0048E18D
DeleteObject.GDI32(?), ref: 0048E190
DeleteObject.GDI32(?), ref: 0048E197
DeleteObject.GDI32(?), ref: 0048E19E
DeleteObject.GDI32(?), ref: 0048E1A5

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Object$Delete$Select$CompatibleCreate$BitmapStretch
String ID:
API String ID: 1616619681-0
Opcode ID: 36f75c9e4441a90a760cd3ee46a1f03c463e60fe6363e455ee608619779a42d3
Instruction ID: 90f1cf13a5c7eba306c613172a36fb61249baf7c3703d04e71815028c6e8abd1
Opcode Fuzzy Hash: 36f75c9e4441a90a760cd3ee46a1f03c463e60fe6363e455ee608619779a42d3
Instruction Fuzzy Hash: AD81F2B4608300AFD254DB59CC85E2FBBF9EBC9B40F54491DBA8593290CA74EC40CB6A

Function 0042D2C0 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 183windowmemoryCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(0000000F), ref: 0042D314
GetObjectA.GDI32(?,00000018,?), ref: 0042D327
SelectPalette.GDI32(?,00000000,00000000), ref: 0042D382
RealizePalette.GDI32(?), ref: 0042D38C
GlobalAlloc.KERNEL32(00000002,00000028), ref: 0042D396
SelectPalette.GDI32(?,?,00000000), ref: 0042D3AC
GlobalLock.KERNEL32(00000000), ref: 0042D3B4
GetDIBits.GDI32(?,?,00000000,?,00000000,00000000,00000000), ref: 0042D3E3
GlobalUnlock.KERNEL32(00000000), ref: 0042D439
GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 0042D442
GlobalLock.KERNEL32(00000000), ref: 0042D44F
GetDIBits.GDI32(?,?,00000000,?,00000000,00000000,00000000), ref: 0042D472
SelectPalette.GDI32(?,?,00000000), ref: 0042D485
GlobalUnlock.KERNEL32(00000000), ref: 0042D48C
GlobalFree.KERNEL32(00000000), ref: 0042D493

Part of subcall function 004B9B3D: __EH_prolog.LIBCMT ref: 004B9B42
Part of subcall function 004B9B3D: ReleaseDC.USER32(00000000,00000000), ref: 004B9B61

Strings

(, xrefs: 0042D33A

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Global$Palette$Select$AllocBitsLockObjectUnlock$FreeH_prologRealizeReleaseStock
String ID: (
API String ID: 3986717603-3887548279
Opcode ID: 68a4628a13ed195613a5aec3801bec945be84d08a8cc5c7b4fa1d6ac26e576ca
Instruction ID: cac75202f2de1c47aefeb9cbbf474cd91585f35d3874811cbd2f9dcf361709e1
Opcode Fuzzy Hash: 68a4628a13ed195613a5aec3801bec945be84d08a8cc5c7b4fa1d6ac26e576ca
Instruction Fuzzy Hash: 4D618C72A047509FC320DF64DC45B6FB7E8FB88710F54492DFA8597290CB78A805CBA6

Function 0048EA70 Relevance: 30.2, APIs: 20, Instructions: 173COMMON

Download Yara Rule

APIs

CreatePen.GDI32(?,?,?), ref: 0048EB08
SelectObject.GDI32(?,00000000), ref: 0048EB18
MoveToEx.GDI32(?,?,?,00000000), ref: 0048EB27
LineTo.GDI32(?,?,?), ref: 0048EB36
LineTo.GDI32(?,?,?), ref: 0048EB3F
MoveToEx.GDI32(?,00000000,?,00000000), ref: 0048EB5A
LineTo.GDI32(?,00000000,00000000), ref: 0048EB6D
LineTo.GDI32(?,?,?), ref: 0048EB82
SelectObject.GDI32(?,?), ref: 0048EB96
DeleteObject.GDI32(?), ref: 0048EBA1
CreatePen.GDI32(?,?,?), ref: 0048EBB6
SelectObject.GDI32(?,00000000), ref: 0048EBC2
MoveToEx.GDI32(?,?,?,00000000), ref: 0048EBD5
LineTo.GDI32(?,?,?), ref: 0048EBE6
LineTo.GDI32(?,?,?), ref: 0048EBEF
MoveToEx.GDI32(?,?,?,00000000), ref: 0048EC0D
LineTo.GDI32(?,?,?), ref: 0048EC24
LineTo.GDI32(?,?,?), ref: 0048EC2F
SelectObject.GDI32(?,?), ref: 0048EC37
DeleteObject.GDI32(?), ref: 0048EC42

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Line$Object$MoveSelect$CreateDelete
String ID:
API String ID: 3131041271-0
Opcode ID: 18a4dfe69a1caee465baaa74437c69157eaa2b543e2eb482fcc348dc591f1a0b
Instruction ID: d55863a400d8d52f9e1cb29ccf9148d1eb58c255727a540ae7fb3f002a0810fe
Opcode Fuzzy Hash: 18a4dfe69a1caee465baaa74437c69157eaa2b543e2eb482fcc348dc591f1a0b
Instruction Fuzzy Hash: 8C51E471608204AFD204DB65CC88E6FB7E8FBC9714F144A2EF98593250DB74E9468B66

Function 00446CB0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 331threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00446E1B
CreateSemaphoreA.KERNEL32(00000000,00000014,00000014,00000000), ref: 00446E30
InitializeCriticalSection.KERNEL32(?), ref: 00446E5B
CreateThread.KERNEL32(00000000,00000000,00447090,?,00000004,?), ref: 00446E90
EnterCriticalSection.KERNEL32(0050E860), ref: 00446EA2
LeaveCriticalSection.KERNEL32(0050E860,-000000FC,00000000,00000000), ref: 00447055
ResumeThread.KERNEL32(?), ref: 00447063
ReleaseSemaphore.KERNEL32(?,00000014,00000000), ref: 00447075

Strings

xP, xrefs: 00446FE7
xP, xrefs: 00446F6F
data, xrefs: 00446D55
xP, xrefs: 00446F8F
xP, xrefs: 00446FC2
RIFF, xrefs: 00446CC4, 00446CD8
fmt , xrefs: 00446D34
WAVE, xrefs: 00446CF1, 00446D08
xP, xrefs: 00447012

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CreateCriticalSection$SemaphoreThread$EnterEventInitializeLeaveReleaseResume
String ID: RIFF$WAVE$data$fmt $xP$xP$xP$xP$xP
API String ID: 1802393137-2194504001
Opcode ID: c5166abdf689457c84d102de0d493f8c4a5868e9a559e5217589bcdf15463c45
Instruction ID: 12ae8a538376c555c5fd208951357e2c6a412731765c0351171de6872c671186
Opcode Fuzzy Hash: c5166abdf689457c84d102de0d493f8c4a5868e9a559e5217589bcdf15463c45
Instruction Fuzzy Hash: CDB1E4B5A003005BE714DF24DC46A2B77E5FB98308F158A2EF94697381E678E905CB9A

Function 00425200 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 245COMMON

Download Yara Rule

APIs

SetWindowRgn.USER32(?,00000000,00000001), ref: 00425231
GetWindowRect.USER32(?,?), ref: 0042525E
BeginPath.GDI32(?), ref: 004252E7
MulDiv.KERNEL32(7FFF0000,?,00007FFF), ref: 00425300
MulDiv.KERNEL32(00000000,?,00007FFF), ref: 0042530F
MulDiv.KERNEL32(3FFF0000,?,00007FFF), ref: 00425337
MulDiv.KERNEL32(00000000,?,00007FFF), ref: 00425346
EndPath.GDI32(?), ref: 00425361
PathToRegion.GDI32(?), ref: 0042536C

Strings

gfff, xrefs: 0042543A
gfff, xrefs: 0042542A

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Path$Window$BeginRectRegion
String ID: gfff$gfff
API String ID: 3989698161-3084402119
Opcode ID: f7ea6e9545349feb59939977f898621ef80e54479036d8113172a6a6dcd53c6e
Instruction ID: 6ded5d4912e267c0d844d6630245310f4226b13f6e9a8d5e9ca157f2fba1f059
Opcode Fuzzy Hash: f7ea6e9545349feb59939977f898621ef80e54479036d8113172a6a6dcd53c6e
Instruction Fuzzy Hash: 6381D1B1A08741AFD314DF25DC45E6BBBE8EBD4344F44492EF58683390EA78AC44CB66

Function 0040C880 Relevance: 28.2, APIs: 3, Strings: 13, Instructions: 211fileCOMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32 ref: 0040C9BD
GetTempPathA.KERNEL32(00000104,?), ref: 0040CA29
DeleteFileA.KERNEL32(00000000,?,00000000,00000000,?,?,?,ODBC;FILEDSN=,00000000), ref: 0040CB11

Part of subcall function 004B345D: lstrlenA.KERNEL32(?,?,?,00420595,004E9FC0), ref: 004B346E

Strings

;DATABASE=, xrefs: 0040C970
DATABASE=, xrefs: 0040C98B
TbN, xrefs: 0040CB20
TbN, xrefs: 0040CA11
;PWD=, xrefs: 0040C93E
;UID=, xrefs: 0040C8F1
;WSID=, xrefs: 0040C9D4
;DRIVER=SQL Server;SERVER=, xrefs: 0040C8B2
ODBC;FILEDSN=, xrefs: 0040CA8B
~sqlsrv.dsn, xrefs: 0040CA39
WSID=, xrefs: 0040C9F0
[ODBC]DRIVER=SQL ServerSERVER=, xrefs: 0040C8A4
UID=, xrefs: 0040C90C

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ComputerDeleteFileNamePathTemplstrlen
String ID: DATABASE=$UID=$WSID=$;DATABASE=$;DRIVER=SQL Server;SERVER=$;PWD=$;UID=$;WSID=$ODBC;FILEDSN=$TbN$TbN$[ODBC]DRIVER=SQL ServerSERVER=$~sqlsrv.dsn
API String ID: 4099024784-1045279871
Opcode ID: 38e1bd7e4238ff8e5c5c1d77c30b165f4af9cc39539965c3fe6117f4c5aab978
Instruction ID: f5ad974ddd901c28dec7ffbf0cb689b766eae0a8cf25aaa3a20d046b678d793d
Opcode Fuzzy Hash: 38e1bd7e4238ff8e5c5c1d77c30b165f4af9cc39539965c3fe6117f4c5aab978
Instruction Fuzzy Hash: 1F71E470504345ABC704EF62C982DEF73A8AF94749F004A2EB556531D1EF78EA0DCB6A

Function 0048E1C0 Relevance: 27.2, APIs: 18, Instructions: 184windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0048C3B0: GetIconInfo.USER32(?,?), ref: 0048C3DE
Part of subcall function 0048C3B0: DeleteObject.GDI32(?), ref: 0048C405
Part of subcall function 0048C3B0: DeleteObject.GDI32(?), ref: 0048C410

CopyIcon.USER32(?), ref: 0048E1FC
GetIconInfo.USER32(00000000,?), ref: 0048E218
CreateCompatibleDC.GDI32(?), ref: 0048E22B
SelectObject.GDI32(00000000,00000000), ref: 0048E257
DeleteObject.GDI32(?), ref: 0048E2FA
SetTextColor.GDI32(?,00000000), ref: 0048E321
SelectObject.GDI32(00000000,?), ref: 0048E331
BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,008800C6), ref: 0048E34E
SelectObject.GDI32(00000000,?), ref: 0048E35A
BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00EE0086), ref: 0048E377
SetTextColor.GDI32(?,?), ref: 0048E383
SelectObject.GDI32(00000000,?), ref: 0048E38F
DeleteDC.GDI32(00000000), ref: 0048E396
DeleteObject.GDI32(?), ref: 0048E3A3
DeleteObject.GDI32(?), ref: 0048E3AA
DestroyIcon.USER32(?,?,?,?,0000000B), ref: 0048E3B1
DeleteObject.GDI32(?), ref: 0048E3BC
DeleteObject.GDI32(?), ref: 0048E3C3

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Object$Delete$IconSelect$ColorInfoText$CompatibleCopyCreateDestroy
String ID:
API String ID: 3765579803-0
Opcode ID: a6e2c6a201adda9c27e7a9132ca30c7520bd5de51295eac627658a14cc585696
Instruction ID: 14a4b272576498c7b7c2ddc69b7783c090ca66dbf37dafc6ffcdd7e1c62ee811
Opcode Fuzzy Hash: a6e2c6a201adda9c27e7a9132ca30c7520bd5de51295eac627658a14cc585696
Instruction Fuzzy Hash: 7251F575608300AFD254EB55DC84E2FBBF9EFC9744F14891EFA8193250CA75EC418BA6

Function 004B6A0C Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B7375: GetWindowLongA.USER32(00000000,000000F0), ref: 004B7381

GetParent.USER32(?), ref: 004B6A37
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 004B6A5A
GetWindowRect.USER32(?,?), ref: 004B6A73
GetWindowLongA.USER32(00000000,000000F0), ref: 004B6A86
CopyRect.USER32(?,?), ref: 004B6AD3
CopyRect.USER32(?,?), ref: 004B6ADD
GetWindowRect.USER32(00000000,?), ref: 004B6AE6
CopyRect.USER32(?,?), ref: 004B6B02

Strings

(, xrefs: 004B6A9E
@, xrefs: 004B6A75

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: ($@
API String ID: 808654186-1311469180
Opcode ID: 88ef564ab97224386089a0450f9240edfe5fbcbdec6dd0b83b6a35ef4d0faff8
Instruction ID: 8bd3b569f8f484eae449a28f0afea25c3acb1edfa3894fe603b8c8b0a8c4c4a7
Opcode Fuzzy Hash: 88ef564ab97224386089a0450f9240edfe5fbcbdec6dd0b83b6a35ef4d0faff8
Instruction Fuzzy Hash: A2515471A04619AFDF10DBA8CC85EEE7BB9AF48314F154126E901F3290D638FD458B68

Function 0048C470 Relevance: 25.7, APIs: 17, Instructions: 241windowCOMMON

Download Yara Rule

APIs

BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 0048C4AF
CreateCompatibleDC.GDI32(?), ref: 0048C4C2
CreateDIBSection.GDI32(?,00000000,00000000,?,00000000,00000000), ref: 0048C52D
SelectObject.GDI32(00000000,00000000), ref: 0048C551
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 0048C576
SelectObject.GDI32(00000000,?), ref: 0048C582
CreateDIBSection.GDI32(?,00000000,00000000,?,00000000,00000000), ref: 0048C5DA

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Create$ObjectSectionSelect$Compatible
String ID:
API String ID: 1895892527-0
Opcode ID: 1f5f0d01911be2e9cf47c8edfcd9b99eee2a9a4c167cf11c91c2478e9a899524
Instruction ID: 8beb1bef00d9e59e7247f8d75114ba0ac1195e9e6fb7de94bbd9fdee403e2bc2
Opcode Fuzzy Hash: 1f5f0d01911be2e9cf47c8edfcd9b99eee2a9a4c167cf11c91c2478e9a899524
Instruction Fuzzy Hash: EB91F4B5618300AFC304DF59D885E2FBBF8EBC9700F14892EFA8597250D775E8458B6A

Function 0043C6E0 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 320windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0043C6FE
SetCapture.USER32(?,?,?,?,?,?,?,?,?,004C0E68,000000FF,0043BF3D,?,?,?,?), ref: 0043C71B

Part of subcall function 004B9ACB: __EH_prolog.LIBCMT ref: 004B9AD0
Part of subcall function 004B9ACB: GetDC.USER32(?), ref: 004B9AF9

Part of subcall function 0044FD00: GetWindowExtEx.GDI32(?,?), ref: 0044FD23

Part of subcall function 004B99F9: GetWindowExtEx.GDI32(?,?), ref: 004B9A0A
Part of subcall function 004B99F9: GetViewportExtEx.GDI32(?,?), ref: 004B9A17
Part of subcall function 004B99F9: MulDiv.KERNEL32(?,00000000,00000000), ref: 004B9A3C
Part of subcall function 004B99F9: MulDiv.KERNEL32(?,00000000,00000000), ref: 004B9A57

Part of subcall function 004B958A: SetMapMode.GDI32(?,?), ref: 004B95A3
Part of subcall function 004B958A: SetMapMode.GDI32(?,?), ref: 004B95B1

Part of subcall function 004B94FF: SetROP2.GDI32(?,?), ref: 004B9518
Part of subcall function 004B94FF: SetROP2.GDI32(?,?), ref: 004B9526

Part of subcall function 004B94A3: SetBkMode.GDI32(?,?), ref: 004B94BC
Part of subcall function 004B94A3: SetBkMode.GDI32(?,?), ref: 004B94CA

Part of subcall function 004B9DE0: __EH_prolog.LIBCMT ref: 004B9DE5
Part of subcall function 004B9DE0: CreatePen.GDI32(?,?,?), ref: 004B9E08

Part of subcall function 004B93C7: SelectObject.GDI32(0040E855,00000000), ref: 004B93E9
Part of subcall function 004B93C7: SelectObject.GDI32(0040E855,?), ref: 004B93FF

GetCapture.USER32 ref: 0043C7E1
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0043C800
DispatchMessageA.USER32(?), ref: 0043C841
DispatchMessageA.USER32(?), ref: 0043C85D
ScreenToClient.USER32(?,?), ref: 0043C8A4
GetCapture.USER32 ref: 0043C8CC
ReleaseCapture.USER32 ref: 0043C8F4
ReleaseCapture.USER32 ref: 0043C950
DPtoLP.GDI32 ref: 0043C994
InvalidateRect.USER32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,?,?), ref: 0043CA1D
InvalidateRect.USER32(?,00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0043CAAB

Strings

L, xrefs: 0043C915

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Capture$Mode$Message$DispatchH_prologInvalidateObjectRectReleaseSelectWindow$ClientCreateScreenViewport
String ID: L
API String ID: 453157188-1778183444
Opcode ID: 22d839b073218817aff8a0faacb18d2c5ed951c129e1bb6ee126302ecf26ee78
Instruction ID: 8e25fd5dd6ec80978ed133842b145103899c513758727a44e238f80f1eaee48d
Opcode Fuzzy Hash: 22d839b073218817aff8a0faacb18d2c5ed951c129e1bb6ee126302ecf26ee78
Instruction Fuzzy Hash: 0EB1A771208704AFD324EB65C885F6FB7E9BF88704F10191EF19693291DB38E945CB6A

Function 0049C1C4 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,0049C2A1,0047852B,0000004C,00000000,?,?,?,?), ref: 0049C1E6
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0049C1FE
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0049C20F
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0049C220
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0049C231
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0049C242
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0049C253

Strings

MonitorFromPoint, xrefs: 0049C22B
GetMonitorInfoA, xrefs: 0049C24D
MonitorFromRect, xrefs: 0049C21A
USER32, xrefs: 0049C1E1
GetSystemMetrics, xrefs: 0049C1F8
MonitorFromWindow, xrefs: 0049C209
EnumDisplayMonitors, xrefs: 0049C23C

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2376520503
Opcode ID: 78059505d10dc56495c43515c1c2399c19a8526c745bdbbb3ac6240282ce9cf4
Instruction ID: e175f1990875e4636b578ea1407a4f0f93052cc68a08252708df44cae175126f
Opcode Fuzzy Hash: 78059505d10dc56495c43515c1c2399c19a8526c745bdbbb3ac6240282ce9cf4
Instruction Fuzzy Hash: 70115E74A40704BF87205FA5ACC056ABEE4B62AB09770193FE504D32E0DB78844EEB24

Function 004507B0 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 372COMMON

Download Yara Rule

APIs

Part of subcall function 004B9C33: __EH_prolog.LIBCMT ref: 004B9C38
Part of subcall function 004B9C33: BeginPaint.USER32(?,?,?,?,0047CAE2), ref: 004B9C61

Part of subcall function 0044FD00: GetWindowExtEx.GDI32(?,?), ref: 0044FD23

MulDiv.KERNEL32(?,00000064,?), ref: 0045086B
GetClientRect.USER32(?,?), ref: 004508F9
DPtoLP.GDI32(?,?,00000002), ref: 0045090E
OffsetRect.USER32 ref: 0045095D
Rectangle.GDI32(?,?,?,?,?), ref: 0045099B
FillRect.USER32(?,?,?), ref: 004509F3
FillRect.USER32(?,00000032,?), ref: 00450A36
LPtoDP.GDI32(?,?,00000002), ref: 00450ADF
IsRectEmpty.USER32(?), ref: 00450AE6
CreateRectRgnIndirect.GDI32(?), ref: 00450B2A

Part of subcall function 004B97F4: SelectClipRgn.GDI32(?,00000000), ref: 004B9816
Part of subcall function 004B97F4: SelectClipRgn.GDI32(?,?), ref: 004B982C

LPtoDP.GDI32(?,?,00000001), ref: 00450B6A
DPtoLP.GDI32(?,?,00000001), ref: 00450B91

Strings

2, xrefs: 00450955

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$ClipFillSelect$BeginClientCreateEmptyH_prologIndirectOffsetPaintRectangleWindow
String ID: 2
API String ID: 2521159323-450215437
Opcode ID: 289ffc371516dd46a086ba5a065ed7deee31d97f37c81083d4967a4065070b8e
Instruction ID: bac5b0ede46df6cd7c2934bb9449d1e3b474186bd90a27a52605742ad498ba68
Opcode Fuzzy Hash: 289ffc371516dd46a086ba5a065ed7deee31d97f37c81083d4967a4065070b8e
Instruction Fuzzy Hash: C6E12AB56087409FD324DF69C880B6BB7E5BBC8704F408A2EF59A83351DB74E909CB56

Function 00435B50 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 279COMMON

Download Yara Rule

APIs

GetProfileStringA.KERNEL32(windows,device,,,,,?,000001F4), ref: 00435BCF
GetProfileStringA.KERNEL32(devices,00000000,0050E7C8,?,00001000), ref: 00435C03
GetProfileStringA.KERNEL32(devices,?,,,,,?,000000C8), ref: 00435C8A

Strings

none, xrefs: 00435CC0
devices, xrefs: 00435BFE, 00435C85
windows, xrefs: 00435BCA
,,,, xrefs: 00435BC0, 00435C7F
device, xrefs: 00435BC5

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ProfileString
String ID: ,,,$device$devices$none$windows
API String ID: 1468043044-528626633
Opcode ID: 8dc41ff667c4b2e5facc0307605fd54249b4874e9430e3cc25b24f5a35e297d1
Instruction ID: 06bac7c222642ade258abe82d88ac1f53fdfd233176d38cde191eddeb0f9e833
Opcode Fuzzy Hash: 8dc41ff667c4b2e5facc0307605fd54249b4874e9430e3cc25b24f5a35e297d1
Instruction Fuzzy Hash: D3B1B8701087819FD320DF65C881FEFB7E4AF99758F504A1EF89583291DB789A08CB66

Function 004966E0 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 263windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 00496756
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00496776
CreateCompatibleDC.GDI32(?), ref: 004967B2
CreateCompatibleBitmap.GDI32(?,?,?), ref: 004967CF
FillRect.USER32(?,?,?), ref: 00496831
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 0049688B
BitBlt.GDI32(?,?,?,?,?,?,?,?,008800C6), ref: 004968CB

Part of subcall function 004B9474: SetBkColor.GDI32(?,?), ref: 004B948E
Part of subcall function 004B9474: SetBkColor.GDI32(?,?), ref: 004B949C

Part of subcall function 004B955B: SetTextColor.GDI32(?,?), ref: 004B9575
Part of subcall function 004B955B: SetTextColor.GDI32(?,?), ref: 004B9583

BitBlt.GDI32(?,?,?,?,?,?,?,?,008800C6), ref: 0049691A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 0049693C
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00496970

Strings

l>M, xrefs: 00496724
`>M, xrefs: 0049683F
`>M, xrefs: 004969A0

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ColorCreate$Compatible$BitmapText$FillRect
String ID: `>M$`>M$l>M
API String ID: 3528690866-756582174
Opcode ID: 1c6e3069ddba88819c9595304cbfd1785f7c9b52cb4b0e7be6860f09b1be8da8
Instruction ID: 7fb312780262128484bff419a4d9e8414e4a745bf506d0b536bf64f2ffbab6ce
Opcode Fuzzy Hash: 1c6e3069ddba88819c9595304cbfd1785f7c9b52cb4b0e7be6860f09b1be8da8
Instruction Fuzzy Hash: A7A16DB1208740AFD314DB65C885F6BB7E9EF89704F148A1DF69683291DB78EC04CB66

Function 004446E0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0044471E
FillRect.USER32(?,?,?), ref: 00444782
FillRect.USER32(?,?,?), ref: 004447EE
FillRect.USER32(?,?,?), ref: 00444867
CreateCompatibleDC.GDI32(?), ref: 00444893
SelectObject.GDI32(00000000,?), ref: 004448A9
SetStretchBltMode.GDI32(?,00000000), ref: 004448DD
StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00444914
BitBlt.GDI32(?,00000000,?,?,?,00000000,00000000,00000000,00CC0020), ref: 00444943

Part of subcall function 004B9E30: __EH_prolog.LIBCMT ref: 004B9E35
Part of subcall function 004B9E30: CreateSolidBrush.GDI32(?), ref: 004B9E52

SelectObject.GDI32(00000000,00000000), ref: 0044494B
DeleteDC.GDI32(00000000), ref: 00444958

Strings

|L, xrefs: 00444790
|L, xrefs: 00444875

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$Fill$CreateObjectSelectStretch$BrushClientCompatibleDeleteH_prologModeSolid
String ID: |L$|L
API String ID: 1645634290-3469970416
Opcode ID: c5afad0268a254c2f3b55b6c5f2f0f2d43189ebfe237c2e789bf925984cf2c23
Instruction ID: 2d5b1881bb5c3ff676288c264c483d3fe5e33e3f19912dd5d5a1bc3a82a66070
Opcode Fuzzy Hash: c5afad0268a254c2f3b55b6c5f2f0f2d43189ebfe237c2e789bf925984cf2c23
Instruction Fuzzy Hash: AF711EB52047419FE760DF64C884F6BB7E8FB99304F204A1EF59A93250D778E845CB26

Function 004B0DDD Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 119windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004BD003: TlsGetValue.KERNEL32(00540F94,00000000,?,004B36DD,004BC39A,?,?,004B36BA,?,0040BC52,000007DD,?,00000000), ref: 004BD042

RegisterWindowMessageA.USER32(commdlg_LBSelChangedNotify,004BC39A), ref: 004B0E35
RegisterWindowMessageA.USER32(commdlg_ShareViolation), ref: 004B0E41
RegisterWindowMessageA.USER32(commdlg_FileNameOK), ref: 004B0E4D
RegisterWindowMessageA.USER32(commdlg_ColorOK), ref: 004B0E59
RegisterWindowMessageA.USER32(commdlg_help), ref: 004B0E65
RegisterWindowMessageA.USER32(commdlg_SetRGBColor), ref: 004B0E71

Part of subcall function 004B7232: SetWindowLongA.USER32(?,000000FC,00000000), ref: 004B7261

SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 004B0F64

Strings

commdlg_ShareViolation, xrefs: 004B0E37
commdlg_SetRGBColor, xrefs: 004B0E67
commdlg_FileNameOK, xrefs: 004B0E43
commdlg_LBSelChangedNotify, xrefs: 004B0E30
commdlg_help, xrefs: 004B0E5B
commdlg_ColorOK, xrefs: 004B0E4F

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageWindow$Register$LongSendValue
String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 2377901579-3888057576
Opcode ID: e7da1820701d27383cfd2696ec3780a3a1f803a006a845340280db5064cbd4c8
Instruction ID: f1e0db97ebf885512cb2e8a6a3e4091dab8af65a442e350314035953869e6618
Opcode Fuzzy Hash: e7da1820701d27383cfd2696ec3780a3a1f803a006a845340280db5064cbd4c8
Instruction Fuzzy Hash: 9641BC34A046049BCF319F66DC44BEF3AA1FB54345F10046BF809973A0D7B89890DBAD

Function 00442390 Relevance: 22.8, APIs: 15, Instructions: 255windowCOMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 004423C6

Part of subcall function 004B9E30: __EH_prolog.LIBCMT ref: 004B9E35
Part of subcall function 004B9E30: CreateSolidBrush.GDI32(?), ref: 004B9E52

FillRect.USER32(?,?,00000000), ref: 00442404
GetSystemMetrics.USER32(0000002E), ref: 0044242D
GetSystemMetrics.USER32(0000002D), ref: 00442433
DrawFrameControl.USER32(?,?,00000003,?), ref: 004424A6
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 004424B9
InflateRect.USER32(?,00FFFFFD,00000001), ref: 004424D4
GetSysColor.USER32(0000000F), ref: 004424F8
Rectangle.GDI32(?,?,?,?,?), ref: 0044254B
OffsetRect.USER32(?,00000001,00000001), ref: 004425B5
GetSysColor.USER32(00000014), ref: 004425BB
OffsetRect.USER32(?,000000FF,000000FF), ref: 004425E3
GetSysColor.USER32(00000010), ref: 004425E9
InflateRect.USER32(?,000000FF,000000FF), ref: 00442632
DrawFocusRect.USER32(?,?), ref: 00442641

Part of subcall function 004B54D0: GetWindowTextLengthA.USER32(?), ref: 004B54DD
Part of subcall function 004B54D0: GetWindowTextA.USER32(?,00000000,00000000), ref: 004B54F5

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$ColorDraw$InflateMetricsOffsetSystemTextWindow$BrushControlCopyCreateEdgeFillFocusFrameH_prologLengthRectangleSolid
String ID:
API String ID: 4239342997-0
Opcode ID: 994e4a80ab1712b96ca048284b599da9de12645fe5e30a35c254fbaac075f762
Instruction ID: d20240a9b4fca00a53753a6c855ac533d5a0b7121aae8bc8353c2d8bd3970917
Opcode Fuzzy Hash: 994e4a80ab1712b96ca048284b599da9de12645fe5e30a35c254fbaac075f762
Instruction Fuzzy Hash: 62A15674208745AFD304DF64C888E6ABBE8FF88714F404A1DFA9587390DBB4E945CB66

Function 00441CB0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9C33: __EH_prolog.LIBCMT ref: 004B9C38
Part of subcall function 004B9C33: BeginPaint.USER32(?,?,?,?,0047CAE2), ref: 004B9C61

GetClientRect.USER32(?,?), ref: 00441CED
CreateCompatibleBitmap.GDI32 ref: 00441D22
CreateCompatibleDC.GDI32(?), ref: 00441D52

Part of subcall function 004B9374: SelectObject.GDI32(?,?), ref: 004B937C

PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00441D8A
GetObjectA.GDI32(00000000,00000018,?), ref: 00441DA5
CreateCompatibleDC.GDI32(?), ref: 00441DB0
SelectObject.GDI32(00000000,00000000), ref: 00441DC0
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00441DE3
SelectObject.GDI32(00000000,?), ref: 00441DEF
DeleteDC.GDI32(00000000), ref: 00441DF2
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00441E1B

Strings

@L, xrefs: 00441D66, 00441D70

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Object$CompatibleCreateSelect$BeginBitmapClientDeleteH_prologPaintRect
String ID: @L
API String ID: 1593221388-4040071769
Opcode ID: 1c15999551a9d737b034acaeffed4fcd7a89dc79875e37632e33dea8a1e53f9a
Instruction ID: c0cce446d69dce5a9b3359a8c0eb7acfd7999632ee3d180baabd5350eb4dc7f1
Opcode Fuzzy Hash: 1c15999551a9d737b034acaeffed4fcd7a89dc79875e37632e33dea8a1e53f9a
Instruction Fuzzy Hash: 22518E75208341AFD350DFA5CC49F6FBBE8EBC9704F444A2DB68583281DB78A8048B66

Function 004727B0 Relevance: 20.0, APIs: 13, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ad1c91478ad87ce4902977bb7ebdc28d78493d576627d1f9be65e46c69fbf3
Instruction ID: 1b0c083f5a3998621cadfa2b0665fe0348a6f82f66bde3465c50683a9ab6bfa7
Opcode Fuzzy Hash: f2ad1c91478ad87ce4902977bb7ebdc28d78493d576627d1f9be65e46c69fbf3
Instruction Fuzzy Hash: 94E16CB23007059FD320DF69D880AABB3E8EB84315F10892FF59ACB351D7B5E8558B65

Function 0040EB60 Relevance: 19.9, APIs: 13, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe0d72469c2d04f7ebc37fe96083ec8a3ace3e44275a0adf6e2375c1f6d306c
Instruction ID: eeb8bfc3133b352606f80735bf789c0b9e6be27cdf421f7f5dc404d167e97ba7
Opcode Fuzzy Hash: cfe0d72469c2d04f7ebc37fe96083ec8a3ace3e44275a0adf6e2375c1f6d306c
Instruction Fuzzy Hash: B1D17970205A019FD720CB25C880E2BB7E5EB48318F104D3FE55AE7B91E739E885CB5A

Function 00472370 Relevance: 19.9, APIs: 13, Instructions: 371windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001036,00000000,00000000), ref: 00472598
SendMessageA.USER32(?,00001003,00000000,00000124), ref: 004725F2
SendMessageA.USER32(?,00001003,00000002,0000012C), ref: 00472638
ImageList_SetBkColor.COMCTL32(?,00000000), ref: 004726A1
SendMessageA.USER32(?,00001208,00000000,00000000), ref: 004726D1
SendMessageA.USER32(?,00001024,00000000,?), ref: 004726E8
IsWindow.USER32(00000000), ref: 0047265D

Part of subcall function 0040DE80: GetSysColor.USER32(0000000F), ref: 0040DE8D

SendMessageA.USER32(?,00001026,00000000,00000000), ref: 00472702
SendMessageA.USER32(?,00001001,00000000,00000000), ref: 0047271C
LoadCursorA.USER32(00000000,00007F89), ref: 0047274C
LoadCursorA.USER32(?,000007D8), ref: 00472763
LoadCursorA.USER32(00000000,00007F00), ref: 00472770
SendMessageA.USER32(?,0000103E,00000000,00000000), ref: 0047277E

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend$CursorLoad$Color$ImageList_Window
String ID:
API String ID: 1757432420-0
Opcode ID: c2d810a607b4c245ff259fb9247f2912af2e95164a448414551afc3654541785
Instruction ID: 0cac0be1ab1cafbc12b94d738b4235ef7661c98e32dc7271d2ae7e8e692b4de4
Opcode Fuzzy Hash: c2d810a607b4c245ff259fb9247f2912af2e95164a448414551afc3654541785
Instruction Fuzzy Hash: 2BC18170700705ABE724DF75CD81FA7B3E8AB44744F44892EF95AC7381EBA8E8418769

Function 00420890 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 310libraryregistryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,0050DDC0,00000000), ref: 00420974
LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,004E9DA8,?,?,?,?,?,?,00000000,0050DDC0,00000000), ref: 004209B1
GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 004209E7
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,0050DDC0,00000000), ref: 004209F2
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,0050DDC0,00000000), ref: 00420A00
LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00420B0D
RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 00420B42
CLSIDFromString.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,0050DDC0,00000000), ref: 00420C07
UnRegisterTypeLib.OLEAUT32(?,00000000,00000000,00000000,00000001), ref: 00420C23

Strings

DllUnregisterServer, xrefs: 004209E0, 004209E5
DllRegisterServer, xrefs: 004209D9

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Library$LoadType$FreeRegister$AddressFromProcString
String ID: DllRegisterServer$DllUnregisterServer
API String ID: 2476498075-2931954178
Opcode ID: caea901107bd5322a909f93f1c7802b12f57daf318e7df48b6d64de8973639ec
Instruction ID: 81443bcc7144a41fdfb30dcd8c3737b298e4087c9e5f8929e73095326ff2cc4e
Opcode Fuzzy Hash: caea901107bd5322a909f93f1c7802b12f57daf318e7df48b6d64de8973639ec
Instruction Fuzzy Hash: DBB1C471A00219ABDB14DFA5D845FEFB7A8EF04318F50811EFC15A7282DB78AE05CB65

Function 00439440 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 004394B7
IsRectEmpty.USER32(?), ref: 004394C2
GetClientRect.USER32(00000000,?), ref: 00439501
DPtoLP.GDI32(?,?,00000002), ref: 00439513
LPtoDP.GDI32(?,?,00000002), ref: 00439550
CreateRectRgnIndirect.GDI32(?), ref: 00439568
OffsetRect.USER32(?,?,?), ref: 0043958D
LPtoDP.GDI32(?,?,00000002), ref: 0043959F

Part of subcall function 004B9DE0: __EH_prolog.LIBCMT ref: 004B9DE5
Part of subcall function 004B9DE0: CreatePen.GDI32(?,?,?), ref: 004B9E08

Part of subcall function 004B93C7: SelectObject.GDI32(0040E855,00000000), ref: 004B93E9
Part of subcall function 004B93C7: SelectObject.GDI32(0040E855,?), ref: 004B93FF

Part of subcall function 004B938B: GetStockObject.GDI32(?), ref: 004B9394
Part of subcall function 004B938B: SelectObject.GDI32(0040E855,00000000), ref: 004B93AE
Part of subcall function 004B938B: SelectObject.GDI32(0040E855,00000000), ref: 004B93B9

Part of subcall function 004B94FF: SetROP2.GDI32(?,?), ref: 004B9518
Part of subcall function 004B94FF: SetROP2.GDI32(?,?), ref: 004B9526

Rectangle.GDI32(?,?,?,?,?), ref: 00439613

Part of subcall function 004B97F4: SelectClipRgn.GDI32(?,00000000), ref: 004B9816
Part of subcall function 004B97F4: SelectClipRgn.GDI32(?,?), ref: 004B982C

Part of subcall function 004B9DCA: DeleteObject.GDI32(00000000), ref: 004B9DD9

Part of subcall function 004B9B3D: __EH_prolog.LIBCMT ref: 004B9B42
Part of subcall function 004B9B3D: ReleaseDC.USER32(00000000,00000000), ref: 004B9B61

Strings

L, xrefs: 0043962D
8L, xrefs: 00439578, 00439580

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ObjectSelect$Rect$ClipCreateH_prolog$ClientCopyDeleteEmptyIndirectOffsetRectangleReleaseStock
String ID: L$8L
API String ID: 2841338838-285489818
Opcode ID: 46ec6e0692d38404486b936f20e3c322027d28f5d07f6c08bd605d51bb5b2bf8
Instruction ID: 29c39c96a35da86db0b3639721e13cba5cf39de75bbf28c74abab271adbfcc8b
Opcode Fuzzy Hash: 46ec6e0692d38404486b936f20e3c322027d28f5d07f6c08bd605d51bb5b2bf8
Instruction Fuzzy Hash: C1614E71108740AFC314DF65C885EABB7E9EFC8718F408A1DF69683291DB78E905CB66

Function 00415B20 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 130stringprocessCOMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,?), ref: 00415BB8
lstrcatA.KERNEL32(?,\shell\open\command,80000000,.htm,?,?,?,?), ref: 00415BF7
lstrlenA.KERNEL32(?), ref: 00415C4C
lstrcatA.KERNEL32(00000000,004E9DBC), ref: 00415C95
lstrcatA.KERNEL32(00000000,?), ref: 00415C9D
WinExec.KERNEL32(?,?), ref: 00415CA5

Part of subcall function 004B30CD: InterlockedDecrement.KERNEL32 ref: 004B30E1

Strings

"%1", xrefs: 00415C1B
.htm, xrefs: 00415BD0
mailto:, xrefs: 00415B86
open, xrefs: 00415BB1
\shell\open\command, xrefs: 00415BF1

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: lstrcat$DecrementExecExecuteInterlockedShelllstrlen
String ID: "%1"$.htm$\shell\open\command$mailto:$open
API String ID: 51986957-2182632014
Opcode ID: 4f636e146deacb5f57a88e3c7657900d28fafeebb1d16a6c581f26d5c7163927
Instruction ID: 580a88e95afa87b46adc6e8aad3090fb5086324eaf754469cc24b8a730c76b39
Opcode Fuzzy Hash: 4f636e146deacb5f57a88e3c7657900d28fafeebb1d16a6c581f26d5c7163927
Instruction Fuzzy Hash: 55410072144752ABC320DF26CC80FEBB7A4ABC4751F104A1EF95593280F738AD45CBAA

Function 0048C730 Relevance: 18.2, APIs: 12, Instructions: 173windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0048C73D
CreateCompatibleDC.GDI32(00000000), ref: 0048C750
CreateCompatibleDC.GDI32(00000000), ref: 0048C759
SelectObject.GDI32(00000000,?), ref: 0048C765
CreateDIBSection.GDI32(?,00000000,00000000,?,00000000,00000000), ref: 0048C7CA
SelectObject.GDI32(?,00000000), ref: 0048C7EE
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0048C811
SelectObject.GDI32(?,?), ref: 0048C8D6
SelectObject.GDI32(?,?), ref: 0048C8E2
DeleteDC.GDI32(?), ref: 0048C8EB
DeleteDC.GDI32(?), ref: 0048C8EE
ReleaseDC.USER32(00000000,?), ref: 0048C8F7

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ObjectSelect$Create$CompatibleDelete$ReleaseSection
String ID:
API String ID: 1540106726-0
Opcode ID: ff91902f285b1184dbad8fe578f2754287500dca579ee94758f045fdc79268fe
Instruction ID: 21c24925d06acf3a1f8ab3cada17f348f889323c0ea0d94f9fd06794be2d59e6
Opcode Fuzzy Hash: ff91902f285b1184dbad8fe578f2754287500dca579ee94758f045fdc79268fe
Instruction Fuzzy Hash: BA5117B1644300AFD350EF29D885B2FB7E8EF88744F04492EF98593351D778E9448B6A

Function 0042ECD0 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 405COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,?,?), ref: 0042ED76

Part of subcall function 0042EAA0: SetRect.USER32(?,00000000,00000032,00000032,?), ref: 0042EB89
Part of subcall function 0042EAA0: OffsetRect.USER32(?,?,?), ref: 0042EB96
Part of subcall function 0042EAA0: IntersectRect.USER32(?,?,?), ref: 0042EBB2
Part of subcall function 0042EAA0: IsRectEmpty.USER32(?), ref: 0042EBBD

InflateRect.USER32(?,?,?), ref: 0042EDE9
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0042EFED
GetClipRgn.GDI32(?,00000000), ref: 0042EFFC
CreatePolygonRgn.GDI32 ref: 0042F07A
SelectClipRgn.GDI32(?,?), ref: 0042F15D
CreatePolygonRgn.GDI32(?,00000005,00000002), ref: 0042F180
SelectClipRgn.GDI32(?,?), ref: 0042F201
DeleteObject.GDI32(?), ref: 0042F217

Strings

gfff, xrefs: 0042EEDD

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$ClipCreate$InflatePolygonSelect$DeleteEmptyIntersectObjectOffset
String ID: gfff
API String ID: 1105800552-1553575800
Opcode ID: 68d8d635f08498ad732703892fb25b18f996386275a0094b78112d9b50ebf5f3
Instruction ID: a93c406a2983a8ac85c77596ca4f546132855f2e0da12759bf0e0de8d5cb3f93
Opcode Fuzzy Hash: 68d8d635f08498ad732703892fb25b18f996386275a0094b78112d9b50ebf5f3
Instruction Fuzzy Hash: 93F117B46083419FD364CF29D980B6BBBE5BFC8704F548A2EF98987350DB74A805CB56

Function 004262F0 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 387windowCOMMON

Download Yara Rule

APIs

IsChild.USER32(?,?), ref: 00426328
GetParent.USER32(?), ref: 004263B9
IsWindow.USER32(?), ref: 004264EB
IsWindowVisible.USER32(?), ref: 004264FD

Part of subcall function 004B7504: IsWindowEnabled.USER32(?), ref: 004B750E

GetParent.USER32(?), ref: 0042654E
IsChild.USER32(?,?), ref: 0042656E
GetParent.USER32(?), ref: 00426717
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00426734
IsWindow.USER32(?), ref: 0042678F

Part of subcall function 0041CA40: IsChild.USER32(?,?), ref: 0041CABD
Part of subcall function 0041CA40: GetParent.USER32(?), ref: 0041CAD7

Strings

hB, xrefs: 0042640E

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ParentWindow$Child$EnabledMessageSendVisible
String ID: hB
API String ID: 2452671399-4076494561
Opcode ID: b9937014ff0d3c6699cabf3acc29929076778e59db350b0a8eeaa43dae9cd438
Instruction ID: 4f8e91db79e7bf8a2292278471a79a607c3d00b7dd278a48086ff59ce1ef4582
Opcode Fuzzy Hash: b9937014ff0d3c6699cabf3acc29929076778e59db350b0a8eeaa43dae9cd438
Instruction Fuzzy Hash: 49E1BF716043619FC724DF25D880B6BB7E4BF94704F814A2EF98697381DB38E845CB9A

Function 004964E0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00496507

Part of subcall function 004B9E30: __EH_prolog.LIBCMT ref: 004B9E35
Part of subcall function 004B9E30: CreateSolidBrush.GDI32(?), ref: 004B9E52

AVIStreamGetFrame.AVIFIL32(?,?,?), ref: 00496533
CreateCompatibleDC.GDI32(?), ref: 0049656C
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00496596
FillRect.USER32(?,?,?), ref: 004965DA
DrawDibDraw.MSVFW32(?,?,?,?,?,?,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000), ref: 0049661C
FillRect.USER32(?,?,?), ref: 004966A7

Strings

`>M, xrefs: 004966BD
l>M, xrefs: 004965AA, 004965B4
`>M, xrefs: 00496658

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CreateRect$CompatibleDrawFill$BitmapBrushClientFrameH_prologSolidStream
String ID: `>M$`>M$l>M
API String ID: 2197082588-756582174
Opcode ID: b02d912a63d2e0f454b100421b85a7a7171c2cd5c9ea89ea21dc19a863d0bab4
Instruction ID: 480e9f2f9dfba54e4c147a5208841bf1fca326a4fdef8e41d92e84074c6bef05
Opcode Fuzzy Hash: b02d912a63d2e0f454b100421b85a7a7171c2cd5c9ea89ea21dc19a863d0bab4
Instruction Fuzzy Hash: 13515DB1208745AFC704DF69C885E6BB7E8FB89704F104A1EF69683290D778ED05CB66

Function 0047E840 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88stringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 00484CC0: DestroyIcon.USER32(?,00000000,?,0047E853,00000000,00000000,?,?,76C1EBD0), ref: 00484CDB

ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,?), ref: 0047E86E

Part of subcall function 0047E950: RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,00000000,00000000), ref: 0047E96A
Part of subcall function 0047E950: RegQueryValueA.ADVAPI32 ref: 0047E98E
Part of subcall function 0047E950: lstrcpyA.KERNEL32(?,00000000), ref: 0047E9A1
Part of subcall function 0047E950: RegCloseKey.ADVAPI32(?), ref: 0047E9AC

lstrcatA.KERNEL32(?,\shell\open\command,80000000,.htm,?), ref: 0047E8AD
lstrlenA.KERNEL32(?,?,?,?,?), ref: 0047E8FE
lstrcatA.KERNEL32(00000000,004F60A4,?,?), ref: 0047E913
lstrcatA.KERNEL32(00000000,?), ref: 0047E91E
WinExec.KERNEL32(?,?), ref: 0047E926

Strings

\shell\open\command, xrefs: 0047E8A7
open, xrefs: 0047E867
"%1", xrefs: 0047E8CD
.htm, xrefs: 0047E884

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: lstrcat$CloseDestroyExecExecuteIconOpenQueryShellValuelstrcpylstrlen
String ID: "%1"$.htm$\shell\open\command$open
API String ID: 384806968-1533145997
Opcode ID: cf271667840865421f44c1fd07b0f757f73e832686496596fef6aed6abafee9c
Instruction ID: 78e2cc7272e2b4a0f86a0d430d7b27dbf096f80ba0917dc90532baf85d3cb408
Opcode Fuzzy Hash: cf271667840865421f44c1fd07b0f757f73e832686496596fef6aed6abafee9c
Instruction Fuzzy Hash: 622135B32403056BC360EB51DC45FBF7398EB98745F104A2EFB4493180E768A90983A9

Function 0042D610 Relevance: 16.8, APIs: 11, Instructions: 265windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0042D64D
MulDiv.KERNEL32(?,?,00000064), ref: 0042D682
MulDiv.KERNEL32(?,?,00000064), ref: 0042D6AD
GetDeviceCaps.GDI32 ref: 0042D6E7
GetSystemPaletteEntries.GDI32(?,00000000,000000FF,00000004), ref: 0042D721
CreatePalette.GDI32(00000000), ref: 0042D72C
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0042D78C
CreateCompatibleDC.GDI32(?), ref: 0042D7BF
CreateCompatibleDC.GDI32(?), ref: 0042D7F8
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0042D85B
GlobalFree.KERNEL32(00000000), ref: 0042D923

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Create$Compatible$Palette$BitmapCapsDeviceEntriesFreeGlobalObjectStretchSystem
String ID:
API String ID: 3563226738-0
Opcode ID: ff5019d6de00094095d6fe56d026eef31e925723c56034c7c8ee455bacd738d7
Instruction ID: a63cc7a02376967b692dbfddff5ebe89591ca2f07bf1fe16b5a56bb20adfe881
Opcode Fuzzy Hash: ff5019d6de00094095d6fe56d026eef31e925723c56034c7c8ee455bacd738d7
Instruction Fuzzy Hash: 8691A0716083449FC310EB65D845F6FB7E8AB85704F504A1EF69583281DB78ED04CB6A

Function 00452120 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

GetTextExtentPoint32A.GDI32(?,?,?,00000090), ref: 0045219F
GetTextExtentPoint32A.GDI32(?,?,?,00000090), ref: 004521C4
GetWindowRect.USER32(?,?), ref: 0045224E
SetRect.USER32(00000080,?,?,?,?), ref: 00452283
SetRect.USER32(00000070,?,?,?,?), ref: 004522C8
SetRect.USER32(00000060,?,?,?,?), ref: 0045233B
GetSystemMetrics.USER32(00000001), ref: 00452366
GetSystemMetrics.USER32(00000000), ref: 0045236C
OffsetRect.USER32(00000080,00000000,00000000), ref: 00452384
OffsetRect.USER32(00000080,00000000,00000000), ref: 00452392
OffsetRect.USER32(00000080,00000000,00000000), ref: 004523A4

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$Offset$ExtentMetricsPoint32SystemText$Window
String ID:
API String ID: 1551820068-0
Opcode ID: 3569ff714b595fb036b1a9e05299b3d5e8a1a2f73a816d23a7e4ae9de582f611
Instruction ID: dd203fdd4ecd19e98409cfa518837485c625dac543d7e6ce0b623cbf51ecc188
Opcode Fuzzy Hash: 3569ff714b595fb036b1a9e05299b3d5e8a1a2f73a816d23a7e4ae9de582f611
Instruction Fuzzy Hash: C7913474200B059FD318CF29C985E6AF7E6FB88700F048A2DA95AC7755EB74FC098B64

Function 004980A0 Relevance: 16.7, APIs: 11, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004980DE
FillRect.USER32(?,?,?), ref: 00498142
FillRect.USER32(?,?,?), ref: 004981AE
FillRect.USER32(?,?,?), ref: 00498227
CreateCompatibleDC.GDI32(?), ref: 00498253
SelectObject.GDI32(00000000,?), ref: 00498269
SetStretchBltMode.GDI32(?,00000000), ref: 0049829D
StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 004982D4
BitBlt.GDI32(?,00000000,?,?,?,00000000,00000000,00000000,00CC0020), ref: 00498303

Part of subcall function 004B9E30: __EH_prolog.LIBCMT ref: 004B9E35
Part of subcall function 004B9E30: CreateSolidBrush.GDI32(?), ref: 004B9E52

SelectObject.GDI32(00000000,00000000), ref: 0049830B
DeleteDC.GDI32(00000000), ref: 00498318

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$Fill$CreateObjectSelectStretch$BrushClientCompatibleDeleteH_prologModeSolid
String ID:
API String ID: 1645634290-0
Opcode ID: 53e54b1943038123a59a5918fad3e89287d078057ec24101f29d58fb0fa2c57b
Instruction ID: 1808c51d41138ae8d44f604e32428238077854f729c7a6e36e51b57fe2ccebfc
Opcode Fuzzy Hash: 53e54b1943038123a59a5918fad3e89287d078057ec24101f29d58fb0fa2c57b
Instruction Fuzzy Hash: D47121B52047409FDB20DF68C885F6BBBE8FB99704F104A2EF59A93250DB74E845CB25

Function 0049D185 Relevance: 16.7, APIs: 11, Instructions: 185stringCOMMON

Download Yara Rule

APIs

#45.ODBC32 ref: 0049D1A1
#45.ODBC32(?,00000050,?,00000004,?), ref: 0049D1D8
#45.ODBC32(?,0000002E,?,00000002,?), ref: 0049D208
#45.ODBC32(?,00000017,?,00000002,?), ref: 0049D236
#45.ODBC32(?,00000018,?,00000002,?), ref: 0049D259
#45.ODBC32(?,00000052,?,00000004,?), ref: 0049D27D
#45.ODBC32(?,00000051,?,00000004,?), ref: 0049D299
#45.ODBC32(?,00000019,?,0000000A,?), ref: 0049D2CD
lstrcmpA.KERNEL32(?,004D7084), ref: 0049D2EE
#50.ODBC32(?,00000065,00000001), ref: 0049D30C
#45.ODBC32(?,0000001D,?,00000002,?,?,00000065,00000001), ref: 0049D31F

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: fa3869ca5064f8a9221138b7173846d1310e364d2340518b871544e2242bff26
Instruction ID: 06553f628eb458b7d073d438fa98baa7de1f3b70119ef1ce6c252c617136947f
Opcode Fuzzy Hash: fa3869ca5064f8a9221138b7173846d1310e364d2340518b871544e2242bff26
Instruction Fuzzy Hash: 93617171A00609AFEF21DFA1C846FAFBBBCAF09704F00446EE542A6191D778D945CB95

Function 0041A0E0 Relevance: 16.7, APIs: 11, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetCurrentObject.GDI32(?,00000001), ref: 0041A119
GetCurrentObject.GDI32(?,00000002), ref: 0041A163
GetCurrentObject.GDI32(?,00000006), ref: 0041A1AD
GetTextColor.GDI32(?), ref: 0041A1EC
GetBkMode.GDI32(?), ref: 0041A216
GetBkColor.GDI32(?), ref: 0041A235
GetBkMode.GDI32(?), ref: 0041A258
GetBkColor.GDI32(?), ref: 0041A277
GetROP2.GDI32(?), ref: 0041A29F
GetStretchBltMode.GDI32(?), ref: 0041A2C0
GetPolyFillMode.GDI32(?), ref: 0041A2EC

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Mode$ColorCurrentObject$FillPolyStretchText
String ID:
API String ID: 544274770-0
Opcode ID: 1fe36255a411c7ea20b0ca2fac7547daf4930abee5b2ea6792feb6d0720bcf99
Instruction ID: a3b749601110d371f8959c5dc3e69f5bdbefcf10c63d990f2aaead9d9c17884c
Opcode Fuzzy Hash: 1fe36255a411c7ea20b0ca2fac7547daf4930abee5b2ea6792feb6d0720bcf99
Instruction Fuzzy Hash: 41514C71211B01ABC764DB70C988FEBB3A5FF84301F140A1DE66B87261DB38B895CB59

Function 0046DC90 Relevance: 16.6, APIs: 11, Instructions: 108networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000102,?), ref: 0046DCDC
gethostname.WS2_32(?,00000064), ref: 0046DD12
gethostbyname.WS2_32(?), ref: 0046DD1C
WSACleanup.WS2_32 ref: 0046DD25

Part of subcall function 004B30CD: InterlockedDecrement.KERNEL32 ref: 004B30E1

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CleanupDecrementInterlockedStartupgethostbynamegethostname
String ID:
API String ID: 3948619351-0
Opcode ID: f412c9128eb4439f83ff029d25d78eadde3c42f2364cd2361f239fade1fdd8f0
Instruction ID: 90ae2fe92c8c9083e9cb7a68a28aeabde610866dd043825f4e8112d37631ff25
Opcode Fuzzy Hash: f412c9128eb4439f83ff029d25d78eadde3c42f2364cd2361f239fade1fdd8f0
Instruction Fuzzy Hash: 3441B371604340AAC724FFB6D886BAFB7E4EFC8714F508B1EF45547281EB7895048B6A

Function 0049C72E Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 171stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0049C733

Part of subcall function 004BD098: __EH_prolog.LIBCMT ref: 004BD09D

#10.ODBC32(?,00000001,?,?,?,?,000001FF,?,004BD8C6,?), ref: 0049C796
lstrcmpA.KERNEL32(?,00000,?,?,00000001,?,?,?,?,000001FF,?,004BD8C6,?), ref: 0049C7C5
wsprintfA.USER32 ref: 0049C7EE
#10.ODBC32(00000001,?,?,?,?,?,000001FF,?,00000000,?,?,004D704C,00000000,?,State:,?), ref: 0049C904

Part of subcall function 004B320A: lstrlenA.KERNEL32(?,?,?,004B0928,?), ref: 004B321B

Strings

State:, xrefs: 0049C893
,Native:%ld,Origin:, xrefs: 0049C7E8
LpM, xrefs: 0049C7A9
00000, xrefs: 0049C7BD

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: H_prolog$lstrcmplstrlenwsprintf
String ID: ,Native:%ld,Origin:$00000$LpM$State:
API String ID: 2705029906-2587881299
Opcode ID: 796d36e59410a2c666945b0f888aebac18dc1dfcf0870c5d20414ae1c06e165f
Instruction ID: 33b9b488ae9158954e9dc29f232064a02866bb7292f063c5827edbffe1bec629
Opcode Fuzzy Hash: 796d36e59410a2c666945b0f888aebac18dc1dfcf0870c5d20414ae1c06e165f
Instruction Fuzzy Hash: B9616B72C01109AACF05EFE1C985EEFBBB8AF18305F14406BE511A3182EB785B08CB75

Function 004196C0 Relevance: 15.3, APIs: 10, Instructions: 316windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004196FF
CreateCompatibleBitmap.GDI32 ref: 0041975B
CreateCompatibleDC.GDI32(?), ref: 0041978B
CreateRectRgn.GDI32(00000000,00000000,00000001,?), ref: 00419820
SetRect.USER32(?,00000000,00000000,00000001,?), ref: 00419849

Part of subcall function 00412800: __ftol.LIBCMT ref: 00412925
Part of subcall function 00412800: __ftol.LIBCMT ref: 00412932

FillRgn.GDI32(?,?,?), ref: 004198C6
PatBlt.GDI32(?,00000000,00000000,00000001,?,00F00021), ref: 00419939

Part of subcall function 0040DE80: GetSysColor.USER32(0000000F), ref: 0040DE8D

Part of subcall function 004B9E30: __EH_prolog.LIBCMT ref: 004B9E35
Part of subcall function 004B9E30: CreateSolidBrush.GDI32(?), ref: 004B9E52

GetObjectA.GDI32(?,00000018,?), ref: 004199B5
CreateCompatibleDC.GDI32(?), ref: 004199F3
BitBlt.GDI32(?,00000000,00000000,00000001,?,?,00000000,00000000,00CC0020), ref: 00419A52

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Create$CompatibleRect$__ftol$BitmapBrushClientColorFillH_prologObjectSolid
String ID:
API String ID: 2289681609-0
Opcode ID: db3eff02ce472da78508243a0faf2b5313839077bc9940a753fe1e9bd94b63b8
Instruction ID: d974d81ef98eb8755e3f2b6bc5b89e8b6c3cd3710955b44a9ff1c155253da557
Opcode Fuzzy Hash: db3eff02ce472da78508243a0faf2b5313839077bc9940a753fe1e9bd94b63b8
Instruction Fuzzy Hash: 1CC1BE712083419FD324DB65C895FABB7E8AF88744F04491EF18AC3291DB78EC48CB66

Function 0042C3D0 Relevance: 15.3, APIs: 10, Instructions: 288COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(00FFFFFF), ref: 0042C52F
GetWindowRect.USER32(?), ref: 0042C559
GetStockObject.GDI32(00000005), ref: 0042C587
LoadCursorA.USER32(00000000,00007F00), ref: 0042C595
GetWindowRect.USER32(?,?), ref: 0042C603
GetWindowRect.USER32(?,?), ref: 0042C614
GetWindowRect.USER32(?,?), ref: 0042C629
GetSystemMetrics.USER32(00000001), ref: 0042C63F
GetWindowRect.USER32(?,?), ref: 0042C6CA
OffsetRect.USER32(?,00000000,?), ref: 0042C6E4

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$Window$BrushCreateCursorLoadMetricsObjectOffsetSolidStockSystem
String ID:
API String ID: 3805611468-0
Opcode ID: d1ea06bbbf816e1850280b2dac2b0c10475054b10be789779dab364287e40a90
Instruction ID: b7d5dc099ee9f6595f2bfbd9f5489dd99fed04fe08310046f0f5194e78c50cce
Opcode Fuzzy Hash: d1ea06bbbf816e1850280b2dac2b0c10475054b10be789779dab364287e40a90
Instruction Fuzzy Hash: 37A1BF70304B01AFD324EF65D895B7FB7E5ABC4708F50492EF25687281DB78E8058B69

Function 004200F0 Relevance: 15.3, APIs: 10, Instructions: 281libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,004FD980), ref: 00420157
LoadLibraryA.KERNEL32(?,?,0050DF90), ref: 00420247
LoadLibraryA.KERNEL32(?,?), ref: 0042028D
LoadLibraryA.KERNEL32(?,?,0050DE98,00000001), ref: 004202D5
LoadLibraryA.KERNEL32(00000001), ref: 004202EB
GetProcAddress.KERNEL32(00000000,?), ref: 004202FD
FreeLibrary.KERNEL32(00000000), ref: 00420390

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Library$Load$AddressProc$Free
String ID:
API String ID: 3120990465-0
Opcode ID: 6320ec5dcea72e9e239ee787f0f4dd6a6932958f9e5ff8018b9f971ade88bc95
Instruction ID: 02fa0085f96d897d81d089cfcb643f0bf314616db0a9fb857d4425d2d0fcd3a4
Opcode Fuzzy Hash: 6320ec5dcea72e9e239ee787f0f4dd6a6932958f9e5ff8018b9f971ade88bc95
Instruction Fuzzy Hash: DAA1BE71600751AFC314EF65D880BABB3E4FF98714F44462EF81987352DB38AA05CBA9

Function 004192B0 Relevance: 15.2, APIs: 10, Instructions: 198windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9C33: __EH_prolog.LIBCMT ref: 004B9C38
Part of subcall function 004B9C33: BeginPaint.USER32(?,?,?,?,0047CAE2), ref: 004B9C61

Part of subcall function 004B97E4: GetClipBox.GDI32(?,?), ref: 004B97EB

GetClientRect.USER32(?,?), ref: 004192FE
IntersectRect.USER32(?,?,?), ref: 00419316
IsRectEmpty.USER32(?), ref: 00419346
GetObjectA.GDI32(?,00000018,?), ref: 0041937D
CreateCompatibleDC.GDI32(?), ref: 004193A3
IntersectRect.USER32(?,?,?), ref: 004193F8
IsRectEmpty.USER32(?), ref: 00419403
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 00419441
DPtoLP.GDI32(?,?,00000002), ref: 004194C6
IsWindow.USER32(?), ref: 00419528

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$EmptyIntersect$BeginClientClipCompatibleCreateH_prologObjectPaintWindow
String ID:
API String ID: 29348440-0
Opcode ID: 5df492181be499524f008764141ad7bfb874b06182a37c8c68291f45a717a3f2
Instruction ID: add4f6b1bcacd9c85a8a975a71813dd69bcc4c17aeb22f2ad955059291e4eb55
Opcode Fuzzy Hash: 5df492181be499524f008764141ad7bfb874b06182a37c8c68291f45a717a3f2
Instruction Fuzzy Hash: 93812BB15087459FC324CF25C884EABB7E9FBC8704F408E2EF59A83250DB34A905CB66

Function 0042ACA0 Relevance: 15.2, APIs: 10, Instructions: 179COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0042ACBD
GetWindowRect.USER32(?,?), ref: 0042ACCC
IntersectRect.USER32(?,?,?), ref: 0042AD25
EqualRect.USER32(?,?), ref: 0042AD55
GetWindowRect.USER32(?,?), ref: 0042AD73
OffsetRect.USER32(?,?,?), ref: 0042ADEA
OffsetRect.USER32(?,?,00000000), ref: 0042AE04
OffsetRect.USER32(?,?,00000000), ref: 0042AE1C
OffsetRect.USER32(?,00000000,?), ref: 0042AE36
OffsetRect.USER32(?,00000000,?), ref: 0042AE4E

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$Offset$Window$EqualIntersect
String ID:
API String ID: 2638238157-0
Opcode ID: 995ffc1a4b74bd4887caf349fc3024f6cb3ee149dde634538451d48e4fb3c3cb
Instruction ID: 21b62f3046ff2fa7af46ac3aa26956e8b4adca96a92ca0528d1b9b1ad507339f
Opcode Fuzzy Hash: 995ffc1a4b74bd4887caf349fc3024f6cb3ee149dde634538451d48e4fb3c3cb
Instruction Fuzzy Hash: AC511BB17183129FC708CF28D98496FBBEAABC8744F404A2EF985D3354DA74ED458B52

Function 00442740 Relevance: 15.1, APIs: 10, Instructions: 86COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000002E), ref: 00442751
GetSystemMetrics.USER32(0000002D), ref: 00442757
GetSystemMetrics.USER32(0000000A), ref: 0044275D
GetSystemMetrics.USER32(0000000A), ref: 00442768
GetSystemMetrics.USER32(00000009), ref: 00442776
GetSystemMetrics.USER32(00000009), ref: 00442782
GetWindowRect.USER32(?,?), ref: 004427A7
GetParent.USER32(?), ref: 004427AD
GetWindowRect.USER32(?,00000000), ref: 004427D2
SetRect.USER32(?,?,00000000,?,?), ref: 00442804

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MetricsSystem$Rect$Window$Parent
String ID:
API String ID: 3457858938-0
Opcode ID: 673b3df08fb6b4499dbdf2474eb9e2d0a27607ebc33ddac8f850d29a927e8a94
Instruction ID: 1babd5646b8901664cea4e1634fdc90c4a8cfcda2eabef80975a4a92bd8d9f09
Opcode Fuzzy Hash: 673b3df08fb6b4499dbdf2474eb9e2d0a27607ebc33ddac8f850d29a927e8a94
Instruction Fuzzy Hash: F32180B1604306ABD704DF78DD8496F77A9EBC4700F40092EF945D3281DBB4ED098BA6

Function 004B8FD9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 004B8FF5
GetStockObject.GDI32(0000000D), ref: 004B8FFD
GetObjectA.GDI32(00000000,0000003C,?), ref: 004B900A
GetDC.USER32(00000000), ref: 004B9019
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004B9030
MulDiv.KERNEL32(?,00000048,00000000), ref: 004B903C
ReleaseDC.USER32(00000000,00000000), ref: 004B9047

Strings

System, xrefs: 004B8FEE, 004B905D

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 0e11662f33c1a7fb4476e0b2f25ae3e82dc1d70f9096148ab646cd45213d6647
Instruction ID: a986a8a82a6d98b738f542393ef378ca7bb4b09bdbd11dec8afb71d7bc5349f5
Opcode Fuzzy Hash: 0e11662f33c1a7fb4476e0b2f25ae3e82dc1d70f9096148ab646cd45213d6647
Instruction Fuzzy Hash: 6E118671A00318ABEB50ABA5DC49FAE3B78AB55784F44402AFA05E6290D774AD41C7B8

Function 004ADA22 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,004A68F0,?,Microsoft Visual C++ Runtime Library,00012010,?,004D7884,?,004D78D4,?,?,?,Runtime Error!Program: ), ref: 004ADA34
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004ADA4C
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004ADA5D
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004ADA6A

Strings

MessageBoxA, xrefs: 004ADA46
user32.dll, xrefs: 004ADA2F
GetLastActivePopup, xrefs: 004ADA5F
GetActiveWindow, xrefs: 004ADA57

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 05f03c1fc595cad2998fce59328dd1abab8db3fb99ddf25733219cb7d11d6105
Instruction ID: 23e7623dccb78e308bd688503434b80a0412fc949a9e5871ab0b3a8c70c51733
Opcode Fuzzy Hash: 05f03c1fc595cad2998fce59328dd1abab8db3fb99ddf25733219cb7d11d6105
Instruction Fuzzy Hash: C7018875B087125F8710DFF59C80A6B7BE897BA784715043BF506C2621DB78C844EB6C

Function 00494F90 Relevance: 13.8, APIs: 9, Instructions: 282COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 00494FBC
__ftol.LIBCMT ref: 00494FC8
__ftol.LIBCMT ref: 00494FF8
__ftol.LIBCMT ref: 00495006
GetClientRect.USER32(?,?), ref: 0049502C

Part of subcall function 00491F30: IntersectRect.USER32(?,?,?), ref: 00491FC3
Part of subcall function 00491F30: IsRectEmpty.USER32(?), ref: 00491FEE

IsWindow.USER32(?), ref: 0049515C
__ftol.LIBCMT ref: 004951DE
__ftol.LIBCMT ref: 004951E7
IsWindow.USER32(?), ref: 004952B9

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: __ftol$Rect$Window$ClientEmptyIntersect
String ID:
API String ID: 4092543106-0
Opcode ID: 36f334157bc5afd43db9f19e9d28279b9879132cd579cce7c0b51cffbc6e5e30
Instruction ID: ec8eab76cc8df95e1a0ffccbfd796f439c4e4806b54de0c02b9f3c0bef74fdac
Opcode Fuzzy Hash: 36f334157bc5afd43db9f19e9d28279b9879132cd579cce7c0b51cffbc6e5e30
Instruction Fuzzy Hash: AAA138B16087059FDB14DF69D880A2BBBE5BFC8704F244A2EF98987351DB38E805CB55

Function 00412800 Relevance: 13.8, APIs: 9, Instructions: 272COMMON

Download Yara Rule

APIs

Part of subcall function 0042F6D0: CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 0042F75C
Part of subcall function 0042F6D0: CreateCompatibleDC.GDI32(?), ref: 0042F76E
Part of subcall function 0042F6D0: CreateCompatibleDC.GDI32(?), ref: 0042F777
Part of subcall function 0042F6D0: SelectObject.GDI32(00000000,?), ref: 0042F786
Part of subcall function 0042F6D0: CreateCompatibleBitmap.GDI32(?,?,?), ref: 0042F799
Part of subcall function 0042F6D0: SelectObject.GDI32(?,00000000), ref: 0042F7A9
Part of subcall function 0042F6D0: BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0042F7C9
Part of subcall function 0042F6D0: SelectObject.GDI32(00000000,?), ref: 0042F7D5
Part of subcall function 0042F6D0: DeleteDC.GDI32(00000000), ref: 0042F7E2
Part of subcall function 0042F6D0: SelectObject.GDI32(?,?), ref: 0042F7EA
Part of subcall function 0042F6D0: DeleteDC.GDI32(?), ref: 0042F7F1

__ftol.LIBCMT ref: 00412925
__ftol.LIBCMT ref: 00412932
CreateRectRgn.GDI32(00000000,?,00000000,?), ref: 004129A4
CombineRgn.GDI32(?,?,004CCE08,00000004), ref: 004129CA
SetRect.USER32(?,00000000,?,?,?), ref: 00412A16
IntersectRect.USER32(?,?,?), ref: 00412A2E
IsRectEmpty.USER32(?), ref: 00412A59
CreateRectRgn.GDI32(00000000,?,?,00000000), ref: 00412AFE
CombineRgn.GDI32(?,?,004CCE08,00000004), ref: 00412B24

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Create$Rect$ObjectSelect$Compatible$BitmapCombineDelete__ftol$EmptyIntersect
String ID:
API String ID: 909876544-0
Opcode ID: d694f40222ef19d806b609f017460e8db42a86432bec50af8cc20d782304441e
Instruction ID: a8ef7cce5e17dab5a5e0b172ef211b03c28a1950a9deccad9028500fe7c91032
Opcode Fuzzy Hash: d694f40222ef19d806b609f017460e8db42a86432bec50af8cc20d782304441e
Instruction Fuzzy Hash: 1CA18CB16087419FC320DF29C984A9BBBE9FBC8740F504A2DF595C3250EB74E848CB96

Function 004AE262 Relevance: 13.7, APIs: 9, Instructions: 221COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,004D7B0C,00000001,004D7B0C,00000001,00000000,025511DC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,004A19A0), ref: 004AE2A0
CompareStringA.KERNEL32(00000000,00000000,004D7B08,00000001,004D7B08,00000001), ref: 004AE2BD
CompareStringA.KERNEL32(00460576,00000000,00000000,00000000,004A19A0,00000000,00000000,025511DC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,004A19A0), ref: 004AE31B
GetCPInfo.KERNEL32(00000000,00000000,00000000,025511DC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,004A19A0,00000000), ref: 004AE36C
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000), ref: 004AE3EB
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 004AE44C
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 004AE45F
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 004AE4AB
CompareStringW.KERNEL32(00460576,00000000,00000000,00000000,?,00000000,?,00000000), ref: 004AE4C3

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: e5653a951a5adb9f318630f716bd0d99df2b3906c5cead7fc3ac980c07f87be5
Instruction ID: a9f400757650de66f3e2f251a0b73a24c04db6727763f7ae689ee30e23e09f05
Opcode Fuzzy Hash: e5653a951a5adb9f318630f716bd0d99df2b3906c5cead7fc3ac980c07f87be5
Instruction Fuzzy Hash: F071A132900149EFCF219F568C819EF7FBAEB6A314F14452BF925A3260D3398C91DB59

Function 00498D90 Relevance: 13.7, APIs: 9, Instructions: 183COMMON

Download Yara Rule

APIs

#3.ODBC32(?,?), ref: 00498DBE
#19.ODBC32(?,?,000000FD,?,00000000,?,?,?), ref: 00498E07
#72.ODBC32(?,?,00000001,00000001,000000FF,00000000,00000000,?,00000000,FFFFFFFD,?,?,00000001,000000FE,000000FC,00000001), ref: 00498E6E
#72.ODBC32(?,?,00000001,000000FE,000000FC,00000001,00000000,?,00000001,00000001,?,00000000,?,?,?,000000FD), ref: 00498E8F
#12.ODBC32(?,?,00000000,?,?,?,000000FD,?,00000000,?,?,?), ref: 00498E9E

Part of subcall function 0049C622: __EH_prolog.LIBCMT ref: 0049C627

#18.ODBC32(?,?,?,00000000,?,?,?,00000000,?,?,?,000000FD,?,00000000,?,?), ref: 00498ECF
#13.ODBC32(?,?,?,?,00000000,?,?,?,00000000,?,?,?,000000FD,?,00000000,?), ref: 00498EE5
#61.ODBC32(?,?,?,?,00000000,?,?,?,00000000,?,?,?,000000FD,?,00000000,?), ref: 00498F0B
#16.ODBC32(?,00000001,?,00000000,?,?,?,?,?,00000000,?,?,?,00000000,?,?), ref: 00498F3F

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4cbcca0a9245ab1a9316afe14fb7b87a0fa23f8b02ed5fec53061743eb63d6e8
Instruction ID: 578dee8b68bd28bb4d6b628b371bbd46e88b151cee4234854fac336bec845deb
Opcode Fuzzy Hash: 4cbcca0a9245ab1a9316afe14fb7b87a0fa23f8b02ed5fec53061743eb63d6e8
Instruction Fuzzy Hash: C151D871900115ABDF20EBA9CC85EBF7B79DF56724F20422EF415A7281CA389D01C775

Function 004A9C84 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,004D7B0C,00000001,00000000,00000000,?,?,?), ref: 004A9CC6
LCMapStringA.KERNEL32(00000000,00000100,004D7B08,00000001,00000000,00000000), ref: 004A9CE2
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?), ref: 004A9D2B
MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,00000000,?,?,?), ref: 004A9D63
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,?,00000000), ref: 004A9DBB
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 004A9DD1
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 004A9E04
LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 004A9E6C

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: af8e04ff0b9ab353b5b6ee8cd29ac577016ab147e9c56b230aff7e5dd71277a0
Instruction ID: 62664269229d0b17e33011252718220418c33f6d5ff532ad24a0f2bf075ebf2f
Opcode Fuzzy Hash: af8e04ff0b9ab353b5b6ee8cd29ac577016ab147e9c56b230aff7e5dd71277a0
Instruction Fuzzy Hash: 7C518F31500609ABCF21CF54CC45EEF7FB4FBAA754F24411AF815A12A1D3399D61EB68

Function 0042AA40 Relevance: 13.6, APIs: 9, Instructions: 118COMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0042AA46
ClientToScreen.USER32(?,?), ref: 0042AA83
OffsetRect.USER32(?,?,?), ref: 0042AAAC
GetParent.USER32(?), ref: 0042AAB2

Part of subcall function 004B9939: ScreenToClient.USER32(?,?), ref: 004B994D
Part of subcall function 004B9939: ScreenToClient.USER32(?,?), ref: 004B9956

GetClientRect.USER32(?,?), ref: 0042AAD5
OffsetRect.USER32(?,?,00000000), ref: 0042AAF3
OffsetRect.USER32(?,?,00000000), ref: 0042AB0B
OffsetRect.USER32(?,00000000,?), ref: 0042AB29
OffsetRect.USER32(?,00000000,?), ref: 0042AB49

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$Offset$Client$Screen$CaptureParent
String ID:
API String ID: 838496554-0
Opcode ID: 4c8a45724b4363d8c0de228d13fc9bebad7fed08a3db5ca49bc031bfe77570f7
Instruction ID: b3063bee737d7b23ecc670a1bf0cea638672b6d6aebc600af0ce7302d588270f
Opcode Fuzzy Hash: 4c8a45724b4363d8c0de228d13fc9bebad7fed08a3db5ca49bc031bfe77570f7
Instruction Fuzzy Hash: 774109B5208301AFD718DF68D984D6FB7E9EBC8704F408A1DF986C3251DA74ED44CA66

Function 00428140 Relevance: 13.6, APIs: 9, Instructions: 85windowCOMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,?,00000001,?,?,?,?), ref: 0042815A
GetTopWindow.USER32(?), ref: 00428160
IsWindowVisible.USER32(00000000), ref: 00428171
GetWindowLongA.USER32(00000000,000000EC), ref: 00428182
GetClientRect.USER32(00000000,?), ref: 004281D5
IntersectRect.USER32(?,?,?), ref: 004281EA
IsRectEmpty.USER32(?), ref: 004281F5
InvalidateRect.USER32(00000000,00000000,00000000,?,?,?,?), ref: 00428206
GetWindow.USER32(00000000,00000002), ref: 0042820B

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$Window$Invalidate$ClientEmptyIntersectLongVisible
String ID:
API String ID: 938479747-0
Opcode ID: 94c4e5c0b3b6c2658382a968dc5bf048cc00cc648fe79dc172405eedb4473c9d
Instruction ID: 2288de502393c81bae184fbc9d1d7921e801dd2a20b2d1c7861b7b0cd4957835
Opcode Fuzzy Hash: 94c4e5c0b3b6c2658382a968dc5bf048cc00cc648fe79dc172405eedb4473c9d
Instruction Fuzzy Hash: 2B219CB1205B16AFD310DF55DC84DAFB7ACFF98304B404A2DF54593240DB38E9498BAA

Function 004B09B5 Relevance: 13.6, APIs: 9, Instructions: 80windowstringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,0000000C,?,?,0042C859,?,-00000001,00000000,?,?,?,004EED40), ref: 004B09BF
GetFocus.USER32 ref: 004B09DA

Part of subcall function 004B501F: UnhookWindowsHookEx.USER32(?), ref: 004B5044

IsWindowEnabled.USER32(?), ref: 004B0A03
EnableWindow.USER32(?,00000000), ref: 004B0A15
GetOpenFileNameA.COMDLG32(?,?), ref: 004B0A40
GetSaveFileNameA.COMDLG32(?,?), ref: 004B0A47
EnableWindow.USER32(?,00000001), ref: 004B0A5E
IsWindow.USER32(?), ref: 004B0A64
SetFocus.USER32(?), ref: 004B0A72

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$EnableFileFocusName$EnabledHookOpenSaveUnhookWindowslstrlen
String ID:
API String ID: 3606897497-0
Opcode ID: 1e967080e8c62ae396f74dc39ba4d6f57717f652e7101cb39bc8a1c6dec03f6e
Instruction ID: 2fcb3e922ca23bc96ef34f96cdb82730e404cf90e3aa56c79178ebc565826376
Opcode Fuzzy Hash: 1e967080e8c62ae396f74dc39ba4d6f57717f652e7101cb39bc8a1c6dec03f6e
Instruction Fuzzy Hash: A821A471200700ABD720AF72EC4AFAF77E4EF94305F00482EF59686292DB79E8558779

Function 0049E48F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0049E494
#11.ODBC32(000000FF,?,000000FD,?,?,?,?,?,?,?,State:S1C00), ref: 0049E4BA
#19.ODBC32(00000001,?,000000FD,?,?,00000000,?,?,0049A6C6,000000FF,00000000,00000000,?), ref: 0049E4D0
#51.ODBC32(000000FF,00000007,00000001,?,?,?,?,?,?,?,State:S1C00), ref: 0049E588
#12.ODBC32(00000001,?,00000000,?,?,0049A6C6,000000FF,00000000,00000000,?), ref: 0049E5C8
#46.ODBC32(00000001,00000007,?,?,00000000,?,?,0049A6C6,000000FF,00000000,00000000,?), ref: 0049E606

Strings

State:S1C00, xrefs: 0049E52D

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: H_prolog
String ID: State:S1C00
API String ID: 3519838083-3597892918
Opcode ID: 05a7a9408a441ced9cf15adf0616fb61b6f0a8b58ba83d6f65149e08dfafa9b8
Instruction ID: c3d07aa83795e67e73a510398ea3cc36c2631a47a7db087baa39f4248fbafc30
Opcode Fuzzy Hash: 05a7a9408a441ced9cf15adf0616fb61b6f0a8b58ba83d6f65149e08dfafa9b8
Instruction Fuzzy Hash: 6351B231200600AFDF24DFA6C845BAFBBE6AF54718F15093FE056D72A0DB78AD019B19

Function 0042CE50 Relevance: 12.4, APIs: 8, Instructions: 368windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 0042CFCE
AppendMenuA.USER32(?,?,00000000,?), ref: 0042D131
AppendMenuA.USER32(?,00000000,00000000,?), ref: 0042D169
ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 0042D187
AppendMenuA.USER32(?,?,00000000,?), ref: 0042D1E5
ModifyMenuA.USER32(?,?,?,?,?), ref: 0042D20A
AppendMenuA.USER32(?,?,?,?), ref: 0042D252
ModifyMenuA.USER32(?,?,?,?,?), ref: 0042D277

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Menu$Append$Modify$CreatePopup
String ID:
API String ID: 3846898120-0
Opcode ID: 7cbc9e9bad142f737e87d189621cd776070e0abb25f1e3d2374e39574c78842f
Instruction ID: 73af250225f3992f8e505edaea350d14a4512e73759031e451cb56b81d020b18
Opcode Fuzzy Hash: 7cbc9e9bad142f737e87d189621cd776070e0abb25f1e3d2374e39574c78842f
Instruction Fuzzy Hash: F7D1CB71A043618BC718DF19D880A6BBBE4FF89754F54492EF88993350D738ED05CB9A

Function 004A67CC Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 004A6839
GetStdHandle.KERNEL32(000000F4,004D7884,00000000,?,00000000,?), ref: 004A690F
WriteFile.KERNEL32(00000000), ref: 004A6916

Strings

Microsoft Visual C++ Runtime Library, xrefs: 004A68E5
<program name unknown>, xrefs: 004A6849
..., xrefs: 004A688B
Runtime Error!Program: , xrefs: 004A689F

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: cd7bdc27a97440946c9db14606d5f6faea1219470df42bf4b375bda26e0311e8
Instruction ID: c8393c5aecbaedb68f82df14d7276be9afe25bd35aeceafdc6398a0117e18cbc
Opcode Fuzzy Hash: cd7bdc27a97440946c9db14606d5f6faea1219470df42bf4b375bda26e0311e8
Instruction Fuzzy Hash: A731F672A002086EEF20AA61CC49FAB736CEB56704F14046BF141E2150E6BC9A80CB5D

Function 0049EADE Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0049EAE3

Part of subcall function 0049EC37: __EH_prolog.LIBCMT ref: 0049EC3C
Part of subcall function 0049EC37: lstrlenA.KERNEL32(?,00000000,?,75570440,004D6FF4,0049A674,?,?,?,?,0049EAD3,0049A674), ref: 0049ED11

Strings

ORDER BY , xrefs: 0049EB49
UNION , xrefs: 0049EB29
FROM , xrefs: 0049EAFD
GROUP BY , xrefs: 0049EB18
WHERE , xrefs: 0049EB3C

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: H_prolog$lstrlen
String ID: FROM $ GROUP BY $ ORDER BY $ UNION $ WHERE
API String ID: 3243491680-4124641992
Opcode ID: 8f6448385a6285b80e4c81d2952b6eefa6433ab8ce47a2f1a827d447cb6b014e
Instruction ID: a8d4b8372ca1f2c09f019b9cf0d7e986698077e4369ff1f21b3a09944f7c3608
Opcode Fuzzy Hash: 8f6448385a6285b80e4c81d2952b6eefa6433ab8ce47a2f1a827d447cb6b014e
Instruction Fuzzy Hash: 3E319E31500219ABCF11EF66CC51FEF7F68AF10758F10413FF812A6291EB79AE4586A8

Function 00434030 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93networkCOMMON

Download Yara Rule

APIs

accept.WS2_32 ref: 00434074

Strings

P, xrefs: 0043406C
%s:%d, xrefs: 004340EE

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: accept
String ID: %s:%d$P
API String ID: 3005279540-612342447
Opcode ID: 2cab8da359a4a19f107319068ef1410285ab2f3f69cd20a3652a3172efb1babe
Instruction ID: eb65a2c3db8887db267035c53e2d8ab2f0f06ea9a7ee16b7c1a59e66e638373d
Opcode Fuzzy Hash: 2cab8da359a4a19f107319068ef1410285ab2f3f69cd20a3652a3172efb1babe
Instruction Fuzzy Hash: D2316131104A019FE724EB28DC98DAFB3E8FFD4325F504A2EF5A1D22D0E674A9498B55

Function 00416AB0 Relevance: 12.3, APIs: 8, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd319a2e95af577846532b248b245345f34cfb63142fc56a95db30b870bca29
Instruction ID: d97034561c883b415132a7759398ed9e784abd69646dac38031029a9905dce74
Opcode Fuzzy Hash: 9dd319a2e95af577846532b248b245345f34cfb63142fc56a95db30b870bca29
Instruction Fuzzy Hash: B4C1A2B16087419FD334DF29C845AABB7F5EF85314F104A2EE59687781C738E888CB66

Function 004BDE09 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 004BDE37
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 004BDE5A
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 004BDE79
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004BDE89
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004BDE93

Strings

hu, xrefs: 004BDE7E
software, xrefs: 004BDE21

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CloseCreate$Open
String ID: hu$software
API String ID: 1740278721-1536618987
Opcode ID: 328003cd211aae7b1446f1c6053b47989441e8ccbcf47302f22f0721f764878c
Instruction ID: adb2e8fc8a34a6e0c8d8a05076f7ef146d34e8beb56560195020a7869abc2df8
Opcode Fuzzy Hash: 328003cd211aae7b1446f1c6053b47989441e8ccbcf47302f22f0721f764878c
Instruction Fuzzy Hash: 2611E672D00158FBDB21DB96CC88DEFFFBCEF99704B1000AAA504A2121E2719A40DBA4

Function 0046CCB0 Relevance: 12.3, APIs: 8, Instructions: 306COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 0046D008
__ftol.LIBCMT ref: 0046D025
__ftol.LIBCMT ref: 0046D041
__ftol.LIBCMT ref: 0046D05B
__ftol.LIBCMT ref: 0046D079
__ftol.LIBCMT ref: 0046D097
__ftol.LIBCMT ref: 0046D0B3
__ftol.LIBCMT ref: 0046D0CD

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: __ftol
String ID:
API String ID: 495808979-0
Opcode ID: 1781033fd3b3dce726b3f0126b69e602e4a864de51b913cebd712899f08978cc
Instruction ID: 64132c318f3f32835c3f46d20683741564325f71b04cae657f5bc484b15e68fc
Opcode Fuzzy Hash: 1781033fd3b3dce726b3f0126b69e602e4a864de51b913cebd712899f08978cc
Instruction Fuzzy Hash: E6D15372A09342DFD3019F21D08965ABFB0FFD5744FAA0999E0D56626AE3308578CF86

Function 00429A40 Relevance: 12.2, APIs: 8, Instructions: 181windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9C33: __EH_prolog.LIBCMT ref: 004B9C38
Part of subcall function 004B9C33: BeginPaint.USER32(?,?,?,?,0047CAE2), ref: 004B9C61

Part of subcall function 004B97E4: GetClipBox.GDI32(?,?), ref: 004B97EB

IsRectEmpty.USER32(?), ref: 00429A8D
GetSysColor.USER32(0000000F), ref: 00429A9E

Part of subcall function 004B9E30: __EH_prolog.LIBCMT ref: 004B9E35
Part of subcall function 004B9E30: CreateSolidBrush.GDI32(?), ref: 004B9E52

Part of subcall function 004B93C7: SelectObject.GDI32(0040E855,00000000), ref: 004B93E9
Part of subcall function 004B93C7: SelectObject.GDI32(0040E855,?), ref: 004B93FF

PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00429AE8
GetClientRect.USER32(?,?), ref: 00429B01
LoadBitmapA.USER32(?,?), ref: 00429B38
GetObjectA.GDI32(?,00000018,?), ref: 00429B87
CreateCompatibleDC.GDI32(?), ref: 00429BAD
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00429C3F

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Object$CreateH_prologRectSelect$BeginBitmapBrushClientClipColorCompatibleEmptyLoadPaintSolid
String ID:
API String ID: 1390316934-0
Opcode ID: 0aa0057d8ec80548b57b04858511ebe9fd5a00eff98c6d064e760cd40958b01f
Instruction ID: 24670a7c458ea1a42096b7c08d855a48a50f22fdd1ba95cb98d1e15d43de78b7
Opcode Fuzzy Hash: 0aa0057d8ec80548b57b04858511ebe9fd5a00eff98c6d064e760cd40958b01f
Instruction Fuzzy Hash: B8615D712187819FD314DB65C845FAFBBE8FBD5704F048A2DF59983280DB78A904CB66

Function 004A6205 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,004A1119), ref: 004A6220
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,004A1119), ref: 004A6234
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,004A1119), ref: 004A6260
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,004A1119), ref: 004A6298
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,004A1119), ref: 004A62BA
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,004A1119), ref: 004A62D3
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,004A1119), ref: 004A62E6
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004A6324

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: f2660ec5e90ec61ba2e469ed93fd699158c2e5fbb2009b8c1a4784adf75cd366
Instruction ID: 18265c6d805ebcf5cbf6fcd4dc00d70e24c14227af294e50e0405b7006b2004d
Opcode Fuzzy Hash: f2660ec5e90ec61ba2e469ed93fd699158c2e5fbb2009b8c1a4784adf75cd366
Instruction Fuzzy Hash: 4231D2739052255F9B203F785C8493FBA9CEA7731871B05BBF951C3200E6299C82976E

Function 0048EC70 Relevance: 12.1, APIs: 8, Instructions: 86COMMON

Download Yara Rule

APIs

CreatePen.GDI32(00000000,004824E6,?), ref: 0048ECC9
SelectObject.GDI32(?,00000000), ref: 0048ECD9
MoveToEx.GDI32(?,?,?,00000000), ref: 0048ECF0
LineTo.GDI32(?,?,?), ref: 0048ED01
MoveToEx.GDI32(?,?,?,00000000), ref: 0048ED31
LineTo.GDI32(?,?,?), ref: 0048ED3E
SelectObject.GDI32(?,?), ref: 0048ED4A
DeleteObject.GDI32(?), ref: 0048ED55

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Object$LineMoveSelect$CreateDelete
String ID:
API String ID: 1619934446-0
Opcode ID: 031483d82ce46da6a5269922eadc1e86776764178d1cdb0c3b299491752e731a
Instruction ID: 5dd1895028cd7784cc74deac584749395b123cd0ad2311e701c72d1452344df2
Opcode Fuzzy Hash: 031483d82ce46da6a5269922eadc1e86776764178d1cdb0c3b299491752e731a
Instruction Fuzzy Hash: D4214871608204AFD3009B66DC48E2FBBE9FBC9754F144A2EF541D3250D778AD818BAA

Function 00441BD0 Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 00441CA1

Part of subcall function 004B7504: IsWindowEnabled.USER32(?), ref: 004B750E

GetClientRect.USER32(?,?), ref: 00441BF7
PtInRect.USER32(?,?,?), ref: 00441C0C
ClientToScreen.USER32(?,?), ref: 00441C1D
WindowFromPoint.USER32(?,?), ref: 00441C2D
ReleaseCapture.USER32 ref: 00441C47
GetCapture.USER32 ref: 00441C61
SetCapture.USER32(?), ref: 00441C6C

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Capture$ClientRectReleaseWindow$EnabledFromPointScreen
String ID:
API String ID: 3076215760-0
Opcode ID: af5b70d593223f43a3de26fb35ccffa61677d44b225b841de76117e0e4b7f92e
Instruction ID: 31fda57ae1d91f03da758fa37fde512b6b842b4e86b72755296d8784ae944407
Opcode Fuzzy Hash: af5b70d593223f43a3de26fb35ccffa61677d44b225b841de76117e0e4b7f92e
Instruction Fuzzy Hash: 7121F8352406009FE310EB28DC89E7F73E6AFC4314F44491EF98582361EB39E8858B69

Function 00415A70 Relevance: 12.1, APIs: 8, Instructions: 55COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00415A8C
PtInRect.USER32(?,?,?), ref: 00415AA1
ReleaseCapture.USER32 ref: 00415AB1
InvalidateRect.USER32(?,00000000,00000000), ref: 00415ABF
GetCapture.USER32 ref: 00415ACF
SetCapture.USER32(?), ref: 00415ADA
InvalidateRect.USER32(?,00000000,00000000), ref: 00415AFB
SetCapture.USER32(?), ref: 00415B05

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CaptureRect$Invalidate$ClientRelease
String ID:
API String ID: 3559558096-0
Opcode ID: 3c38aa3d912e24a91bd56f3efdecd3533f51aafb5af7cdedd9e329a1a73db2b4
Instruction ID: 40e28243fb69392cdf44d5b2be3f604ac0f85d39ab81416f42f84dfaffbbc294
Opcode Fuzzy Hash: 3c38aa3d912e24a91bd56f3efdecd3533f51aafb5af7cdedd9e329a1a73db2b4
Instruction Fuzzy Hash: BA111C75600B109FD760EB64DC89FDB77B8BB94701F408A1EF58686250EB34F8858B58

Function 0041C430 Relevance: 10.8, APIs: 7, Instructions: 268windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0041C46D
GetParent.USER32(?), ref: 0041C47F
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 0041C4A7
GetWindowRect.USER32(?,?), ref: 0041C531
InvalidateRect.USER32(?,?,00000001,?), ref: 0041C554
GetWindowRect.USER32(?,?), ref: 0041C71C
InvalidateRect.USER32(?,?,00000001,?), ref: 0041C73D

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$Window$Invalidate$MessageParentSend
String ID:
API String ID: 236041146-0
Opcode ID: bdbec4a5c70d5d55323728e218b801435281d95a9804e2e6097e99e1f800cdbd
Instruction ID: f10c4b6368722a18b1e7aac54f4fce7e71cfb649eccd3e857400991f85ef87cb
Opcode Fuzzy Hash: bdbec4a5c70d5d55323728e218b801435281d95a9804e2e6097e99e1f800cdbd
Instruction Fuzzy Hash: 6491F4716443029BD724EF25CC80FAB73E4AF84758F04461EF9599B392DB38ED818B99

Function 004510B0 Relevance: 10.8, APIs: 7, Instructions: 260windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004510DD
GetParent.USER32(?), ref: 004510E9
GetClientRect.USER32(?,?), ref: 004510FA

Part of subcall function 004B9975: ClientToScreen.USER32(0040FF58,?), ref: 004B9989
Part of subcall function 004B9975: ClientToScreen.USER32(0040FF58,?), ref: 004B9992

GetParent.USER32(?), ref: 0045110C

Part of subcall function 004B9939: ScreenToClient.USER32(?,?), ref: 004B994D
Part of subcall function 004B9939: ScreenToClient.USER32(?,?), ref: 004B9956

Part of subcall function 004B9ACB: __EH_prolog.LIBCMT ref: 004B9AD0
Part of subcall function 004B9ACB: GetDC.USER32(?), ref: 004B9AF9

SendMessageA.USER32 ref: 0045113F

Part of subcall function 004B93C7: SelectObject.GDI32(0040E855,00000000), ref: 004B93E9
Part of subcall function 004B93C7: SelectObject.GDI32(0040E855,?), ref: 004B93FF

GetTextExtentPoint32A.GDI32(?,004F12B8,00000001,?), ref: 0045116C
EqualRect.USER32(?,?), ref: 0045132A

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Client$Screen$Rect$ObjectParentSelect$EqualExtentH_prologMessagePoint32SendText
String ID:
API String ID: 98060165-0
Opcode ID: 2b75b9cde109254bd4c781ba847240818e5f7ca0df6f1d53e3a7b4eed64d7e24
Instruction ID: 548020527967e4a1d2c9d0cda20dd20aaa2722023fda6adbf633e557e5666522
Opcode Fuzzy Hash: 2b75b9cde109254bd4c781ba847240818e5f7ca0df6f1d53e3a7b4eed64d7e24
Instruction Fuzzy Hash: 4C917C712087419FC718CF29C881B6BB7E5ABC8305F144A2EF996C3362D778E949CB56

Function 00492810 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 004B9C33: __EH_prolog.LIBCMT ref: 004B9C38
Part of subcall function 004B9C33: BeginPaint.USER32(?,?,?,?,0047CAE2), ref: 004B9C61

GetClientRect.USER32(?,?), ref: 0049285E
SetDIBitsToDevice.GDI32(?,?,?,?,?,?,?,00000000,?,?,00000028,00000000), ref: 00492A32
Rectangle.GDI32(?,?,?,?,?), ref: 00492AB9

Strings

, xrefs: 00492A27
(, xrefs: 004929FE
$<M, xrefs: 00492AD1

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: BeginBitsClientDeviceH_prologPaintRectRectangle
String ID: $$<M$(
API String ID: 1653000045-4233050320
Opcode ID: 4a220ebb0f912f3a13a96f87986976f3774ad4f8e90e085f65783634d92ecdd8
Instruction ID: eeb372ef65cabfac017b60a3efc1c8648862335bbaf1bdf069ca052a5d53a997
Opcode Fuzzy Hash: 4a220ebb0f912f3a13a96f87986976f3774ad4f8e90e085f65783634d92ecdd8
Instruction Fuzzy Hash: B291BC71204706AFD728CF25C884BABB7E5FBC8704F108A2DF59987290D774E805CBA6

Function 00474C70 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00474C95

Part of subcall function 004B54D0: GetWindowTextLengthA.USER32(?), ref: 004B54DD
Part of subcall function 004B54D0: GetWindowTextA.USER32(?,00000000,00000000), ref: 004B54F5

GetCurrentObject.GDI32(?,00000006), ref: 00474D05
OffsetRect.USER32(?,00000001,00000001), ref: 00474DCC

Part of subcall function 004B30CD: InterlockedDecrement.KERNEL32 ref: 004B30E1

Strings

|0M, xrefs: 00474CEA

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: RectTextWindow$ClientCurrentDecrementInterlockedLengthObjectOffset
String ID: |0M
API String ID: 2119403043-1971405816
Opcode ID: 8a4dc391ab7bb1956d640b90160989df0db90d5dd632720fe13cd1121369145f
Instruction ID: 0744fe7eb2f29e518e9d5cc64d670669133effc866d362d2ccd9fd439eef4530
Opcode Fuzzy Hash: 8a4dc391ab7bb1956d640b90160989df0db90d5dd632720fe13cd1121369145f
Instruction Fuzzy Hash: 398126B52083409FC724DF55C884AAEB7E9BFC8710F108A1EF99987390C778E945CB66

Function 004961D0 Relevance: 10.7, APIs: 7, Instructions: 210COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004961F0
AVIStreamInfoA.AVIFIL32(?,?,0000008C), ref: 00496204
__ftol.LIBCMT ref: 004962C8
__ftol.LIBCMT ref: 004962D8
GetWindowRect.USER32(?,?), ref: 00496354
GetParent.USER32(?), ref: 0049635E
OffsetRect.USER32(00000000,00000000,00000000), ref: 004963AD

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$__ftol$ClientInfoOffsetParentStreamWindow
String ID:
API String ID: 1727993661-0
Opcode ID: d14576237ca593283202490ef10c5ebf6195b874601597d52c08e3b14cafa2b4
Instruction ID: 852fdd75d5b8d589cdd3ad3febc22ccedfdb736bf2d9716376118d2f42813749
Opcode Fuzzy Hash: d14576237ca593283202490ef10c5ebf6195b874601597d52c08e3b14cafa2b4
Instruction Fuzzy Hash: 3B619EB16087019FD724DF7DC984A2BBBE5EBC8340F454A3EF985C3650EA35E8058B56

Function 0040C290 Relevance: 10.7, APIs: 7, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0040C424
TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C483
DestroyMenu.USER32(00000000), ref: 0040C48A
SetForegroundWindow.USER32(?), ref: 0040C4A0
TrackPopupMenu.USER32(00000000,00000008,?,?,00000000,?,00000000), ref: 0040C4C1
PostMessageA.USER32(?,00000000,00000000,00000000), ref: 0040C4D1
DestroyMenu.USER32(00000000), ref: 0040C4D8

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Menu$DestroyPopupTrack$CursorForegroundMessagePostWindow
String ID:
API String ID: 1044074573-0
Opcode ID: 3549215a117a1639944df91f0337281cfecd716cce22744f3154b4d7b4fc15a1
Instruction ID: 71f00ccd9088fa2ba5815b7f68471144f0f9310dc842aaba63b12a1e85ac090f
Opcode Fuzzy Hash: 3549215a117a1639944df91f0337281cfecd716cce22744f3154b4d7b4fc15a1
Instruction Fuzzy Hash: 4461B171644601ABC314EF15CC91F6BB3E9FF88704F44462DF949AB282D738E9058BEA

Function 004767C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 004AFA65: EnterCriticalSection.KERNEL32(00541748,?,?,?,004894BD,?,?,?,?,?,?,?,00000000,0047C210,?,?), ref: 004AFAD7

SetRectEmpty.USER32 ref: 00476958
GetSysColor.USER32(00000018), ref: 00476984
GetSysColor.USER32(00000017), ref: 00476994
GetClassInfoA.USER32(?,CPPToolTip,?), ref: 00476A31
LoadCursorA.USER32(?,00007F00), ref: 00476A62

Part of subcall function 004B56A5: __EH_prolog.LIBCMT ref: 004B56AA
Part of subcall function 004B56A5: GetClassInfoA.USER32(?,?,?), ref: 004B56C5
Part of subcall function 004B56A5: RegisterClassA.USER32(?), ref: 004B56D0

Strings

CPPToolTip, xrefs: 00476A2B, 00476A79

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Class$ColorInfo$CriticalCursorEmptyEnterH_prologLoadRectRegisterSection
String ID: CPPToolTip
API String ID: 2235078592-2052495831
Opcode ID: 7e5817aa13398d62e1377550da85ed2c86ac7ced8ebabebc50347ff0c3bfe4fd
Instruction ID: cb13acca07d4a83543f7d186ed00dd92b2ecd7d0560f9c308bfd963e0b3c661d
Opcode Fuzzy Hash: 7e5817aa13398d62e1377550da85ed2c86ac7ced8ebabebc50347ff0c3bfe4fd
Instruction Fuzzy Hash: 9A81A3B0605B419FD311DF2A8881B9EFBE4BF99704F40482EF19E97391CBB86905CB59

Function 0042EAA0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

SetRect.USER32(?,00000000,00000032,00000032,?), ref: 0042EB89
OffsetRect.USER32(?,?,?), ref: 0042EB96
IntersectRect.USER32(?,?,?), ref: 0042EBB2
IsRectEmpty.USER32(?), ref: 0042EBBD
OffsetRect.USER32(?,?,?), ref: 0042EBFA

Strings

2, xrefs: 0042EB46

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$Offset$EmptyIntersect
String ID: 2
API String ID: 765610062-450215437
Opcode ID: 4a1fd75257bf4e90f81646308af612225b45df39cb162d713e4d2519ecb2f643
Instruction ID: 2c1e0986392c38748a10c4788715218937eb101ae39ec72ecbe3d2cee91589dd
Opcode Fuzzy Hash: 4a1fd75257bf4e90f81646308af612225b45df39cb162d713e4d2519ecb2f643
Instruction Fuzzy Hash: 676124B52083419FD718CF6AD88496BBBE5BFC8314F548A2EF58987320D730E905CB56

Function 00478A60 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

CreateRoundRectRgn.GDI32(00000000,00000000,?,?,?,?), ref: 00478BAD
CreatePolygonRgn.GDI32(?,00000003,00000001), ref: 00478BD8
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00478BE8
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00478BF4
CombineRgn.GDI32(00000000,00000000,00000000,00000002), ref: 00478BFD
DeleteObject.GDI32(00000000), ref: 00478C0E
DeleteObject.GDI32(00000000), ref: 00478C15

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Create$Rect$DeleteObject$CombinePolygonRound
String ID:
API String ID: 821209521-0
Opcode ID: 1924df5e0320a5eccd6d6fa0a291f313686aafa77edb0c405e1c3efa5afa3e2c
Instruction ID: 31f96929484692738e1df7beee21b7087becffc3912b6411aa6de9aa3d8c850f
Opcode Fuzzy Hash: 1924df5e0320a5eccd6d6fa0a291f313686aafa77edb0c405e1c3efa5afa3e2c
Instruction Fuzzy Hash: DC513B706847029FC355CF39C989B6BBBE8FB88700F44493EB699D7341DA74AA018B59

Function 004B6D17 Relevance: 10.6, APIs: 7, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004B6D4B
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004B6D74
UpdateWindow.USER32(?), ref: 004B6D90
SendMessageA.USER32(?,00000121,00000000,?), ref: 004B6DB6
SendMessageA.USER32(?,0000036A,00000000,00000001), ref: 004B6DD5
UpdateWindow.USER32(?), ref: 004B6E18
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004B6E4B

Part of subcall function 004B7375: GetWindowLongA.USER32(00000000,000000F0), ref: 004B7381

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 78b3fdc48cbb9db551fb9de7abd59ac29f0a2eb5e8524e2be8a75da57b8ac546
Instruction ID: 67cb3bcf46c14a9fdc16e824bb54d5e8fa46a65a3237c8f0396a9afe16e27edc
Opcode Fuzzy Hash: 78b3fdc48cbb9db551fb9de7abd59ac29f0a2eb5e8524e2be8a75da57b8ac546
Instruction Fuzzy Hash: F641AC307047419BD7209F26C848E9BBAF8EFC0B44F14092FF48586291D77ED945CBAA

Function 0049CBC1 Relevance: 10.6, APIs: 7, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0049CBC6
#3.ODBC32(00000002,?,?,?,00000000), ref: 0049CBDD
#11.ODBC32(?,?,000000FD,?,00000000,?,00000002,?,?,?,00000000), ref: 0049CC1F
#16.ODBC32(?,00000001,?,00000000,?,?,?,?,?,00000000,?,?,?,000000FD,?,00000000), ref: 0049CCA8

Part of subcall function 0049C622: __EH_prolog.LIBCMT ref: 0049C627

#18.ODBC32(?,?,?,00000000,?,?,?,000000FD,?,00000000,?,00000002,?,?,?,00000000), ref: 0049CC4C
#13.ODBC32(?,?,?,?,00000000,?,?,?,000000FD,?,00000000,?,00000002,?,?), ref: 0049CC60
#61.ODBC32(?,?,?,?,00000000,?,?,?,000000FD,?,00000000,?,00000002,?,?), ref: 0049CC83

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e0d84b3f049371c97978e050f6b0fca29e25a517e0bb055068d7a94ce80e0a8b
Instruction ID: 1fafc264e5aa28515824bbb8258741a28b865c15dcc095d1447c2ab82d97489b
Opcode Fuzzy Hash: e0d84b3f049371c97978e050f6b0fca29e25a517e0bb055068d7a94ce80e0a8b
Instruction Fuzzy Hash: 51318132900105AFDF21ABA1CE85DBF7EB6EF45714F10403BF50572261D73A8E02DA6A

Function 0049CA4F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0049CA54
lstrlenA.KERNEL32(ODBC;), ref: 0049CA8D
lstrlenA.KERNEL32(ODBC;), ref: 0049CAA9

Part of subcall function 004B02F0: __EH_prolog.LIBCMT ref: 004B02F5

Part of subcall function 004B30CD: InterlockedDecrement.KERNEL32 ref: 004B30E1

lstrlenA.KERNEL32(?,00000000,?,?), ref: 0049CADD

Part of subcall function 004B345D: lstrlenA.KERNEL32(?,?,?,00420595,004E9FC0), ref: 004B346E

Strings

;DSN=, xrefs: 0049CAE3
ODBC;, xrefs: 0049CA87, 0049CA8C, 0049CA90, 0049CAA5

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: lstrlen$H_prolog$DecrementInterlocked
String ID: ;DSN=$ODBC;
API String ID: 2745093148-38295566
Opcode ID: 51f17233b78324ed29fd9fd04bb1cbf711d699b13d9bff377899846c9c19073b
Instruction ID: 3d942bab39d97db2515304d6fbd3f0a2c076b2691922f634c316586a7700da5f
Opcode Fuzzy Hash: 51f17233b78324ed29fd9fd04bb1cbf711d699b13d9bff377899846c9c19073b
Instruction Fuzzy Hash: D2319F7190012AABCF15DFA5DC81AEFBB74BF15745F00452BF811A3290DB78AE04CBA9

Function 0049C3AB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0049C3E9
GetSystemMetrics.USER32(00000000), ref: 0049C401
GetSystemMetrics.USER32(00000001), ref: 0049C408
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0049C42C

Strings

DISPLAY, xrefs: 0049C426
B, xrefs: 0049C3CA

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: 86d17a6485d86c035f5e52fc57c4aea4ac94423da690f4f5081b5b6ab3e11f23
Instruction ID: f94e806cb9ff5b3ab8c03dc0464f3295913710c785e08965bd82d49404051109
Opcode Fuzzy Hash: 86d17a6485d86c035f5e52fc57c4aea4ac94423da690f4f5081b5b6ab3e11f23
Instruction Fuzzy Hash: D111E071601320ABCF219F248DC4AABBFA8FF09750B808033FC059E152D2B9D941CBE8

Function 00484C00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52librarywindowCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000104,0000017C,00000048,0000017C,00000000,004C2ED8,000000FF,0047CFA8), ref: 00484C4D

Part of subcall function 004B3500: lstrlenA.KERNEL32(?,?,004B0760,000000FF,?,?,?), ref: 004B3513

LoadLibraryA.KERNEL32(00000140,\winhlp32.exe,000000FF), ref: 00484C71
LoadCursorA.USER32(00000000,0000006A), ref: 00484C80
CopyIcon.USER32(00000000), ref: 00484C8B
FreeLibrary.KERNEL32(00000000), ref: 00484C98

Strings

\winhlp32.exe, xrefs: 00484C5E

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: LibraryLoad$CopyCursorDirectoryFreeIconWindowslstrlen
String ID: \winhlp32.exe
API String ID: 3065524718-695620452
Opcode ID: a282769ad1d92c6b184b0fe776d14dd74e4d805914fa0eb7c0e9ae55c0755be7
Instruction ID: 7c48ccbcea9501414cd3971f68f9237b0b3cae0eabb023f2f5d07ac72e8fbb0d
Opcode Fuzzy Hash: a282769ad1d92c6b184b0fe776d14dd74e4d805914fa0eb7c0e9ae55c0755be7
Instruction Fuzzy Hash: 42110671105B02ABC304EF25DC45FAEBBA8FF44721F504A1EF465932E0DB78A544CB99

Function 004B906A Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 004B9076
GetSysColor.USER32(00000010), ref: 004B907D
GetSysColor.USER32(00000014), ref: 004B9084
GetSysColor.USER32(00000012), ref: 004B908B
GetSysColor.USER32(00000006), ref: 004B9092
GetSysColorBrush.USER32(0000000F), ref: 004B909F
GetSysColorBrush.USER32(00000006), ref: 004B90A6

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 8b59bfd28fd24f20b509bd02e3b07424c4c100b20b54f5bf4927659341d8d6f4
Instruction ID: 7f2a25d7896d02ad7809af7f62cf1a8d0b9daa01554de3a8bef4f5bf45e58b71
Opcode Fuzzy Hash: 8b59bfd28fd24f20b509bd02e3b07424c4c100b20b54f5bf4927659341d8d6f4
Instruction Fuzzy Hash: 32F0F871A407489BE760AB729D09B4BBAE0EFC4B10F02092AD2858BA90E6B5B4409F44

Function 004BC2B5 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 25registrywindowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 004BC2C2
GetVersion.KERNEL32 ref: 004BC2CD
GetVersion.KERNEL32 ref: 004BC2D5
GetVersion.KERNEL32 ref: 004BC2DB
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 004BC2E8

Strings

MSWHEEL_ROLLMSG, xrefs: 004BC2E3

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Version$MessageRegisterWindow
String ID: MSWHEEL_ROLLMSG
API String ID: 303823969-2485103130
Opcode ID: 254b6debc0daceda42b61cf53a069b838003e1792f5b31d77af26bb1a27e1c00
Instruction ID: 9c36192961317aae788beac89e5bc3a63b83a624e70113a3ea9e6b217b7c61e5
Opcode Fuzzy Hash: 254b6debc0daceda42b61cf53a069b838003e1792f5b31d77af26bb1a27e1c00
Instruction Fuzzy Hash: E8E0D839C0051796DB1417A46CC07EA3AD45769396F1040BBAE01A27549B7C04C75ABE

Function 00492150 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 497COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 0049247A
__ftol.LIBCMT ref: 00492498
__ftol.LIBCMT ref: 0049259A
__ftol.LIBCMT ref: 004925A5

Strings

Z, xrefs: 004926E7

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: __ftol
String ID: Z
API String ID: 495808979-1505515367
Opcode ID: 35b341c3013833cb40b7db121f3420b05a7ab5f6b642dbd91be71bc4f94ae351
Instruction ID: 6b9d401891aac42ee96d13b15ae926b91de4c4c492c95138929905b9b1b7bc95
Opcode Fuzzy Hash: 35b341c3013833cb40b7db121f3420b05a7ab5f6b642dbd91be71bc4f94ae351
Instruction Fuzzy Hash: AE129BB0A087029BCB14DF29D68461ABBF0FFC8740F10896EE5D597354EBB9D819CB46

Function 00426880 Relevance: 9.2, APIs: 6, Instructions: 176windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004268D1
IsWindow.USER32(?), ref: 004268E6
IsChild.USER32(?,?), ref: 004268F7
SetFocus.USER32(?), ref: 00426908
IsWindow.USER32(?), ref: 00426A00
IsWindowVisible.USER32(?), ref: 00426A0E

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$ChildFocusVisible
String ID:
API String ID: 372613587-0
Opcode ID: 05ae5aeca52d0f1ed4070bd077582883d7483e4f1f33e091e51152ee6c94c30d
Instruction ID: 543826410dd85323d378c9038617d0c7e619373cbe2342f1232557643858160f
Opcode Fuzzy Hash: 05ae5aeca52d0f1ed4070bd077582883d7483e4f1f33e091e51152ee6c94c30d
Instruction Fuzzy Hash: FB5190B16003129FC320EF69D880D6BB3E8FF85348F55892EF84597251DB38E945CBA9

Function 00494220 Relevance: 9.2, APIs: 6, Instructions: 152COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 0049422D
__ftol.LIBCMT ref: 00494238
__ftol.LIBCMT ref: 00494246
__ftol.LIBCMT ref: 00494252
IsWindow.USER32(00000000), ref: 0049430A

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: __ftol$Window
String ID:
API String ID: 709141348-0
Opcode ID: 47ba66d8c3b54832aefda06066a3f41d748a518af8be3bc6a8d40575318c357b
Instruction ID: 14cd8b20de86c5b335fc66851bd074fcc3c57144d447ae463a8a30a092865a7e
Opcode Fuzzy Hash: 47ba66d8c3b54832aefda06066a3f41d748a518af8be3bc6a8d40575318c357b
Instruction Fuzzy Hash: D2519E756083018FC724DF69D480A5BBBE4EBC8354F00893FF99583351D779E8498BA6

Function 00439700 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 00439742
IsRectEmpty.USER32(?), ref: 00439773
OffsetRect.USER32(?,00000000,?), ref: 004397C3
LPtoDP.GDI32(?,?,00000002), ref: 004397F8
GetClientRect.USER32(?,?), ref: 00439807
IntersectRect.USER32(?,?,?), ref: 0043981C

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$ClientCopyEmptyIntersectOffset
String ID:
API String ID: 1743551499-0
Opcode ID: 4dc047c064e511429fd51c9ba1557152b4b73463f850017d8777f4a9cf5c0ae6
Instruction ID: 62e447f9abe8e941227f4a39f96426e140f0c9b90ed115a35148b58c599ee1df
Opcode Fuzzy Hash: 4dc047c064e511429fd51c9ba1557152b4b73463f850017d8777f4a9cf5c0ae6
Instruction Fuzzy Hash: C641F8B66086019FC318CF69D880D6BB7E9BBC8710F048A2EF556C7250DB74E945CB62

Function 004AD220 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,004D7B0C,00000001,-00000030,004B04AE,00000000,-00000030,?,004B04AB,00000000,?,?,?), ref: 004AD25F
GetStringTypeA.KERNEL32(00000000,00000001,004D7B08,00000001,?,?,?,?), ref: 004AD279
GetStringTypeA.KERNEL32(-00000030,?,?,00000000,004B04AB,004B04AE,00000000,-00000030,?,004B04AB,00000000,?,?,?), ref: 004AD2AD
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,00000000,004B04AE,00000000,-00000030,?,004B04AB,00000000,?,?,?), ref: 004AD2E5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004AD33B
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004AD34D

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: d5ca330e626ff715139a4f3977e89da54d575eb4d5339ec62f806e02491c07ad
Instruction ID: a55fde04606d7919669bfc7a9ef65a77fbb7b3b50b09c670fe7d3528284bb433
Opcode Fuzzy Hash: d5ca330e626ff715139a4f3977e89da54d575eb4d5339ec62f806e02491c07ad
Instruction Fuzzy Hash: 7D419E76A00219AFCF109F94CC85EEF7BB8EB2A754F104526F912D2260D339D990DF99

Function 0042E960 Relevance: 9.1, APIs: 6, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0042E8D0: CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 0042E94B

CreateCompatibleDC.GDI32(?), ref: 0042E9BA
DeleteObject.GDI32(00000000), ref: 0042E9CF

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Create$BitmapCompatibleDeleteObject
String ID:
API String ID: 3709961035-0
Opcode ID: 517565b8b11aa8ad6ab3e2553ea7e12308ffa1e5617940ad6755dd4c271605a1
Instruction ID: 8bd8b1bdb326e185032bb92e46d0676353fbf7d8e69b1a5241caa31e069314c6
Opcode Fuzzy Hash: 517565b8b11aa8ad6ab3e2553ea7e12308ffa1e5617940ad6755dd4c271605a1
Instruction Fuzzy Hash: F0318F766047019FC314DF69D884F5BB7E8FB88720F444A2EF55983381CB38A805CB66

Function 004BCE26 Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00540F94,00540F84,00000000,?,00540F94,?,004BD073,00540F84,00000000,?,?,004B36BA,?,0040BC52,000007DD), ref: 004BCE31
EnterCriticalSection.KERNEL32(00540FB0,00000010,?,00540F94,?,004BD073,00540F84,00000000,?,?,004B36BA,?,0040BC52,000007DD,?,00000000), ref: 004BCE80
LeaveCriticalSection.KERNEL32(00540FB0,00000000,?,00540F94,?,004BD073,00540F84,00000000,?,?,004B36BA,?,0040BC52,000007DD,?,00000000), ref: 004BCE93
LocalAlloc.KERNEL32(00000000,00000004,?,00540F94,?,004BD073,00540F84,00000000,?,?,004B36BA,?,0040BC52,000007DD,?,00000000), ref: 004BCEA9
LocalReAlloc.KERNEL32(?,00000004,00000002,?,00540F94,?,004BD073,00540F84,00000000,?,?,004B36BA,?,0040BC52,000007DD), ref: 004BCEBB
TlsSetValue.KERNEL32(00540F94,00000000), ref: 004BCEF7

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 7dab14ffe63dce63588b3f747b4b9ebb3d78324f1313a0ec3809034981a08305
Instruction ID: ffe608302c1ec042ff0730aac6760cc94ff5c5dc04ed459d2653b0c4c656999b
Opcode Fuzzy Hash: 7dab14ffe63dce63588b3f747b4b9ebb3d78324f1313a0ec3809034981a08305
Instruction Fuzzy Hash: 43316971100605EFD724DF15C8C9FAAB7E8FB44759F00892AE41ACB650DB74F905CB69

Function 004B5840 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B5845
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 004B5892
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 004B58B4
GetCapture.USER32 ref: 004B58C6
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004B58D5
WinHelpA.USER32(?,?,?,?), ref: 004B58E9

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend$CaptureH_prologHelp
String ID:
API String ID: 432264411-0
Opcode ID: dd64285251b202ab2e9653fc77cb8157e125d4dde1f4120aed87107a90cc2d20
Instruction ID: f8ca41edda9e70151e4aea6375e9b83451853b706d4d7b01794a69a9ceed8fe4
Opcode Fuzzy Hash: dd64285251b202ab2e9653fc77cb8157e125d4dde1f4120aed87107a90cc2d20
Instruction Fuzzy Hash: BC219571640609BFEB20AF65CC86FAEB7B9EF44754F11452DB2519B1E2CBB49C009B24

Function 0043C3D0 Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0043C3F2
ScreenToClient.USER32(00000001,?), ref: 0043C401

Part of subcall function 0043C480: DPtoLP.GDI32(?,?,00000001), ref: 0043C597

LoadCursorA.USER32(00000000,00007F85), ref: 0043C431
SetCursor.USER32(00000000), ref: 0043C438
LoadCursorA.USER32(00000000,00007F84), ref: 0043C457
SetCursor.USER32(00000000), ref: 0043C45E

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Cursor$Load$ClientScreen
String ID:
API String ID: 789353160-0
Opcode ID: 6a38ca852b3e0009193ca7992a36fe09790de1901bca85ee353e90834c785513
Instruction ID: 5df7ed57b91580cceaaf1f9f35484ca8609ea4bf512d558b394bba5f348743bb
Opcode Fuzzy Hash: 6a38ca852b3e0009193ca7992a36fe09790de1901bca85ee353e90834c785513
Instruction Fuzzy Hash: 9811C0316443019BC710DF64DD95EAF73A4ABA4B15F40452EF146961C0DA74E948C7B7

Function 00415530 Relevance: 9.1, APIs: 6, Instructions: 54windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000002,?), ref: 0041554B
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 0041555D
SendMessageA.USER32(?,0000110A,00000002,?), ref: 0041556B
SendMessageA.USER32(?,0000110A,00000001,?), ref: 0041557D
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 0041558F
SendMessageA.USER32(?,0000110A,00000001,?), ref: 0041559D

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: db08f6a1f686fd56e8bc157af40793d55ee530a7379c51024367d3956409a5b2
Instruction ID: 6311fbe50c8584c89ba5fdf6e4f7768e37393d5905c1949c3cc5f69f40a2c8b6
Opcode Fuzzy Hash: db08f6a1f686fd56e8bc157af40793d55ee530a7379c51024367d3956409a5b2
Instruction Fuzzy Hash: 6F0186B2B507057EF534D6658CC2FE7A2AE9FD8B91F018619B701DB2C4C5E5EC814634

Function 004BA71B Relevance: 9.0, APIs: 6, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 004BA71E

Part of subcall function 004BA5C0: GetWindowLongA.USER32(00000000,000000F0), ref: 004BA5D1

GetParent.USER32(00000000), ref: 004BA745

Part of subcall function 004BA5C0: GetClassNameA.USER32(00000000,?,0000000A), ref: 004BA5EC
Part of subcall function 004BA5C0: lstrcmpiA.KERNEL32(?,combobox), ref: 004BA5FB

GetWindowLongA.USER32(?,000000F0), ref: 004BA760
GetParent.USER32(?), ref: 004BA76E
GetDesktopWindow.USER32 ref: 004BA772
SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 004BA786

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
String ID:
API String ID: 2818563221-0
Opcode ID: c66081d5c24abb5ddb143e31e3697a9f7da9a9efd9675b83784c093a6989e0e8
Instruction ID: 517dcf410985a84939fcb25443dd1baf9e411649a3551e164b025d889faf6c79
Opcode Fuzzy Hash: c66081d5c24abb5ddb143e31e3697a9f7da9a9efd9675b83784c093a6989e0e8
Instruction Fuzzy Hash: 8DF0A432205A2036D33226365C8CFEF66785F85B61F550226F914A73C5AF1CDC5141BF

Function 004BA635 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004BA644
GetWindow.USER32(?,00000005), ref: 004BA655
GetDlgCtrlID.USER32(00000000), ref: 004BA65E
GetWindowLongA.USER32(00000000,000000F0), ref: 004BA66D
GetWindowRect.USER32(00000000,?), ref: 004BA67F
PtInRect.USER32(?,?,?), ref: 004BA68F

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: ebce0676aee165c0e3e4866baa2c59e3e495782ad970e820e41e6abcb4fcb89c
Instruction ID: 240d21e3f429db80ae78c1aead235cdc652c866f83da230082ecb5719988d569
Opcode Fuzzy Hash: ebce0676aee165c0e3e4866baa2c59e3e495782ad970e820e41e6abcb4fcb89c
Instruction Fuzzy Hash: EC01A272100519BBDB129F64DC08EEF376DEF54310F484032F915D5164E734E9628BAD

Function 004861F0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000000,00000064), ref: 0048626D

Strings

$, xrefs: 004864ED

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 5a6c0e02f23aa342c350aab8ec27131cba36814bb89b39e37e86caa4706af247
Instruction ID: b53905177cd9f86943081e093fa31291d3e49e4c5be9450fe23f485b5183d690
Opcode Fuzzy Hash: 5a6c0e02f23aa342c350aab8ec27131cba36814bb89b39e37e86caa4706af247
Instruction Fuzzy Hash: BE81CF716082409BC354EB29C986B6FB3E4EF95714F04492EFA4197390EB39ED08CB5A

Function 0043D540 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0043D57F
CreateFontIndirectA.GDI32(00000028), ref: 0043D5E8
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0043D62F

Strings

,L, xrefs: 0043D5FF, 0043D603
(, xrefs: 0043D5D4

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CreateExtentFontIndirectPoint32Textwsprintf
String ID: ($,L
API String ID: 3175173087-2536315053
Opcode ID: 47007c099340d4d661b3d37efae5cee1abb8a81da643f71a2b39269df5c434c6
Instruction ID: bf7b5d824d34b047c2254c1287aaf529d148d51fae3f8da193d9dc1e60403b6b
Opcode Fuzzy Hash: 47007c099340d4d661b3d37efae5cee1abb8a81da643f71a2b39269df5c434c6
Instruction Fuzzy Hash: AD51D2706083458FC324CF28C885B6FB7E5FBC8314F144A1EE59A83381DBB5A949CB96

Function 00444240 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 150windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004442A9
SendMessageA.USER32(?,00000111,?,?), ref: 00444369

Strings

HP, xrefs: 00444399
HP, xrefs: 00444353
HP, xrefs: 00444314

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSendWindow
String ID: HP$HP$HP
API String ID: 701072176-530379939
Opcode ID: 1cf97c5797941dbd98c9f825a41bf0d4ec9faf85f0401d8ad1bb21c9f2a68a0b
Instruction ID: 8e83476d20211c51e7a77d63330b9e6953d38827a51469dda2a9f19f336a63be
Opcode Fuzzy Hash: 1cf97c5797941dbd98c9f825a41bf0d4ec9faf85f0401d8ad1bb21c9f2a68a0b
Instruction Fuzzy Hash: BA41D4327402015BE7149E2A9C81BBFB3E5EBC4725F68453EFD05C7381DA6DE8498365

Function 0047CAB0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9C33: __EH_prolog.LIBCMT ref: 004B9C38
Part of subcall function 004B9C33: BeginPaint.USER32(?,?,?,?,0047CAE2), ref: 004B9C61

GetClientRect.USER32(?,?), ref: 0047CAEF
CreateCompatibleDC.GDI32(?), ref: 0047CB14
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0047CB4A

Part of subcall function 004B9374: SelectObject.GDI32(?,?), ref: 004B937C

Part of subcall function 0040DE80: GetSysColor.USER32(0000000F), ref: 0040DE8D

Part of subcall function 004BBF9A: SetBkColor.GDI32(?,0047CB8D), ref: 004BBFA4
Part of subcall function 004BBF9A: ExtTextOutA.GDI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004BBFBA

BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0047CC26

Strings

d7M, xrefs: 0047CB51

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ColorCompatibleCreate$BeginBitmapClientH_prologObjectPaintRectSelectText
String ID: d7M
API String ID: 3108668125-687155191
Opcode ID: 90a67339314feeb80db2acc650e5c7a13229bea3a4e324128f9a337f0689a91c
Instruction ID: 30a6ef1cdbba7f477814f59d12e5c5750976ffd6aa782b83615cddf6fb7490ca
Opcode Fuzzy Hash: 90a67339314feeb80db2acc650e5c7a13229bea3a4e324128f9a337f0689a91c
Instruction Fuzzy Hash: C7517FB1D00109AFDB04DFA9D895EEEB7B9EB48304F10815EF41AA3281DB386E05CB65

Function 004A65EE Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 004A660D
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004A6642
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004A66A2

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 004A667C
__MSVCRT_HEAP_SELECT, xrefs: 004A663D

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 7b6c264a3eb42b51207d4dd1f2c63fb5700b5b3c979091f94763ab9024e2ca33
Instruction ID: e9510f6707f97f00698f9cb7df57fa70b4ab0f4d8c421e3e891e598f81c66517
Opcode Fuzzy Hash: 7b6c264a3eb42b51207d4dd1f2c63fb5700b5b3c979091f94763ab9024e2ca33
Instruction Fuzzy Hash: 85315B758152886DEB3186745C51BEF77689B33308F1D00EBE085D5292EA3D9EC58B2D

Function 004B522D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000405,00000000,?), ref: 004B52E6
GetWindowLongA.USER32(?,000000FC), ref: 004B52F7
GetWindowLongA.USER32(?,000000FC), ref: 004B5307
SetWindowLongA.USER32(?,000000FC,?), ref: 004B5323

Strings

(, xrefs: 004B52D1

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: aa10db53a3ecbfd3b67b9c886b4dc39dcd4cc66e758ecdb20b230dae8379d009
Instruction ID: 0d3bbff09c75c8dbee45812a954a078ece91edce7d62e6ff4110b4c99156d656
Opcode Fuzzy Hash: aa10db53a3ecbfd3b67b9c886b4dc39dcd4cc66e758ecdb20b230dae8379d009
Instruction Fuzzy Hash: 7B31C131601B049FDB25AFA5D884BAEBBE4BF48314F14026EE54197791DB78E8008FA8

Function 004BD959 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 004BD98A

Part of subcall function 004BDA76: lstrlenA.KERNEL32(00000104,00000000,?,004BD9BA), ref: 004BDAAD

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 004BDA2B
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004BDA58

Strings

.INI, xrefs: 004BDA52
.HLP, xrefs: 004BDA25

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: 6c4368ea94c09f531e1943ddda3328bb454f12ab926661f7ef20324cd47399d6
Instruction ID: aa4e81e7dfadde576ce0641f1ceeb6c606372386b8b369ff70d5a4e3e65c9824
Opcode Fuzzy Hash: 6c4368ea94c09f531e1943ddda3328bb454f12ab926661f7ef20324cd47399d6
Instruction Fuzzy Hash: 5A3194B18047189FDB20DF71C885BCBB7FCAB18304F1049ABE595D2151EBB4A9C4CB64

Function 0049D046 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 004BAE13: GetParent.USER32(?), ref: 004BAE46
Part of subcall function 004BAE13: GetLastActivePopup.USER32(?), ref: 004BAE55
Part of subcall function 004BAE13: IsWindowEnabled.USER32(?), ref: 004BAE6A
Part of subcall function 004BAE13: EnableWindow.USER32(?,00000000), ref: 004BAE7D

GetDesktopWindow.USER32 ref: 0049D063
#41.ODBC32(?,00000000,?,000000FD,?,00000200,?,00000001,00000000,?), ref: 0049D09D
EnableWindow.USER32(00000000,00000001), ref: 0049D0AF

Strings

d, xrefs: 0049D0B5
ODBC;, xrefs: 0049D0DA

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$Enable$ActiveDesktopEnabledLastParentPopup
String ID: ODBC;$d
API String ID: 4196746923-2206015736
Opcode ID: d79d6c7dcaf031073322ddb5a18a05993cb33d5dd46037aaaffe83d0a453bedd
Instruction ID: 4f3fa5fc0d5b82e6bd4abe315d7b2bbcd68c7f4191a16f5245509a1fb54a95ed
Opcode Fuzzy Hash: d79d6c7dcaf031073322ddb5a18a05993cb33d5dd46037aaaffe83d0a453bedd
Instruction Fuzzy Hash: 88113A717002047BDF209B65CC49FAF7BA99F94708F10813AF5419A1D1DAB8AD468754

Function 0042D500 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 0042D540
GlobalSize.KERNEL32(?), ref: 0042D563
GlobalSize.KERNEL32(?), ref: 0042D593
GlobalUnlock.KERNEL32(?), ref: 0042D5A3

Strings

BM, xrefs: 0042D55D

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Global$Size$LockUnlock
String ID: BM
API String ID: 2233901773-2348483157
Opcode ID: 1decffbee335600de1645ecf5134e5e3b505dc9a4b929683141f34afbd784b4a
Instruction ID: 786dcd38569730efdfc25cfaa4603a41095ba6e790ea16bc664d719473731898
Opcode Fuzzy Hash: 1decffbee335600de1645ecf5134e5e3b505dc9a4b929683141f34afbd784b4a
Instruction Fuzzy Hash: 6E21B676A00658ABC710DFA9D841BDEBBB8FF48724F10416AE819E3381D7785944C7A9

Function 00474860 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00474940: GetTopWindow.USER32(76C21AC0), ref: 0047494D
Part of subcall function 00474940: IsWindowVisible.USER32(00000000), ref: 00474962
Part of subcall function 00474940: GetTopWindow.USER32(00000000), ref: 0047496D
Part of subcall function 00474940: GetWindow.USER32(00000000,00000002), ref: 00474988

GetWindowRect.USER32(?,?), ref: 004748C8
IntersectRect.USER32(?,?,?), ref: 004748D5
IsRectEmpty.USER32(?), ref: 004748E0

Part of subcall function 004B9939: ScreenToClient.USER32(?,?), ref: 004B994D
Part of subcall function 004B9939: ScreenToClient.USER32(?,?), ref: 004B9956

RedrawWindow.USER32(?,00000705,00000000,00000705,?,?,?,?,?,76C21AC0,?,?,004C21D8,000000FF,00474846,?), ref: 00474909

Strings

p0M, xrefs: 00474921

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$Rect$ClientScreen$EmptyIntersectRedrawVisible
String ID: p0M
API String ID: 1303225554-2090580636
Opcode ID: 465d3eb08b902b3f7e38c81210a6562df8f983e33ca6a482da6f088d1bcac394
Instruction ID: 136599b8e3a7a14e8e38afd7a27c2822342d1d93ef513eeadf1e11b9532f66ab
Opcode Fuzzy Hash: 465d3eb08b902b3f7e38c81210a6562df8f983e33ca6a482da6f088d1bcac394
Instruction Fuzzy Hash: 8421A1B1108745ABC300DF54D845FAFB3A8FBC4714F404A1EF28597290E778AA48CBA6

Function 004B5746 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004B577C
wsprintfA.USER32 ref: 004B5798
GetClassInfoA.USER32(?,-00000058,?), ref: 004B57A7

Strings

Afx:%x:%x:%x:%x:%x, xrefs: 004B5792
Afx:%x:%x, xrefs: 004B5776

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: wsprintf$ClassInfo
String ID: Afx:%x:%x$Afx:%x:%x:%x:%x:%x
API String ID: 845911565-79760390
Opcode ID: b561376ee0ba7f4db86f2ab0a80339e6ba41abc360155c4cbb8800f1fe37282e
Instruction ID: be78814f9b3432147f3b6ba965934ed1c4ed35570842c565698ac999d6ef55fe
Opcode Fuzzy Hash: b561376ee0ba7f4db86f2ab0a80339e6ba41abc360155c4cbb8800f1fe37282e
Instruction Fuzzy Hash: 54212F71A01609EF8B00DF99DC80ADEBBB9FF48354F50402BF905E2201D77499518BB9

Function 00425130 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconA.SHELL32(00000001,?,?,00000058), ref: 004251A9
DestroyIcon.USER32(?,?,?,00000058), ref: 004251B6
Shell_NotifyIconA.SHELL32(?,?,00000000,00000058), ref: 004251E9

Strings

X, xrefs: 00425147
d, xrefs: 00425159

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Icon$NotifyShell_$Destroy
String ID: X$d
API String ID: 944232879-651813629
Opcode ID: 5e09662a696b5b18543f6299b58cb5b400b64e9654f1a681ed3153d7384e302f
Instruction ID: 259d0ef591418fa70c017757ca38584a64ae1b99909c00aa684a9a09ea501006
Opcode Fuzzy Hash: 5e09662a696b5b18543f6299b58cb5b400b64e9654f1a681ed3153d7384e302f
Instruction Fuzzy Hash: C8216D756047009FE310DF15D804BABBBE4AFD5705F00891EF9C892340DBB5A5588B96

Function 00486690 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(0000004B,?,00000064), ref: 004866B5
MulDiv.KERNEL32(0000007D,?,00000064), ref: 004866DD

Strings

thin, xrefs: 00486696
thick, xrefs: 004866C2
medium, xrefs: 004866EA

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID: medium$thick$thin
API String ID: 0-2705061876
Opcode ID: dd904464e266e7381fce48a5bb2bbaed3c72c28c830ca119b9046c7ee03cfce7
Instruction ID: 65bc154314a6bf2602deba000e4372b4286616031ebc4b2e47b2ddb0ac49ecec
Opcode Fuzzy Hash: dd904464e266e7381fce48a5bb2bbaed3c72c28c830ca119b9046c7ee03cfce7
Instruction Fuzzy Hash: 2901927274434067D780EA59EC06F6F6398ABE5701F050C2FFB8097280D6A8A819C7B9

Function 004B5193 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B5198

Strings

@YM, xrefs: 004B51BC
@YM, xrefs: 004B51C4
@YM, xrefs: 004B51CC
@YM, xrefs: 004B51B4

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: H_prolog
String ID: @YM$@YM$@YM$@YM
API String ID: 3519838083-1199357859
Opcode ID: 30ff526225295d2832ee333116e65ba6a911b35552bd44f965f1ac7f2feabbe4
Instruction ID: 563215ed7305bffbebb6c2cebcc313d79d97d2a9034299cb4d3ee0c06dc299a3
Opcode Fuzzy Hash: 30ff526225295d2832ee333116e65ba6a911b35552bd44f965f1ac7f2feabbe4
Instruction Fuzzy Hash: 7C01D431D00A109BCB349F0C82547EEF6E0AF00715F145A2FA856577D0C7B88D00DF69

Function 0047E950 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,00000000,00000000), ref: 0047E96A
RegQueryValueA.ADVAPI32 ref: 0047E98E
lstrcpyA.KERNEL32(?,00000000), ref: 0047E9A1
RegCloseKey.ADVAPI32(?), ref: 0047E9AC

Strings

hu, xrefs: 0047E9AC

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CloseOpenQueryValuelstrcpy
String ID: hu
API String ID: 534897748-423011080
Opcode ID: 1f78801fd02e1c41d60f6031f2196dc8f738ef8ce7d037ec8a352e62ae1df01d
Instruction ID: d1588fdee948dfe3b6362720c99cb08c485cdfb08d76db295b05ea553d8dafe7
Opcode Fuzzy Hash: 1f78801fd02e1c41d60f6031f2196dc8f738ef8ce7d037ec8a352e62ae1df01d
Instruction Fuzzy Hash: 3AF04FB9104301BFD320DB10DC88EAFBBA8EBC4754F00C91DB98882250D670E885CBE2

Function 00490120 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71adca49e9004e154f2aebf04c71b8eae491e736bba411a401a11affd5b1a21
Instruction ID: aa0f19ec01fa7bce67f16f2706eee9da8d2811ab0288738e50e1a917d7ed7c98
Opcode Fuzzy Hash: f71adca49e9004e154f2aebf04c71b8eae491e736bba411a401a11affd5b1a21
Instruction Fuzzy Hash: B27139723096004FE760CE28EC91B5BB7E5FB84718F104A2EF582CB391D666EC44CBA5

Function 00439F90 Relevance: 7.7, APIs: 5, Instructions: 229COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 0043A019
GetClientRect.USER32(00000000,?), ref: 0043A052
DPtoLP.GDI32 ref: 0043A0A8
GetClientRect.USER32(00000000,?), ref: 0043A17C
DPtoLP.GDI32 ref: 0043A1D2

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$Client$Copy
String ID:
API String ID: 472922470-0
Opcode ID: 3c5979b64b8de3701e057abfb5f8a6119f027edf23cb7066aa0ed2d6e7b25033
Instruction ID: dcf39a15f76730d3f6ab302ee8e97f8499e8632fba92dfb82249cf4adac12ad9
Opcode Fuzzy Hash: 3c5979b64b8de3701e057abfb5f8a6119f027edf23cb7066aa0ed2d6e7b25033
Instruction Fuzzy Hash: 8281BE712483449FC724DF69C880A6FB3E5BBC8308F105A1EF19A83381DB79A8058B67

Function 0048D2EC Relevance: 7.7, APIs: 5, Instructions: 168COMMON

Download Yara Rule

APIs

_rand.LIBCMT ref: 0048D317
_rand.LIBCMT ref: 0048D325
_rand.LIBCMT ref: 0048D33B
_rand.LIBCMT ref: 0048D358
_rand.LIBCMT ref: 0048D471

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: _rand
String ID:
API String ID: 1172538735-0
Opcode ID: d0818ba59d90d97e98a336d39fe24dfeba292284d8c478c19a7a03dec7051a3a
Instruction ID: f2c13e3a967e296253f2e709c283a4d75aba70957c8a90ba557bf4d036b68bf3
Opcode Fuzzy Hash: d0818ba59d90d97e98a336d39fe24dfeba292284d8c478c19a7a03dec7051a3a
Instruction Fuzzy Hash: A4512B756093458FC304EF6EC89056FF7E2ABD8314F14992EF494C7345D678E8098B46

Function 004190B0 Relevance: 7.7, APIs: 5, Instructions: 159windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 004190D2
CreateRectRgn.GDI32 ref: 00419154
GetClientRect.USER32(?,?), ref: 0041917D
FillRgn.GDI32(?,?,?), ref: 004191F6
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0041926C

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$ClientCreateEmptyFill
String ID:
API String ID: 97219908-0
Opcode ID: dc35ec68f10c7445216cf7728fbce94d2774a3f2f54a9401f9ba96a191e7cc8c
Instruction ID: f7a2a6fac34d0bc93cbd53d4271a41f339f33d22c3988e34879b29bea243a8fa
Opcode Fuzzy Hash: dc35ec68f10c7445216cf7728fbce94d2774a3f2f54a9401f9ba96a191e7cc8c
Instruction Fuzzy Hash: 2C513C71204602AFD714DF65C895EABB7E9FF88704F04892DF95A83240D738EC49CBA6

Function 004A6337 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 004A6395
GetFileType.KERNEL32(?,?,00000000), ref: 004A6440
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 004A64A3
GetFileType.KERNEL32(00000000,?,00000000), ref: 004A64B1
SetHandleCount.KERNEL32 ref: 004A64E8

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 90a0e79d82e606da62a549522e1df4d8cfe222bb675f1c778d663ce0c0dd1890
Instruction ID: 2c2e44dc03a0756adbd8dfb2e9292e91b73aa5d54c9cb6cab2eb2d28659569e9
Opcode Fuzzy Hash: 90a0e79d82e606da62a549522e1df4d8cfe222bb675f1c778d663ce0c0dd1890
Instruction Fuzzy Hash: 905126715046158FC710CF28C88466A3BE0EB37368F2E466ED592DB3E0D738984ADB1D

Function 00479640 Relevance: 7.6, APIs: 5, Instructions: 121windowCOMMON

Download Yara Rule

APIs

WindowFromPoint.USER32(?,?,00000000,?,?,76C1EBD0,?,?,?,?), ref: 0047968A
ScreenToClient.USER32(?,?), ref: 004796DC
SendMessageA.USER32(?,00000418,00000000,00000000), ref: 004796F5
SendMessageA.USER32(?,0000041D,00000000,?), ref: 00479713
PtInRect.USER32(?,?,?), ref: 00479728

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend$ClientFromPointRectScreenWindow
String ID:
API String ID: 3817995947-0
Opcode ID: 970a9b8e510172b4e491aa22c0a9290f15628bec7cf9f03d950aba5365de8164
Instruction ID: 540bd447a8f40380064d6fe35c14404f1dbb632a52778986a77f151e9e09a67a
Opcode Fuzzy Hash: 970a9b8e510172b4e491aa22c0a9290f15628bec7cf9f03d950aba5365de8164
Instruction Fuzzy Hash: 85414CB56047019FC314DF29C880EABB7F4EB88710F108A2EF55A87355EB74E8058B65

Function 00425E10 Relevance: 7.6, APIs: 5, Instructions: 104windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00425EE0
WinHelpA.USER32(?,00000000,00000002,00000000), ref: 00425EFB
GetMenu.USER32(?), ref: 00425F0B
SetMenu.USER32(?,00000000), ref: 00425F18
DestroyMenu.USER32(00000000), ref: 00425F23

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Menu$DestroyHelpWindow
String ID:
API String ID: 427501538-0
Opcode ID: cfd7007fc9760b28f408c0aa75d6fb090a237a66dda2f82d7a3f383f4634baf9
Instruction ID: e6590fdfeb0bdfae749803cfd5eee3e35c5b40ba9d82604cfa5fa49dc07203eb
Opcode Fuzzy Hash: cfd7007fc9760b28f408c0aa75d6fb090a237a66dda2f82d7a3f383f4634baf9
Instruction Fuzzy Hash: 5431C271700A19ABC314AFA6DC85E6FB7ACFF45348F85461EF84593240DB39B9408BA9

Function 004322E0 Relevance: 7.6, APIs: 5, Instructions: 103synchronizationCOMMON

Download Yara Rule

APIs

midiStreamStop.WINMM(?,00000000,?,00000000,00431E4A,00000000,0050DDC0,00428316,0050DDC0,?,00422F6F,0050DDC0,00420F36,00000001,00000000,000000FF), ref: 00432315
midiOutReset.WINMM(?,?,00422F6F,0050DDC0,00420F36,00000001,00000000,000000FF), ref: 00432333
WaitForSingleObject.KERNEL32(?,000007D0,?,00422F6F,0050DDC0,00420F36,00000001,00000000,000000FF), ref: 00432356
midiStreamClose.WINMM(?,?,00422F6F,0050DDC0,00420F36,00000001,00000000,000000FF), ref: 00432393
midiStreamClose.WINMM(?,?,00422F6F,0050DDC0,00420F36,00000001,00000000,000000FF), ref: 004323C7

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: midi$Stream$Close$ObjectResetSingleStopWait
String ID:
API String ID: 3142198506-0
Opcode ID: 007cc1b59f8dc9913eb931676c05307f2458782d91f191b296c2d42b02875e78
Instruction ID: dda775a22080bab205f500ccc2fd9ef9ef2946d8d134b7780e2d68dde46e4211
Opcode Fuzzy Hash: 007cc1b59f8dc9913eb931676c05307f2458782d91f191b296c2d42b02875e78
Instruction Fuzzy Hash: 40315E72700B01CBD7209F65D98492FB7E9BF98715F205A3FE586C6600C7BCE8858B98

Function 00422080 Relevance: 7.6, APIs: 5, Instructions: 92windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004220F0
GetMenu.USER32(?), ref: 004220FF
DestroyAcceleratorTable.USER32(?), ref: 0042214C
SetMenu.USER32(?,00000000), ref: 00422161
DestroyMenu.USER32(?,?,?,0041E544,?), ref: 00422171

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Menu$Destroy$AcceleratorTableWindow
String ID:
API String ID: 1240299919-0
Opcode ID: 684558542d6f3c76672873f1de95eb6dcbb4422a3439782dd11ff6e701fcbe5e
Instruction ID: e9f4d952c95af6d48a00362f298fa4df223bf1c5fca5b1ed1abca2b1641c346c
Opcode Fuzzy Hash: 684558542d6f3c76672873f1de95eb6dcbb4422a3439782dd11ff6e701fcbe5e
Instruction Fuzzy Hash: 6931C4766002066FC720EF65DC84DAB77A9EF84358F41852DF90597251EB38F805CBE4

Function 004B0A90 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B0A95
GetParent.USER32(?), ref: 004B0AD2
SendMessageA.USER32(?,00000464,00000104,00000000), ref: 004B0AFA
GetParent.USER32(?), ref: 004B0B23
SendMessageA.USER32(?,00000465,00000104,00000000), ref: 004B0B40

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageParentSend$H_prolog
String ID:
API String ID: 1056721960-0
Opcode ID: 797d1608b642848017e4091f2b7bd6325a46ad38a65f02823e26791c3296060e
Instruction ID: 877231c1eec776b761d79f266295fd408e61b574df493a30b54c3d60dbff1cfd
Opcode Fuzzy Hash: 797d1608b642848017e4091f2b7bd6325a46ad38a65f02823e26791c3296060e
Instruction Fuzzy Hash: 85317270900215ABCB14EFA6CC95EEFB774FF41329F10452EE421A71D1DB38AA05CB68

Function 00496C40 Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00496C58
WindowFromPoint.USER32(?,?), ref: 00496C68
GetActiveWindow.USER32 ref: 00496C9A
InvalidateRect.USER32 ref: 00496CCD
_TrackMouseEvent.COMCTL32(?,00000000), ref: 00496CF8

Part of subcall function 00496C10: InvalidateRect.USER32 ref: 00496C2D

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: InvalidateRectWindow$ActiveClientEventFromMousePointScreenTrack
String ID:
API String ID: 508830376-0
Opcode ID: 0fb494898d45a3faf6858f9d97367c5e0f8b44843a76c8fe6485f4fd8672b73b
Instruction ID: b9dba9068aafb039abcb1247a05196b5ae9b827d0631b06080b00bac4b732a3c
Opcode Fuzzy Hash: 0fb494898d45a3faf6858f9d97367c5e0f8b44843a76c8fe6485f4fd8672b73b
Instruction Fuzzy Hash: 1B217F713007009BDB20EF65D844F6BBBE9EB84708F01492EF585C7341EB79E90587A9

Function 0049CF8A Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 004BD098: __EH_prolog.LIBCMT ref: 004BD09D

Part of subcall function 004BDD72: EnterCriticalSection.KERNEL32(00541120,?,00000000,?,00000000,004BD0B9,00000010,?,?,00000000,?,?,004BCABB,004BCB1E,004BC39A,004B08EF), ref: 004BDDAD
Part of subcall function 004BDD72: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,004BD0B9,00000010,?,?,00000000,?,?,004BCABB,004BCB1E,004BC39A,004B08EF), ref: 004BDDBF
Part of subcall function 004BDD72: LeaveCriticalSection.KERNEL32(00541120,?,00000000,?,00000000,004BD0B9,00000010,?,?,00000000,?,?,004BCABB,004BCB1E,004BC39A,004B08EF), ref: 004BDDC8
Part of subcall function 004BDD72: EnterCriticalSection.KERNEL32(00000000,00000000,?,00000000,004BD0B9,00000010,?,?,00000000,?,?,004BCABB,004BCB1E,004BC39A,004B08EF), ref: 004BDDDA

#2.ODBC32(00000000,0000000F,004BD8C6,?,?,?,?,0049CB7E,?,?), ref: 0049CFBF

Part of subcall function 004BDDE2: LeaveCriticalSection.KERNEL32(?,004BD0D0,00000010,00000010,?,?,00000000,?,?,004BCABB,004BCB1E,004BC39A,004B08EF), ref: 004BDDFA

#1.ODBC32(00000000,00000000,0000000F,004BD8C6,?,?,?,?,0049CB7E,?,?), ref: 0049CFE0
#50.ODBC32(00000000,00000067,?,0000000F,?,?,?,?,0049CB7E,?,?), ref: 0049D013
#50.ODBC32(00000000,00000065,00000001,00000067), ref: 0049D027
#50.ODBC32(00000000,0000006E,00000001,00000067), ref: 0049D038

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CriticalSection$EnterLeave$H_prologInitialize
String ID:
API String ID: 2329730096-0
Opcode ID: 15be72c5e60787c3b73dbebb57161c00b9ec2491349564dff7919cd2206048e0
Instruction ID: feeee29e12a19a6e6ffd85c546df42975218f2d5cfc3f9a286b5dcea55f1c1e0
Opcode Fuzzy Hash: 15be72c5e60787c3b73dbebb57161c00b9ec2491349564dff7919cd2206048e0
Instruction Fuzzy Hash: 4711A530640304AFEB307FA2CC45FAABBA9EF54B08F10447EF54459592DBB9A8558B68

Function 004747A0 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 004B7375: GetWindowLongA.USER32(00000000,000000F0), ref: 004B7381

GetParent.USER32(?), ref: 004747C4
GetClientRect.USER32(?,?), ref: 004747DD
InvalidateRect.USER32(?,?,00000001,?,?), ref: 0047482C
UpdateWindow.USER32(?), ref: 00474832
InvalidateRect.USER32(?,00000000,00000000), ref: 00474851

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$InvalidateWindow$ClientLongParentUpdate
String ID:
API String ID: 529115757-0
Opcode ID: 0f5242ce0e21262f9e4e1f1ad8588f797b67b98e4607045c93577a855ae46668
Instruction ID: 96b734e3b4c072010653518dfb5efc741ad50b9486de339f85e8ef29569a5d8f
Opcode Fuzzy Hash: 0f5242ce0e21262f9e4e1f1ad8588f797b67b98e4607045c93577a855ae46668
Instruction Fuzzy Hash: 42212CB5604305AFD714DF65C881E6BB7E9EBC8314F00891EF98993350D738E84ACB65

Function 004A02DA Relevance: 7.6, APIs: 5, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 004A02E7
GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 004A0310
GlobalLock.KERNEL32(00000000), ref: 004A033C
#43.ODBC32(?,?,000000FE,?,?,?,?,?,0049B6AE,?,00000000,?,?,?,?,?), ref: 004A035F
GlobalUnlock.KERNEL32(00000000), ref: 004A0389

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Global$Unlock$AllocLock
String ID:
API String ID: 2918905081-0
Opcode ID: 979e22f6f00f446971a9772132ac7c7c40ebca4ad1c2ad07a8424e828427a579
Instruction ID: f5d0a08fe8da6d183406fa8d72075fb2b2a17e3890e5502925dd5037df27d2d7
Opcode Fuzzy Hash: 979e22f6f00f446971a9772132ac7c7c40ebca4ad1c2ad07a8424e828427a579
Instruction Fuzzy Hash: 0E21387610020AEFCF20DF45D948DAA7BB5FF49354B04806AFD599B261C735E8A1CB54

Function 0049CCBE Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

#5.ODBC32(?), ref: 0049CCC1
#16.ODBC32(?,00000001,?), ref: 0049CCCB

Part of subcall function 004A44E2: RaiseException.KERNEL32(?,0040BC52,00000000,?,00000000,00000000,?,0040BC52,000007DD,?,00000000), ref: 004A4510

__EH_prolog.LIBCMT ref: 0049CCDE

Part of subcall function 004BDD72: EnterCriticalSection.KERNEL32(00541120,?,00000000,?,00000000,004BD0B9,00000010,?,?,00000000,?,?,004BCABB,004BCB1E,004BC39A,004B08EF), ref: 004BDDAD
Part of subcall function 004BDD72: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,004BD0B9,00000010,?,?,00000000,?,?,004BCABB,004BCB1E,004BC39A,004B08EF), ref: 004BDDBF
Part of subcall function 004BDD72: LeaveCriticalSection.KERNEL32(00541120,?,00000000,?,00000000,004BD0B9,00000010,?,?,00000000,?,?,004BCABB,004BCB1E,004BC39A,004B08EF), ref: 004BDDC8
Part of subcall function 004BDD72: EnterCriticalSection.KERNEL32(00000000,00000000,?,00000000,004BD0B9,00000010,?,?,00000000,?,?,004BCABB,004BCB1E,004BC39A,004B08EF), ref: 004BDDDA

#9.ODBC32(000000FF,0000000F,0000000F,?,?,?,?,?,00000000,00000000,?,00000001,?), ref: 0049CD33
#14.ODBC32(000000FF,000000FF,0000000F,0000000F,?,?,?,?,?,00000000,00000000,?,00000001,?), ref: 0049CD3B

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CriticalSection$Enter$ExceptionH_prologInitializeLeaveRaise
String ID:
API String ID: 2719870088-0
Opcode ID: ee02f643edce4f0a58207378a37aaca970b54cc0ab71c3aa6552e6993f10d610
Instruction ID: 8eb06ca86c2cfba5f16d598b960f6f0a5f2338981d2d66434a2b69ce4c29d5d4
Opcode Fuzzy Hash: ee02f643edce4f0a58207378a37aaca970b54cc0ab71c3aa6552e6993f10d610
Instruction Fuzzy Hash: DC110670A00701ABCB20AFA6C983B9EBBA5FF54714F10457FF155676A2DBB89C00866C

Function 004154B0 Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B14C0: SendMessageA.USER32(?,0000110C,00000000,00000040), ref: 004B14E1

SendMessageA.USER32(?,0000110A,00000004,?), ref: 004154D5
SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 004154F5
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 00415507
SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 00415515
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 00415527

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 22c8019d56c0e5865c763ae68205132e19b7194963dcfa158f30f3188f3c11e7
Instruction ID: 123364680306bda97016b5859b794aa597931f0ad199951601fc0ec3a0ce6512
Opcode Fuzzy Hash: 22c8019d56c0e5865c763ae68205132e19b7194963dcfa158f30f3188f3c11e7
Instruction Fuzzy Hash: 0E01A7B2740B017AE634A6669CC1FE792AE9FD4B95F00051AF701D72C0CAE8EC424674

Function 004B56A5 Relevance: 7.6, APIs: 5, Instructions: 52stringregistryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B56AA
GetClassInfoA.USER32(?,?,?), ref: 004B56C5
RegisterClassA.USER32(?), ref: 004B56D0
lstrcatA.KERNEL32(00000034,?,00000001), ref: 004B5707
lstrcatA.KERNEL32(00000034,?), ref: 004B5715

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Classlstrcat$H_prologInfoRegister
String ID:
API String ID: 106226465-0
Opcode ID: a7c1a7eef79b3b4006a6e2bfb76ff3f19934d195e96983f8eb8584a420720aa1
Instruction ID: 58763541e6671742e42474c75c42aad46b006ab661248ba4e76126de96d24f11
Opcode Fuzzy Hash: a7c1a7eef79b3b4006a6e2bfb76ff3f19934d195e96983f8eb8584a420720aa1
Instruction Fuzzy Hash: DD11E535A00648BFCB10AFA49C41BDEBBBCEF19754F00855FF415A7291D7B9AA008679

Function 004A655A Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000035,0000001D,004A38CE,004A7B92,004AE259,0000001D,?,00000000,?), ref: 004A655C
TlsGetValue.KERNEL32(?,00000000,?), ref: 004A656A
SetLastError.KERNEL32(00000000,?,00000000,?), ref: 004A65B6

Part of subcall function 004A3C7E: HeapAlloc.KERNEL32(00000008,004A657F,00000000,00000000,00000008,004D7428,000000FF,?,004A657F,00000001,00000074,?,00000000,?), ref: 004A3D74

TlsSetValue.KERNEL32(00000000,?,00000000,?), ref: 004A658E
GetCurrentThreadId.KERNEL32 ref: 004A659F

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: cdff26fe59eae4da86041311e1c4de6c3c015d65568d6422b5c84678ed7ee1b4
Instruction ID: 8e52322e3bbf5d744de7d5703c16dc75263e2722027dddebed6c156c6cfee74a
Opcode Fuzzy Hash: cdff26fe59eae4da86041311e1c4de6c3c015d65568d6422b5c84678ed7ee1b4
Instruction Fuzzy Hash: 8CF0BB32D015226BC7352F75BC0DE1E3B54DF22772715063AFA419A2B0DF6899818B9D

Function 004BCC60 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(00000000,?,?,004BD152,00000000,00000001), ref: 004BCC6C
GlobalHandle.KERNEL32(00672618), ref: 004BCC94
GlobalUnlock.KERNEL32(00000000), ref: 004BCC9D
GlobalFree.KERNEL32(00000000), ref: 004BCCA4
DeleteCriticalSection.KERNEL32(00540F78,?,?,004BD152,00000000,00000001), ref: 004BCCAE

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Global$Free$CriticalDeleteHandleSectionUnlock
String ID:
API String ID: 2159622880-0
Opcode ID: 7547c9e25e28889539e586c80cfe60793cbcdfc3526f91691ab54d1c1e9c0619
Instruction ID: f1658b0b2ebe6f214a5d5f9f04d604703ecf7601a01c56f7f05ec0b33a2b5407
Opcode Fuzzy Hash: 7547c9e25e28889539e586c80cfe60793cbcdfc3526f91691ab54d1c1e9c0619
Instruction Fuzzy Hash: D6F054312009009BD7605B39AD8CE6F7ABDAF95751715051BF815D73A1CFA8EC414678

Function 0047E9C0 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 431COMMON

Download Yara Rule

APIs

CreateFontIndirectA.GDI32(?), ref: 0047EC60
GetTextMetricsA.GDI32(?,?), ref: 0047ECBA

Strings

body, xrefs: 0047EBB7
table, xrefs: 0047ED15

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CreateFontIndirectMetricsText
String ID: body$table
API String ID: 3217853150-874903180
Opcode ID: 8ae3a8aae67b6b955fdef22cdba5dc83910017f04aa8cd3bc174a1b5c17d3c09
Instruction ID: 7c0131f9f2efb002aa4252f0fc35707518b3e5ebda19306eee87e1c4446dbcb5
Opcode Fuzzy Hash: 8ae3a8aae67b6b955fdef22cdba5dc83910017f04aa8cd3bc174a1b5c17d3c09
Instruction Fuzzy Hash: 960238716083458FC764DF29C880A9EBBE5BFC8704F048A5EF88997341DB74E945CBA6

Function 004B8EBF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 004B8EDB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 004B8F2E
GlobalUnlock.KERNEL32(?), ref: 004B8FC5

Strings

System, xrefs: 004B8EC5

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Global$ByteCharLockMultiUnlockWide
String ID: System
API String ID: 231414890-3470857405
Opcode ID: 2257e8213cbce7e905c681efd4133886fbdd04e61e3b45538e69e0542814f4b2
Instruction ID: 935506bae3b058fdcba117118987e6d7a66b3f63762d82b794f40b73c2e20d21
Opcode Fuzzy Hash: 2257e8213cbce7e905c681efd4133886fbdd04e61e3b45538e69e0542814f4b2
Instruction Fuzzy Hash: E641C831800215EFDB14DFA8C8819FEBBB9FF50354F14816EE8159B254D778AA46CB58

Function 004BD55D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 004BD569
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 004BD618
LoadBitmapA.USER32(00000000,00007FE3), ref: 004BD630

Strings

, xrefs: 004BD578

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: c81715cb5572127291e23600a8930c32aca2b5dfcc6352039f5a21795d17b593
Instruction ID: fc4bb134544aab57203db352abe0036bd703fa1366a01db9191d4c6cadf3e811
Opcode Fuzzy Hash: c81715cb5572127291e23600a8930c32aca2b5dfcc6352039f5a21795d17b593
Instruction Fuzzy Hash: 94214C71E00315BFDB20CB7CDC89BEE7BB5EB84318F0541A6F509EB281D6749A858B54

Function 0049E655 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

#44.ODBC32(?,0000003B,?), ref: 0049E66B
#45.ODBC32(?,0000000A,?,0000001E,?), ref: 0049E6B0

Strings

0, xrefs: 0049E6CD
2, xrefs: 0049E6D3

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID: 0$2
API String ID: 0-3793063076
Opcode ID: c52e38222d2d0709cf053c72c0c2ce15aa8234ef4bf00a586c7182c28ffc7ac8
Instruction ID: d72cd59acfa723c0261fea22675bf0e47f165298901efbde957f7acd6cc374f5
Opcode Fuzzy Hash: c52e38222d2d0709cf053c72c0c2ce15aa8234ef4bf00a586c7182c28ffc7ac8
Instruction Fuzzy Hash: 6A119331700604AFDB21DB5AC849F9EBBF8AF68B04F10006EF542D72A1D764ED45CB54

Function 00471190 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00471199
ScreenToClient.USER32(?,?), ref: 004711B4
PostMessageA.USER32(?,00000401,00000000,00000000), ref: 004711F9

Strings

@, xrefs: 004711E6

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ClientCursorMessagePostScreen
String ID: @
API String ID: 4019823077-2766056989
Opcode ID: 3ac508ba36e5e30f779a965b66451e38a505257de163485112d7b0b4665ac750
Instruction ID: f328869ba933e3cd193e1ec29674801652b4d3635bd0ce08eda519ebe6162630
Opcode Fuzzy Hash: 3ac508ba36e5e30f779a965b66451e38a505257de163485112d7b0b4665ac750
Instruction Fuzzy Hash: 23F06275604301BFDA20DB28D945A9F77B9EB84710F40C91DF54997250D774E809879A

Function 004AED74 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0054181C), ref: 004AED80
InterlockedDecrement.KERNEL32(0054181C), ref: 004AED97

Part of subcall function 004A8DF4: InitializeCriticalSection.KERNEL32(00000000,?,?,?,004A2ACD,00000009,?,?,00000000), ref: 004A8E31
Part of subcall function 004A8DF4: EnterCriticalSection.KERNEL32(?,?,?,004A2ACD,00000009,?,?,00000000), ref: 004A8E4C

InterlockedDecrement.KERNEL32(0054181C), ref: 004AEDC7

Strings

y<J, xrefs: 004AED74

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Interlocked$CriticalDecrementSection$EnterIncrementInitialize
String ID: y<J
API String ID: 2038102319-1100700604
Opcode ID: 44870862216e384f7d601753c4b66b81f52349a35af2bcfb403bc59da37e005c
Instruction ID: fd82ec582edbeb8a3ffc4e410d387ec45ea2639bdca7b16b594e7f9bc16efee9
Opcode Fuzzy Hash: 44870862216e384f7d601753c4b66b81f52349a35af2bcfb403bc59da37e005c
Instruction Fuzzy Hash: 39F0243210020AAFDB102F92EC81DCF3B9CEFA2728F00003FF51049141CB7599419A99

Function 004BA5C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 004BA5D1
GetClassNameA.USER32(00000000,?,0000000A), ref: 004BA5EC
lstrcmpiA.KERNEL32(?,combobox), ref: 004BA5FB

Strings

combobox, xrefs: 004BA5F5

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: 50bc4ad4ac343871e242e1614912299fcc7ceb97d75d2df5aace3828f1543af4
Instruction ID: 803a9b1e64579b6009906c7ef369984f99145554e02841ab51ee884b7747a105
Opcode Fuzzy Hash: 50bc4ad4ac343871e242e1614912299fcc7ceb97d75d2df5aace3828f1543af4
Instruction Fuzzy Hash: 97E0E531544208BBCF115F60CC49E9D3BA8EB10301F108222B412D50E0D674E699C759

Function 004A696F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,004A11DE), ref: 004A6974
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004A6984

Strings

KERNEL32, xrefs: 004A696F
IsProcessorFeaturePresent, xrefs: 004A697E

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: a44f414c444b233ba856e95ab821817c0f7e4e249bc40f9d47b71477ef33ec90
Instruction ID: 5574e170e8bdf0aa947953687974ddc5212d9709bb9e4f7852971c9831c7b04d
Opcode Fuzzy Hash: a44f414c444b233ba856e95ab821817c0f7e4e249bc40f9d47b71477ef33ec90
Instruction Fuzzy Hash: BDC012A1388340AAEA502FB5AC29F1F214C5BA1F82F19003B7C09D03B0EEA8E140A02D

Function 004A400C Relevance: 6.5, APIs: 5, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736f3ad24199851e98604d3ba23cc1835491bbbd46d547f36e7102c9d78c21c0
Instruction ID: 02dbad736ccb83c05be2c5b7ba50482302673f1806bd0c6ae14db386bf7b1080
Opcode Fuzzy Hash: 736f3ad24199851e98604d3ba23cc1835491bbbd46d547f36e7102c9d78c21c0
Instruction Fuzzy Hash: ED911772D00614AACF21ABA9DC40ADF7BB4EBF73A4F240117F814A6291D7B94D80D76D

Function 004AAADC Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,004FF2B0,004FF2B0,?,?,004AAFA8,?,00000010,00000000,00000009,00000009,?,004A2C21,00000010,?), ref: 004AAAFD
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,004AAFA8,?,00000010,00000000,00000009,00000009,?,004A2C21,00000010,?), ref: 004AAB21
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,004AAFA8,?,00000010,00000000,00000009,00000009,?,004A2C21,00000010,?), ref: 004AAB3B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004AAFA8,?,00000010,00000000,00000009,00000009,?,004A2C21,00000010,?,?), ref: 004AABFC
HeapFree.KERNEL32(00000000,00000000,?,?,004AAFA8,?,00000010,00000000,00000009,00000009,?,004A2C21,00000010,?,?,00000000), ref: 004AAC13

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 74937ba6cf4e9638f5da875f7ef6f011994a6a5e90baa7a48c262c2c6dedc76f
Instruction ID: 767f9f8466a85a8b462f7a3ecc7f92cfaf904db40f93acab87935f31a08d73d5
Opcode Fuzzy Hash: 74937ba6cf4e9638f5da875f7ef6f011994a6a5e90baa7a48c262c2c6dedc76f
Instruction Fuzzy Hash: 453153756007029FD321CF28EC80B26B7E0EB66764F11813BE615973E0E779A864CB5D

Function 0048DB50 Relevance: 6.3, APIs: 4, Instructions: 302COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 0048DB63
CreateSolidBrush.GDI32(?), ref: 0048DE3C
FillRect.USER32(?,?,00000000), ref: 0048DE4B
DeleteObject.GDI32(00000000), ref: 0048DE56

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$BrushCopyCreateDeleteFillObjectSolid
String ID:
API String ID: 415556179-0
Opcode ID: aa428124a66347f4222ac10fde10d2c43a1de1dc8f8575e23dd71ecacba8086a
Instruction ID: 0f4f06f92dce5097fdb49a32bcfd936beedbbd00a5e8352162ecc5845afca760
Opcode Fuzzy Hash: aa428124a66347f4222ac10fde10d2c43a1de1dc8f8575e23dd71ecacba8086a
Instruction Fuzzy Hash: 6BB13875604305AFC344EF2DC98192BFBE9FBC8710F44896EF99887356D671E8058BA2

Function 00432C40 Relevance: 6.2, APIs: 4, Instructions: 246COMMON

Download Yara Rule

APIs

midiStreamOpen.WINMM(?,?,00000001,00433270,?,00030000,?,?,?,00000000), ref: 00432C6B
midiStreamProperty.WINMM ref: 00432D52
midiOutPrepareHeader.WINMM(?,?,00000040,00000001,?,?,?,?,00000000), ref: 00432EA0

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: midi$Stream$HeaderOpenPrepareProperty
String ID:
API String ID: 2061886437-0
Opcode ID: 3649facf4ad2b6d39f7edc890421f6adbb9b5c1d8baec89624e5cc1941263533
Instruction ID: 0e27d2233447e2dbc32f56b8643629c0733586a90a21644b4c58d974d8571931
Opcode Fuzzy Hash: 3649facf4ad2b6d39f7edc890421f6adbb9b5c1d8baec89624e5cc1941263533
Instruction Fuzzy Hash: 39A18F712006058FD724DF28D990BAAB7F6FB88304F50892EE686C7750EB79F959CB44

Function 00430D80 Relevance: 6.2, APIs: 4, Instructions: 211windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9C33: __EH_prolog.LIBCMT ref: 004B9C38
Part of subcall function 004B9C33: BeginPaint.USER32(?,?,?,?,0047CAE2), ref: 004B9C61

GetClientRect.USER32(?,?), ref: 00430E26
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00430E7B
__ftol.LIBCMT ref: 00430F60
__ftol.LIBCMT ref: 00430F6D

Part of subcall function 00497F10: GetClientRect.USER32(?,?), ref: 00497F37
Part of subcall function 00497F10: __ftol.LIBCMT ref: 0049800E
Part of subcall function 00497F10: __ftol.LIBCMT ref: 00498021

Part of subcall function 004B9834: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004B9858
Part of subcall function 004B9834: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004B986E

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect__ftol$ClientClipExclude$BeginH_prologPaint
String ID:
API String ID: 3882505602-0
Opcode ID: 7079af85d2103976bdf1f5ee2adb0f5520afc52956d7d7e48526e837b591f892
Instruction ID: d3c21798d5af4548890b0db6e5f181330897d8ae439cf5f4b04e7e2239ff027d
Opcode Fuzzy Hash: 7079af85d2103976bdf1f5ee2adb0f5520afc52956d7d7e48526e837b591f892
Instruction Fuzzy Hash: 02719EB16087019FC324DF29C990A6BBBF5FBD8700F148A2EF59583291EB74EC458B56

Function 00490D60 Relevance: 6.2, APIs: 4, Instructions: 191COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,000000FF,00000064), ref: 00490E2A
MulDiv.KERNEL32(00000000,000000FF,000000FF), ref: 00490F38
MulDiv.KERNEL32(00000000,000000FF,000000FF), ref: 00490F54
MulDiv.KERNEL32(?,000000FF,000000FF), ref: 00490F71

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84bbebdcdf0666dcbf75ce9c9ddbcbe855cdfc676e4aeb02fbae0a92b4252704
Instruction ID: 5ce244ba0ef5aa29505b8ec2204983a8e3a707421626503cd335855227d6637c
Opcode Fuzzy Hash: 84bbebdcdf0666dcbf75ce9c9ddbcbe855cdfc676e4aeb02fbae0a92b4252704
Instruction Fuzzy Hash: F4618A326093829FCB64CF29C990A2BBBE2AFC9744F59593EF9C5C7305D674E8018B45

Function 00479380 Relevance: 6.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 004793E2
ClientToScreen.USER32(?,?), ref: 00479487
ScreenToClient.USER32(?,?), ref: 00479497
PtInRect.USER32(?,004D6EB0,?), ref: 00479567

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ClientRectScreen$Empty
String ID:
API String ID: 107485975-0
Opcode ID: 9013a9e687f2c06344ef560d0999bc97fd55cf9c3b613c2a7909dea7af50ef8a
Instruction ID: 3946788d6e1730236ac9dc1a31d2eae0f1b7ea893984bf0dcc190de179e047a8
Opcode Fuzzy Hash: 9013a9e687f2c06344ef560d0999bc97fd55cf9c3b613c2a7909dea7af50ef8a
Instruction Fuzzy Hash: A371D2B5604A029FC328CF19C590896FBF5FF883107148A6EE88A87B15D730F856CFA5

Function 004AC358 Relevance: 6.2, APIs: 4, Instructions: 170fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(000001D0,000001D0,00000000,000001D0,00000000,00000000,00000000,00000000), ref: 004AC3D2
GetLastError.KERNEL32 ref: 004AC3DC
ReadFile.KERNEL32(?,?,00000001,000001D0,00000000), ref: 004AC4A2
GetLastError.KERNEL32 ref: 004AC4AC

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 7b47484eabaf26a545941181509cea9963878be68cf42971751faae13bf27c0d
Instruction ID: 1262f77ddf2d9ea871ebb27b3a45ecf93edfc046054755df271fd3c78aaf6517
Opcode Fuzzy Hash: 7b47484eabaf26a545941181509cea9963878be68cf42971751faae13bf27c0d
Instruction Fuzzy Hash: 6651B330A04395AFDF618F58C8C4BAA7BE0AF27304F54419BE8529B251D378A946CB5E

Function 00415CF0 Relevance: 6.2, APIs: 4, Instructions: 169windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9C33: __EH_prolog.LIBCMT ref: 004B9C38
Part of subcall function 004B9C33: BeginPaint.USER32(?,?,?,?,0047CAE2), ref: 004B9C61

Part of subcall function 004B97E4: GetClipBox.GDI32(?,?), ref: 004B97EB

IsRectEmpty.USER32(?), ref: 00415D36
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00415DBD
GetCurrentObject.GDI32(?,00000006), ref: 00415E4A
GetClientRect.USER32(?,?), ref: 00415EBC

Part of subcall function 004B9CA5: __EH_prolog.LIBCMT ref: 004B9CAA
Part of subcall function 004B9CA5: EndPaint.USER32(?,?,?,?,0047CC71,?,?), ref: 004B9CC7

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: H_prologPaintRect$BeginClientClipCurrentEmptyObject
String ID:
API String ID: 3717962522-0
Opcode ID: f6ae2db20dd5347167f1e758b5e1fb7da84cad3178e61ed03c539d8e72256749
Instruction ID: fc10ef654570e940c6b869d0d48e920eb6a8ec4fccecbfbd562ac0c26df4a9ee
Opcode Fuzzy Hash: f6ae2db20dd5347167f1e758b5e1fb7da84cad3178e61ed03c539d8e72256749
Instruction Fuzzy Hash: 4C616871508740DFD324DF25C885FEBBBE8ABD8314F40491EF59A83291DB38A949CB66

Function 00444FC0 Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00444FFE
GetDC.USER32(?), ref: 00445162
ReleaseDC.USER32(?,?), ref: 00445186
DeleteObject.GDI32(?), ref: 004451B8

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: DeleteObject$Release
String ID:
API String ID: 2600533906-0
Opcode ID: 0e1472b44a84278aca2cbc55ae19bb1079e5794dfb2dad05a69421311a5d6c67
Instruction ID: d8919bb438b51ec92f8af509003616cfc894b4399104c9b286c2c9dd5ede169e
Opcode Fuzzy Hash: 0e1472b44a84278aca2cbc55ae19bb1079e5794dfb2dad05a69421311a5d6c67
Instruction Fuzzy Hash: 3E514EB5A006449BEF14DF28D880B9A77E5BF94300F18817AEC49CF30BDB799949CB65

Function 00470A10 Relevance: 6.2, APIs: 4, Instructions: 161windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000102B,?,?), ref: 00470B2E

Part of subcall function 004B11C3: SendMessageA.USER32(?,0000102E,?,?), ref: 004B11E4

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 63284b617a6d8b5fe06326698cd1f355a271a826ff3c6248d3385d2918b0cb0e
Instruction ID: b1e4db03db14a0177766539b4460233263417d4833a99bec9f3b48e8d75d6288
Opcode Fuzzy Hash: 63284b617a6d8b5fe06326698cd1f355a271a826ff3c6248d3385d2918b0cb0e
Instruction Fuzzy Hash: E75190717017019BD724DF16CC41BABB3E4EB88764F40892EF94A97380D278F9458B99

Function 0041E640 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0041E6B4
GetParent.USER32(?), ref: 0041E704
IsWindow.USER32(?), ref: 0041E724
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 0041E79F

Part of subcall function 004B74DD: ShowWindow.USER32(00000000,?,00477FC1,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00477C1A), ref: 004B74EB

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$ParentShow
String ID:
API String ID: 2052805569-0
Opcode ID: 34560676b5981a7d939022c0f6c7e4c6a86d394b5d68ec8972b650b9c379f9b6
Instruction ID: 0b4659019bba80fdd07cf3b6083a55c585456ba252c20737f174dc8f6fef9156
Opcode Fuzzy Hash: 34560676b5981a7d939022c0f6c7e4c6a86d394b5d68ec8972b650b9c379f9b6
Instruction Fuzzy Hash: C541A1796003116BD720DE668C81FEBB394AB44754F04452EFD249B3C1DB78ED858BA9

Function 004AC168 Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 004AC22F

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: fcc64c078d2cf2e5278cd190ae15783f1de521c9dcb578eea6b1b557dde23b64
Instruction ID: 6b70c1ea33afbaab39edc531b06eb7671ed3091f84b7b75aa48a2cdf66c05092
Opcode Fuzzy Hash: fcc64c078d2cf2e5278cd190ae15783f1de521c9dcb578eea6b1b557dde23b64
Instruction Fuzzy Hash: 53519032A00108EFDB51DFA9C884B9E7BF4FF66340F2081ABF8159B255D7389A40DB59

Function 00494610 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 0049466B
__ftol.LIBCMT ref: 00494682
__ftol.LIBCMT ref: 00494711
__ftol.LIBCMT ref: 0049471A

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: __ftol
String ID:
API String ID: 495808979-0
Opcode ID: 2aba9fb57e1a06c8c7464c33f1b568155a0ea16ac4afdbb5acdeb345043da5d2
Instruction ID: c34eadd76c53fbb8220dc513d4317a1d6f4d6204632c4b293456eed5345df904
Opcode Fuzzy Hash: 2aba9fb57e1a06c8c7464c33f1b568155a0ea16ac4afdbb5acdeb345043da5d2
Instruction Fuzzy Hash: D84159752042058BCB14DE65C490E2BBBEAEFD5310F588A6EE999CB310D738EC46CB65

Function 0043CE20 Relevance: 6.1, APIs: 4, Instructions: 108windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0043CE94
SendMessageA.USER32(?,000000B1,?,000000FF), ref: 0043CEED
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0043CEFC
SendMessageA.USER32(?,000000C2,00000000,?), ref: 0043CF2A

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend$Window
String ID:
API String ID: 2326795674-0
Opcode ID: d3e83e9d0df292c391d15daa1332fadd6638187cda63af4fe35fe15a6efaa78b
Instruction ID: 34dd02843dbbcaa50ac1ce6532544490b94d8205354dc6009ec4ec0e94199b75
Opcode Fuzzy Hash: d3e83e9d0df292c391d15daa1332fadd6638187cda63af4fe35fe15a6efaa78b
Instruction Fuzzy Hash: AA41E3722487419FE320DB19C881F5BB7E4EB98710F448A1EF5A5973C1C338D404CB96

Function 00491E10 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 00491E63
IntersectRect.USER32(?,?,?), ref: 00491E9D
IsRectEmpty.USER32(?), ref: 00491EC8
EqualRect.USER32(?,?), ref: 00491EE7

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Rect$EmptyEqualIntersect
String ID:
API String ID: 3431771147-0
Opcode ID: 62910c3795e173758d256bc60e8cb0f1ee2cefad46c05ea7cdb9cebfa2738bf5
Instruction ID: 92de2ecb3472bfcc46482bcc130ea3147cbf918fd8f3ef043c6233e1325fc580
Opcode Fuzzy Hash: 62910c3795e173758d256bc60e8cb0f1ee2cefad46c05ea7cdb9cebfa2738bf5
Instruction Fuzzy Hash: FD31E7B66083419F9704CF59D880A6BBBE9FBC8750F04892EF896C3310D774E9098B66

Function 00450DF0 Relevance: 6.1, APIs: 4, Instructions: 100windowCOMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(?), ref: 00450E7A
SendMessageA.USER32(?,00000030,00000000,00000000), ref: 00450EBE
SendMessageA.USER32(?,000000B1,?,000000FF), ref: 00450EF4
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00450F03

Part of subcall function 004B740B: SetWindowTextA.USER32(?,0042AFBA), ref: 004B7419

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend$BrushCreateSolidTextWindow
String ID:
API String ID: 3501373727-0
Opcode ID: c43c7c2b96999743615a7c7a26d5d8afb2dd188cafe1649fc60ee97a71e61efb
Instruction ID: 4c49efa5bae256c0fc5131025001276b80a2cecc7fca3821437989fb3c9ab33c
Opcode Fuzzy Hash: c43c7c2b96999743615a7c7a26d5d8afb2dd188cafe1649fc60ee97a71e61efb
Instruction Fuzzy Hash: BC315875204700AFC324DF19C851B2AF7E5FB88B14F108A1EF95687791CBB8E800CB99

Function 00471810 Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00471825
SendMessageA.USER32(?,00000419,?,00000000), ref: 0047185C
SendMessageA.USER32(?,00000433,?,?), ref: 004718C2
ClientToScreen.USER32(?,?), ref: 004718EE

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend$ClientScreenWindow
String ID:
API String ID: 4074774880-0
Opcode ID: 5417572f7a7014203a0572e513ac5baa08125328fb491120ac8e297031696d66
Instruction ID: 16d874fb6bb81017829509f9c0b946c816500d8345b9009ca7d351505165e5a7
Opcode Fuzzy Hash: 5417572f7a7014203a0572e513ac5baa08125328fb491120ac8e297031696d66
Instruction Fuzzy Hash: F93149F56083019FD324CF29D890A5FB7E8EB88754F00992EFA9987350D774E805CB6A

Function 004BAC9B Relevance: 6.1, APIs: 4, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004BAE13: GetParent.USER32(?), ref: 004BAE46
Part of subcall function 004BAE13: GetLastActivePopup.USER32(?), ref: 004BAE55
Part of subcall function 004BAE13: IsWindowEnabled.USER32(?), ref: 004BAE6A
Part of subcall function 004BAE13: EnableWindow.USER32(?,00000000), ref: 004BAE7D

SendMessageA.USER32(?,00000376,00000000,00000000), ref: 004BACD1
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 004BAD3F
MessageBoxA.USER32(00000000,?,?,00000000), ref: 004BAD4D
EnableWindow.USER32(00000000,00000001), ref: 004BAD69

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 1958756768-0
Opcode ID: 75059275bce9ba77119fc0ed20decdd837dc86a64ee4f9ac38f7997ad6814a49
Instruction ID: b40211a541219f82e3f45df5aaa6919a8bacce9f3d8a58915edbb44ccc50ce48
Opcode Fuzzy Hash: 75059275bce9ba77119fc0ed20decdd837dc86a64ee4f9ac38f7997ad6814a49
Instruction Fuzzy Hash: AA21A272A00208AFDB209F64CCC5BEEBBBAFB04305F14042AF614E7240D7759D649B76

Function 004195B0 Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

GetMessagePos.USER32 ref: 00419648
ScreenToClient.USER32(?,?), ref: 0041966A
ChildWindowFromPointEx.USER32(?,?,?,00000005), ref: 00419680
GetFocus.USER32 ref: 0041968B

Part of subcall function 004B7546: SetFocus.USER32(?,004BB89D), ref: 004B7550

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Focus$ChildClientFromMessagePointScreenWindow
String ID:
API String ID: 3117237277-0
Opcode ID: c702fc284acd8e5d790e57e1e8093b5a2a319749c460364676b50ee9770effc9
Instruction ID: 4e274363ad8b94fcceed48679bbb4fa71d91e7b68a35ab366dbfdc01c23b43a2
Opcode Fuzzy Hash: c702fc284acd8e5d790e57e1e8093b5a2a319749c460364676b50ee9770effc9
Instruction Fuzzy Hash: B52193313046026BD215DB24CC51FAFB3A9AFC4704F14852EF94987245DB39F991CBA9

Function 004A1083 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 004A10A9

Part of subcall function 004A6736: HeapCreate.KERNELBASE(00000000,00001000,00000000,004A10E1,00000001), ref: 004A6747
Part of subcall function 004A6736: HeapDestroy.KERNEL32 ref: 004A6786

GetCommandLineA.KERNEL32 ref: 004A1109
GetStartupInfoA.KERNEL32(?), ref: 004A1134
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004A1157

Part of subcall function 004A11B0: ExitProcess.KERNEL32 ref: 004A11CD

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 296e363cbac655da4e56023e4cdf8d01555092a3772a67649d6afca569240dbe
Instruction ID: fdaf61d71aa947394cb4e0433c6e001c3022d02cd3999b530ded7374f0598af1
Opcode Fuzzy Hash: 296e363cbac655da4e56023e4cdf8d01555092a3772a67649d6afca569240dbe
Instruction Fuzzy Hash: 9E21D8B1940B049FDB04AFB5DD06AAE77B4EF26708F10052FF9019A2A1DB7C4880CB5C

Function 00451670 Relevance: 6.1, APIs: 4, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000002D), ref: 00451699
SystemParametersInfoA.USER32 ref: 004516F3
CreateFontIndirectA.GDI32(?), ref: 00451701
CreatePalette.GDI32(00000300), ref: 00451759

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CreateSystem$FontIndirectInfoMetricsPaletteParameters
String ID:
API String ID: 934993634-0
Opcode ID: 674ff91644024d60f365af70e1cf670e86f4ffb434b5daa28727035412e5d966
Instruction ID: 74ee7cf36e0e976bbdfd496087f93381e04a8050ba07e9c061182ad0aa0be953
Opcode Fuzzy Hash: 674ff91644024d60f365af70e1cf670e86f4ffb434b5daa28727035412e5d966
Instruction Fuzzy Hash: 24318074505B408FD320CF29C488ADBFBF5FF84304F44896EE59A8B661D775A448CB55

Function 00419EC0 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

StartPage.GDI32(?), ref: 00419F05
EndPage.GDI32(?), ref: 00419F2B

Part of subcall function 00428A60: wsprintfA.USER32 ref: 00428A6F

Part of subcall function 004B740B: SetWindowTextA.USER32(?,0042AFBA), ref: 004B7419

UpdateWindow.USER32(?), ref: 00419F7A
EndPage.GDI32(?), ref: 00419F92

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Page$Window$StartTextUpdatewsprintf
String ID:
API String ID: 104827578-0
Opcode ID: c17bc8c03ebfacaab659e81774c8b22466a64d56636f02ee2338bd5246da53b9
Instruction ID: b9ede4e6a3204b10520fbd69099d35c070e741f4fb00ad44c302b6107a44e0aa
Opcode Fuzzy Hash: c17bc8c03ebfacaab659e81774c8b22466a64d56636f02ee2338bd5246da53b9
Instruction Fuzzy Hash: 8F214171602B00ABC3249B39DC98BDBB7E4EFC4701F54482EF49FC6214DA35A886CB59

Function 00410940 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetParent.USER32(000000D0), ref: 0041096C
GetParent.USER32(?), ref: 00410981
SetParent.USER32(?,?), ref: 0041099F
GetWindowRect.USER32(?,?), ref: 004109B4

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Parent$RectWindow
String ID:
API String ID: 2276825053-0
Opcode ID: d5102f975183dac7c26403bbf50da0a648ee07e470d661e33191e648693f5cb5
Instruction ID: eaf677af3ab9ca7771b315afd8ff3f84331d4166eab931813de93d467d2e2d93
Opcode Fuzzy Hash: d5102f975183dac7c26403bbf50da0a648ee07e470d661e33191e648693f5cb5
Instruction Fuzzy Hash: BA116DB12047459FE724EF79C884EABB7ADEBC4210F444A1EF99583302DA78EC858774

Function 0049CBB0 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0049CD74: __EH_prolog.LIBCMT ref: 0049CD79
Part of subcall function 0049CD74: #15.ODBC32(?,0000000F,004BD8C6,?,00000001,?,?,0049CA2A,00000000,?,0049900B,00000000,00000000), ref: 0049CDB9

Part of subcall function 004A44E2: RaiseException.KERNEL32(?,0040BC52,00000000,?,00000000,00000000,?,0040BC52,000007DD,?,00000000), ref: 004A4510

__EH_prolog.LIBCMT ref: 0049CBC6
#3.ODBC32(00000002,?,?,?,00000000), ref: 0049CBDD
#11.ODBC32(?,?,000000FD,?,00000000,?,00000002,?,?,?,00000000), ref: 0049CC1F
#16.ODBC32(?,00000001,?,00000000,?,?,?,?,?,00000000,?,?,?,000000FD,?,00000000), ref: 0049CCA8

Part of subcall function 0049C622: __EH_prolog.LIBCMT ref: 0049C627

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: H_prolog$ExceptionRaise
String ID:
API String ID: 2062786585-0
Opcode ID: 9ea29538116ab0066806927f0f314329eae0a06aa2744a9ce1e2d76b9707ba69
Instruction ID: ff9f213f42aab46f854f5847926bee3f53f2571c6b813055a4398404c28eb94f
Opcode Fuzzy Hash: 9ea29538116ab0066806927f0f314329eae0a06aa2744a9ce1e2d76b9707ba69
Instruction Fuzzy Hash: 9C118171900105AFDF21ABA1CE46EBFBF75EF95714F20012AF501761A1DB394E01DA6A

Function 004AE41D Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 004AE44C
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 004AE45F
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 004AE4AB
CompareStringW.KERNEL32(00460576,00000000,00000000,00000000,?,00000000,?,00000000), ref: 004AE4C3

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 49ca854a898e709022cb3a9c61e65a927f3e0051577118b208c947545e046aca
Instruction ID: ae45ed7d754a8e13d5c126fa6a40f0ca5532e0f7ba8a7fe5ce157765a5861421
Opcode Fuzzy Hash: 49ca854a898e709022cb3a9c61e65a927f3e0051577118b208c947545e046aca
Instruction Fuzzy Hash: E2212932900209EBCF218F96CD419DEBFB5FF49350F10466AFA2572160C3369962EBA4

Function 00475400 Relevance: 6.1, APIs: 4, Instructions: 63windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000001,00000030,?,00000001), ref: 0047545D
SendMessageA.USER32(00000001,00000030,?,00000001), ref: 00475476
GetStockObject.GDI32(00000011), ref: 00475481
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 00475494

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend$ObjectStock
String ID:
API String ID: 1309931672-0
Opcode ID: 1261f425ed48458f87a23139e7da44e1537e69d76916b160a399221d7326c9d3
Instruction ID: eac20a44420754cf94ab6e5527f31f9c868263d7f2d5abfb68bdae059966ae61
Opcode Fuzzy Hash: 1261f425ed48458f87a23139e7da44e1537e69d76916b160a399221d7326c9d3
Instruction Fuzzy Hash: 71116036301A10ABD654DF55E844FDB73A9EFC8B11F45841EF6099B290C7B4EC82CBA5

Function 0040DF60 Relevance: 6.1, APIs: 4, Instructions: 63windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000030,?,00000001), ref: 0040DFBD
SendMessageA.USER32(?,00000030,?,00000001), ref: 0040DFD6
GetStockObject.GDI32(00000011), ref: 0040DFE1
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 0040DFF4

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend$ObjectStock
String ID:
API String ID: 1309931672-0
Opcode ID: 4335074b3b62f5bd5d0aef3350d683f02025a599665ff569fb991f110c968b05
Instruction ID: 45e8e54fe5440bfae7f3c12f069dabb20f4a46fadd6e18fb45750c39bf4ed049
Opcode Fuzzy Hash: 4335074b3b62f5bd5d0aef3350d683f02025a599665ff569fb991f110c968b05
Instruction Fuzzy Hash: 1E116036701611AFD754DF55E844F9BB3A9AF88711F04882EF6069B380C7B4EC45CBA5

Function 0041CC00 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 0041CC0D

Part of subcall function 0041CA40: IsChild.USER32(?,?), ref: 0041CABD
Part of subcall function 0041CA40: GetParent.USER32(?), ref: 0041CAD7

SendMessageA.USER32(00000000,000000F0,00000000,00000000), ref: 0041CC66
SendMessageA.USER32(00000000,000000F1,00000000,00000000), ref: 0041CC76
GetWindow.USER32(00000000,00000002), ref: 0041CC7B

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSendWindow$ChildParent
String ID:
API String ID: 1043810220-0
Opcode ID: f646fd580d22edf345b82a8d4a3a900da140968d67f93ce37935712659c19a6e
Instruction ID: 13d3ac64548caa0eea71ce893da4fe65ebc577aedb5c43ee193414cc755a32da
Opcode Fuzzy Hash: f646fd580d22edf345b82a8d4a3a900da140968d67f93ce37935712659c19a6e
Instruction Fuzzy Hash: 810171313C171276E23156299DD6FAB725C9F52B50F140226F704BB2D0EF98FC8082AD

Function 00442140 Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0044215B
SendMessageA.USER32(?,000083EB,?,00000000), ref: 00442185
SendMessageA.USER32(?,000083EC,?,00000000), ref: 00442199
SendMessageA.USER32(?,000083E9,?,00000000), ref: 004421BC

Part of subcall function 004B7432: GetDlgCtrlID.USER32(00000000), ref: 004B743C

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID:
API String ID: 1383977212-0
Opcode ID: 4d031c4ba3abf2117cfd728fd44ca05682d05c1fc7df4df177f1b240e18774ea
Instruction ID: 58dcb466ae29bb52251fc7cb0d57fdb7ea2c2c0f4dd7f3cea9a9ef41e8b954c3
Opcode Fuzzy Hash: 4d031c4ba3abf2117cfd728fd44ca05682d05c1fc7df4df177f1b240e18774ea
Instruction Fuzzy Hash: F601A7713006043BE610AB668CC5D2FB76DEBC4B05BC1851EF24487781CE68ED4287B8

Function 004B1A35 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32(?,?), ref: 004B1A4D
GetParent.USER32(00000000), ref: 004B1A5A
ScreenToClient.USER32(00000000,?), ref: 004B1A7B
IsWindowEnabled.USER32(00000000), ref: 004B1A94

Part of subcall function 004BA5C0: GetWindowLongA.USER32(00000000,000000F0), ref: 004BA5D1

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$ClientEnabledFromLongParentPointScreen
String ID:
API String ID: 2204725058-0
Opcode ID: a8e9d8badaca29d292efe8e1555a3034268748c28f76984aa2e7b87d6ae7bcec
Instruction ID: f06e3324a584e788540ac989552e7c019e41b4785564a32cd03177130457bc7d
Opcode Fuzzy Hash: a8e9d8badaca29d292efe8e1555a3034268748c28f76984aa2e7b87d6ae7bcec
Instruction Fuzzy Hash: AF01D436601900BF87129B59CC14DEF7BB9AF89740744402BF505D7320EB38EE128778

Function 004B61E8 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 004B61F6
SendMessageA.USER32(00000000,?,?,?), ref: 004B622C
GetTopWindow.USER32(00000000), ref: 004B6239
GetWindow.USER32(00000000,00000002), ref: 004B6257

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 54bd8edeef31bd94dab2a514a9e5707c5aeddc46fc0c239e953c7059cd57a066
Instruction ID: 61b658010140ee9510d4cbb923ffbc45e7bf354812773b8bc66f6e0d49398d48
Opcode Fuzzy Hash: 54bd8edeef31bd94dab2a514a9e5707c5aeddc46fc0c239e953c7059cd57a066
Instruction Fuzzy Hash: 3B01253200251ABFDF166F959C05EDF3B2AAF45350F068026FA0455121CB3EC962EBBA

Function 004B68D7 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 004B6915
SetBkColor.GDI32(00000000,00000000), ref: 004B6921
GetSysColor.USER32(00000008), ref: 004B6931
SetTextColor.GDI32(00000000,?), ref: 004B693B

Part of subcall function 004BA5C0: GetWindowLongA.USER32(00000000,000000F0), ref: 004BA5D1

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: 2dca981aa8f729569c5ba8ec0008a05c35e91d38c94b1f19980fa5bf6932ea1b
Instruction ID: c0389444b280e19a04d645c866de8433e020c05ac5b1300c307afc9b224097aa
Opcode Fuzzy Hash: 2dca981aa8f729569c5ba8ec0008a05c35e91d38c94b1f19980fa5bf6932ea1b
Instruction Fuzzy Hash: E8014BB1100109ABDF315F68DE89BEF3B65AB00360F514122FE11C42E4D779D994CAB9

Function 004B99F9 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32(?,?), ref: 004B9A0A
GetViewportExtEx.GDI32(?,?), ref: 004B9A17
MulDiv.KERNEL32(?,00000000,00000000), ref: 004B9A3C
MulDiv.KERNEL32(?,00000000,00000000), ref: 004B9A57

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: b38080c1ce6a7543116e9a80b57430aea3b85c8526acc190966f4ca2faaab8ec
Instruction ID: 718bf38904157f529bd03771a4383be1e1f988db524c5ed51b35ebdeda8fa067
Opcode Fuzzy Hash: b38080c1ce6a7543116e9a80b57430aea3b85c8526acc190966f4ca2faaab8ec
Instruction Fuzzy Hash: F4F01972800509BFEF116B62DD0ACAEBBBDEFA0350710442AFA51D2170DBB26D919B54

Function 004B9A62 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32(?,?), ref: 004B9A73
GetViewportExtEx.GDI32(?,?), ref: 004B9A80
MulDiv.KERNEL32(?,00000000,00000000), ref: 004B9AA5
MulDiv.KERNEL32(?,00000000,00000000), ref: 004B9AC0

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: 10d1f5584b974eaf012826f5470ea173e74c692b3a07c63a09dc535ba076563b
Instruction ID: bf8a6df074f91ac7869fa4d94edb65ba264ee0c8393916d0aef5215924f6bdff
Opcode Fuzzy Hash: 10d1f5584b974eaf012826f5470ea173e74c692b3a07c63a09dc535ba076563b
Instruction Fuzzy Hash: BCF01972800509BFEF116B62DD0ACAEBBBDEFA0350710442AFA51D2170DBB26D919B54

Function 00474940 Relevance: 6.0, APIs: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(76C21AC0), ref: 0047494D
IsWindowVisible.USER32(00000000), ref: 00474962
GetTopWindow.USER32(00000000), ref: 0047496D
GetWindow.USER32(00000000,00000002), ref: 00474988

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Window$Visible
String ID:
API String ID: 3657826678-0
Opcode ID: d8dc657dcad1d083ea6e33b06b5ac69213a10362732d7dd643ad34edde308bf4
Instruction ID: 441aa15393ef71189decf61a14ac5c8644fec1f59ddf9eaf38392960205b6cb9
Opcode Fuzzy Hash: d8dc657dcad1d083ea6e33b06b5ac69213a10362732d7dd643ad34edde308bf4
Instruction Fuzzy Hash: DEF0A7B3602A21778522677A6C45DEFB79C5FC5B61B458126FB0CE7201DB18EC0182FD

Function 00441AB0 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00441ABF
PtInRect.USER32(?,?,?), ref: 00441AD4

Part of subcall function 004B7504: IsWindowEnabled.USER32(?), ref: 004B750E

Part of subcall function 00441EF0: UpdateWindow.USER32(00000002), ref: 00441F0D

GetCapture.USER32 ref: 00441AFC
SetCapture.USER32(00000002), ref: 00441B07

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CaptureRectWindow$ClientEnabledUpdate
String ID:
API String ID: 2789096292-0
Opcode ID: baf7bbc353a3c48f3c8d88bc059efb3eee51a81893a562aad7f20bf8d6d69682
Instruction ID: 4aead077a4249020f8ed709c4497d5b7571846a3d0157f419045996f346a1ed9
Opcode Fuzzy Hash: baf7bbc353a3c48f3c8d88bc059efb3eee51a81893a562aad7f20bf8d6d69682
Instruction Fuzzy Hash: D4F0AF313007106BE320EB24DD44EAF73A8AF84351B44491EF885C3261EB38F98087A9

Function 004BA6AA Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 004BA6B7
GetWindowTextA.USER32(?,?,00000100), ref: 004BA6D3
lstrcmpA.KERNEL32(?,?), ref: 004BA6E7
SetWindowTextA.USER32(?,?), ref: 004BA6F7

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: c30cde8c7590e9c34a82e0d61cd499cfc81649f31d3b41885f3e4d694d3b557a
Instruction ID: c086bc83ece6e54e15c2f7955bcae320712dc2c39ceaf39cc07cdaa5f257a22c
Opcode Fuzzy Hash: c30cde8c7590e9c34a82e0d61cd499cfc81649f31d3b41885f3e4d694d3b557a
Instruction Fuzzy Hash: 87F01275400019BBCF626F24DC48EDE7B69FB08390F044022F985D5160DBB5DDE49B99

Function 0047CD30 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 0047CD3B
ScreenToClient.USER32(?,?), ref: 0047CD4A

Part of subcall function 0047E6A0: SetCursor.USER32(?), ref: 0047E759

LoadCursorA.USER32(00000000,00007F00), ref: 0047CD6B
SetCursor.USER32(00000000), ref: 0047CD72

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Cursor$ClientLoadScreen
String ID:
API String ID: 120721131-0
Opcode ID: b373394c2d8fbc4a886901f1e38a273cbd862cda8f8b2977bfdee1559de21308
Instruction ID: 54ccf38563f6349cb7dfccaeae23ff490b3d9d4ee49c572968023af9821efc42
Opcode Fuzzy Hash: b373394c2d8fbc4a886901f1e38a273cbd862cda8f8b2977bfdee1559de21308
Instruction Fuzzy Hash: D8E03075944601ABDB10ABB0DD49DAB77ACAB64306F80492EF54AC2140E678F4098764

Function 00421730 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

<, xrefs: 00421ABA

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 07460ca7ca8a8e8b3f44e4a1f64f1c92c1528e165929f0876a251504a0dd0fd5
Instruction ID: 748353195647148374d2459f62d8b308e3e5268420f6dd1950ac624d621e4f6f
Opcode Fuzzy Hash: 07460ca7ca8a8e8b3f44e4a1f64f1c92c1528e165929f0876a251504a0dd0fd5
Instruction Fuzzy Hash: 4FB192717093518BC728CF24D880A6BB7E1BFD5710F548A2EF49AD7290DB34D949CB86

Function 0043D240 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 0043D3A0
IsRectEmpty.USER32(?), ref: 0043D3AB

Part of subcall function 0043A480: CreateFontIndirectA.GDI32(?), ref: 0043A5AC

Part of subcall function 00450DF0: CreateSolidBrush.GDI32(?), ref: 00450E7A
Part of subcall function 00450DF0: SendMessageA.USER32(?,00000030,00000000,00000000), ref: 00450EBE
Part of subcall function 00450DF0: SendMessageA.USER32(?,000000B1,?,000000FF), ref: 00450EF4
Part of subcall function 00450DF0: SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00450F03

Strings

L, xrefs: 0043D45E

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend$CreateRect$BrushCopyEmptyFontIndirectSolid
String ID: L
API String ID: 4199050670-1778183444
Opcode ID: d71a8fc0d7ffb4e3555d6f714fe24e81a26b793d869ff488626482c8a1c4258f
Instruction ID: 4224a8c7cc8af4fc8f0ec75258b55221fc6083fb85fa7d95a8a1f0571c132686
Opcode Fuzzy Hash: d71a8fc0d7ffb4e3555d6f714fe24e81a26b793d869ff488626482c8a1c4258f
Instruction Fuzzy Hash: 0461A6706047419FD314DB66D841B6FB7E9BFD8708F00491EF58683281EB78E904CB66

Function 004A1252 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004A12E2

Strings

pow, xrefs: 004A12BA, 004A12D7

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: b7a161947e38ca37f123f507ce98e231a0ce639a3e8b2a074e21ee0e1d1acf52
Instruction ID: e94477e608d53e997b679afadb02e028eedb1f55277b5ddbff3a461f374593d4
Opcode Fuzzy Hash: b7a161947e38ca37f123f507ce98e231a0ce639a3e8b2a074e21ee0e1d1acf52
Instruction Fuzzy Hash: BE512B6290D10196EF316B19DD4137B2BD49B73710F244DABFC81863B5EA2C8895D74E

Function 0041D480 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00420CA0: GetCurrentThreadId.KERNEL32 ref: 00420CC5
Part of subcall function 00420CA0: IsWindow.USER32(0001040E), ref: 00420CE1
Part of subcall function 00420CA0: SendMessageA.USER32(0001040E,000083E7,?,00000000), ref: 00420CFA
Part of subcall function 00420CA0: ExitProcess.KERNEL32 ref: 00420D0F

DeleteCriticalSection.KERNEL32(0050E860,?,?,?,?,?,?,?,?,0042827D), ref: 0041D4BA

Part of subcall function 004B5193: __EH_prolog.LIBCMT ref: 004B5198

Strings

!, xrefs: 0041D4A8
#, xrefs: 0041D733

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CriticalCurrentDeleteExitH_prologMessageProcessSectionSendThreadWindow
String ID: !$#
API String ID: 2888814780-2504090897
Opcode ID: 6126c1f32f37a73a9b73bf88f1c87fb5f72292aafd823b4d2e2b40337ff9725d
Instruction ID: bb16895268e08d9f2e165a209fceaf90fb8063eb5201e5120cb284edb9c96e9f
Opcode Fuzzy Hash: 6126c1f32f37a73a9b73bf88f1c87fb5f72292aafd823b4d2e2b40337ff9725d
Instruction Fuzzy Hash: 5E91AC740087858ED316EF75C4897DABFD4AF65348F10484EE8DA07292DBB9624CCBA7

Function 004A5749 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 143COMMON

Download Yara Rule

APIs

Part of subcall function 004A8DF4: InitializeCriticalSection.KERNEL32(00000000,?,?,?,004A2ACD,00000009,?,?,00000000), ref: 004A8E31
Part of subcall function 004A8DF4: EnterCriticalSection.KERNEL32(?,?,?,004A2ACD,00000009,?,?,00000000), ref: 004A8E4C

GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,004A1123), ref: 004A579A

Part of subcall function 004A8E55: LeaveCriticalSection.KERNEL32(?,004A2C42,00000009,004A2C2E,?,?,00000000,?,?), ref: 004A8E62

Strings

`O, xrefs: 004A578E
pO, xrefs: 004A5781

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CriticalSection$EnterInfoInitializeLeave
String ID: `O$pO
API String ID: 1866836854-120486874
Opcode ID: 08c0e2f4b4b8e78d1ed0159a9cfc669c3abeb97abd2003934c72490a8ae6d22a
Instruction ID: 702cdf5d3224a127891b03bb37cc8c9e6cf24e8a35391300fc0bd324e5fda497
Opcode Fuzzy Hash: 08c0e2f4b4b8e78d1ed0159a9cfc669c3abeb97abd2003934c72490a8ae6d22a
Instruction Fuzzy Hash: 74418B75904E81DFE710EB75DE843BA7BE1AB27318F24006FE5459B2A2C63D4889DB4C

Function 004A599C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 004A59B0

Strings

, xrefs: 004A59F9
, xrefs: 004A59D5

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 1c8627621406cf8b083e2dc60a7bbfbe11f98377221687ca85a8c1f2e26e6c80
Instruction ID: 782883d31865f25b0d569e494d69833a2d35b778f28992e5f9945fb28c79783b
Opcode Fuzzy Hash: 1c8627621406cf8b083e2dc60a7bbfbe11f98377221687ca85a8c1f2e26e6c80
Instruction Fuzzy Hash: EA41AE31201E981EEB119754CE99BFB7FA8DB23708F1400E6E145D7153C3784988D7BA

Function 0049D94D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0049D952
#18.ODBC32(00000000,?,?,?,?,?,0049DC17), ref: 0049D979

Strings

State:S1010, xrefs: 0049D9C6

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: H_prolog
String ID: State:S1010
API String ID: 3519838083-2581568126
Opcode ID: 7269d83daae6e7e68d289e6053a26583eccd0e9e21793cb079f8f87e0cae1a24
Instruction ID: 1549435b5d24589a25b1993f61ce79a638cd5fc9d8f3cc3266ad257c9e8141ef
Opcode Fuzzy Hash: 7269d83daae6e7e68d289e6053a26583eccd0e9e21793cb079f8f87e0cae1a24
Instruction Fuzzy Hash: 5021A571A40201AFDB18FB65CA46BAFB7A5AF88705F10053FF052D7290DBBC9D419724

Function 004B5736 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 004BDDE2: LeaveCriticalSection.KERNEL32(?,004BD0D0,00000010,00000010,?,?,00000000,?,?,004BCABB,004BCB1E,004BC39A,004B08EF), ref: 004BDDFA

Part of subcall function 004A44E2: RaiseException.KERNEL32(?,0040BC52,00000000,?,00000000,00000000,?,0040BC52,000007DD,?,00000000), ref: 004A4510

wsprintfA.USER32 ref: 004B577C
wsprintfA.USER32 ref: 004B5798
GetClassInfoA.USER32(?,-00000058,?), ref: 004B57A7

Strings

Afx:%x:%x, xrefs: 004B5776

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: wsprintf$ClassCriticalExceptionInfoLeaveRaiseSection
String ID: Afx:%x:%x
API String ID: 2529146597-2071556601
Opcode ID: 81821383207949e2b0a3ac3cdb785c57b2b8dd7a31a16c0e3f0558ecbee86d84
Instruction ID: 0f1d411a0e371f5ad0474372580834d04864517a69699fbf2e2e70c4ff2194fc
Opcode Fuzzy Hash: 81821383207949e2b0a3ac3cdb785c57b2b8dd7a31a16c0e3f0558ecbee86d84
Instruction Fuzzy Hash: CB112170A016199F8B10EF95C881ADEBBB8EF58354F10402BF905E2201E77899418BB9

Function 0049DB54 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0049DB59

Part of subcall function 0049C72E: __EH_prolog.LIBCMT ref: 0049C733
Part of subcall function 0049C72E: #10.ODBC32(?,00000001,?,?,?,?,000001FF,?,004BD8C6,?), ref: 0049C796
Part of subcall function 0049C72E: lstrcmpA.KERNEL32(?,00000,?,?,00000001,?,?,?,?,000001FF,?,004BD8C6,?), ref: 0049C7C5
Part of subcall function 0049C72E: wsprintfA.USER32 ref: 0049C7EE

Strings

State:01S01, xrefs: 0049DBB3
State:01004, xrefs: 0049DB8A

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: H_prolog$lstrcmpwsprintf
String ID: State:01004$State:01S01
API String ID: 2099361635-730015928
Opcode ID: cb18dfbc89923a251d128e1408e7d9718dac06ef798f04e7137166ffcafa2bd4
Instruction ID: ba78156fe2c6a8b9e0e24afac32db9ff17092e23e383e058b546f3a20410ec36
Opcode Fuzzy Hash: cb18dfbc89923a251d128e1408e7d9718dac06ef798f04e7137166ffcafa2bd4
Instruction Fuzzy Hash: 03218C31A00604ABCF25EF59C995E9EBFB0EF84744F11442FF852962A1D7B8E980CB59

Function 00470E00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B153C: SendMessageA.USER32(00001111,00001111,00000000,?), ref: 004B155C

SendMessageA.USER32(?,0000110B,00000009,00000000), ref: 00470E34
IsWindow.USER32(?), ref: 00470E3B

Strings

F, xrefs: 00470E20

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: MessageSend$Window
String ID: F
API String ID: 2326795674-1304234792
Opcode ID: 9cb81a2c65b986be18060ea6ea60fb49288214e2a9e4dfe1f93e27828630f725
Instruction ID: d9f5cf572505983032f263c55b948c7c8ca65b975bd01f3d48e413cec5c8f8d4
Opcode Fuzzy Hash: 9cb81a2c65b986be18060ea6ea60fb49288214e2a9e4dfe1f93e27828630f725
Instruction Fuzzy Hash: 81019E71209300AFE360DF24C884FAFBBF8AFC4B04F40491EF58997290D7B4A8448B96

Function 004945B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 004945D9
__ftol.LIBCMT ref: 004945E2

Strings

/I, xrefs: 004945C9, 004945CE

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: __ftol
String ID: /I
API String ID: 495808979-4180497861
Opcode ID: 9e21e4fbd6ba1a1608018f7fb02abe2efefafaa090db8a314121178a7c1f36aa
Instruction ID: 64421529251add89d5e463fb3930cda429c522c5ae58bca655616649bc4fef6f
Opcode Fuzzy Hash: 9e21e4fbd6ba1a1608018f7fb02abe2efefafaa090db8a314121178a7c1f36aa
Instruction Fuzzy Hash: 0FF0CD322006145BCA10EA9AE884C97BBACEBE9371B054A2FF6809B611CA35F8548770

Function 004BDE9D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004BDE09: RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 004BDE37
Part of subcall function 004BDE09: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 004BDE5A
Part of subcall function 004BDE09: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 004BDE79
Part of subcall function 004BDE09: RegCloseKey.ADVAPI32(?,?,00000000), ref: 004BDE89
Part of subcall function 004BDE09: RegCloseKey.ADVAPI32(?,?,00000000), ref: 004BDE93

RegCreateKeyExA.ADVAPI32(00000000,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,?,004BB0BF,?), ref: 004BDECD
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,004BB0BF,?), ref: 004BDED4

Strings

hu, xrefs: 004BDED4

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CloseCreate$Open
String ID: hu
API String ID: 1740278721-423011080
Opcode ID: 644deb08e7b6cf1e12745136994e79a492cdbc35c0bbb18f7531140eb2e1195f
Instruction ID: e3bc6404d8946396e50532fb2ae848802a227f9b732fa444cb0ef9fb99b3d202
Opcode Fuzzy Hash: 644deb08e7b6cf1e12745136994e79a492cdbc35c0bbb18f7531140eb2e1195f
Instruction Fuzzy Hash: 3CE0E576500128BB87219B92DC49CEFBF7CEF9A7A07500066F505D2100E634AA00E6F4

Function 00471120 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00471143
PostMessageA.USER32(?,00000401,00000000,00000000), ref: 00471159

Strings

, xrefs: 00471128

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: Message$PostSend
String ID:
API String ID: 2264170824-3916222277
Opcode ID: 56ee73f295987a82782355741aa5144af7a39f5424f16f406fdf56bfa6febdd1
Instruction ID: 36dbfe83949312524e4499fede1f04c5dee6dbc7e1ad06ff350fa7c6f7fd5768
Opcode Fuzzy Hash: 56ee73f295987a82782355741aa5144af7a39f5424f16f406fdf56bfa6febdd1
Instruction Fuzzy Hash: 6DE01231740701ABE6749B649C45F97729A9B48711F40851AF74AEB3D1C6F4E8818618

Function 004B00F7 Relevance: 5.1, APIs: 4, Instructions: 134stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,004F6040,00000000,?,<body>,?,00000000,?,00000000,?), ref: 004B0115
lstrlenA.KERNEL32(?), ref: 004B0132
lstrlenA.KERNEL32(75570440), ref: 004B0164
lstrlenA.KERNEL32(?,?), ref: 004B0239

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: fbeafddd8956b120230f0063a0bde737e1a084579279fec181eb34d891314680
Instruction ID: be2338feea8c1c1873cdcdb6f658279799a3409e7a40f9ef4ecf371391147fd6
Opcode Fuzzy Hash: fbeafddd8956b120230f0063a0bde737e1a084579279fec181eb34d891314680
Instruction Fuzzy Hash: F1419A36D0021AEFCF04DFA8C9849EEBBB5FF44355B10406AE904A7211D739AE41CBA8

Function 004290D0 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00429161
wsprintfA.USER32 ref: 0042917B
wsprintfA.USER32 ref: 00429196

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 3fb0f7543b1903f061421a86e09e6e8f84a3e41313901b06714adf993fbf95ee
Instruction ID: 784fd8d972aa161e56d74c3e34cd419f871de2bf845cdd389e545e5732585932
Opcode Fuzzy Hash: 3fb0f7543b1903f061421a86e09e6e8f84a3e41313901b06714adf993fbf95ee
Instruction Fuzzy Hash: 6831E8B15043045BD204EF65E845A6FBBE9FFC4754F800A2DF84693281DB78ED08C6AA

Function 004BCF11 Relevance: 5.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 004BCF6E
LeaveCriticalSection.KERNEL32(?,?), ref: 004BCF7E
LocalFree.KERNEL32(?), ref: 004BCF87
TlsSetValue.KERNEL32(?,00000000), ref: 004BCF9D

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 5780859897a024419df82f0c3d8b4ec91c0bcbee54d446c215ee063b32192a85
Instruction ID: 69f7450a0bfcb6e1eca450225e2211a2fa9734d12043b518839c5a53b0b86c32
Opcode Fuzzy Hash: 5780859897a024419df82f0c3d8b4ec91c0bcbee54d446c215ee063b32192a85
Instruction Fuzzy Hash: 1F215C31200600EFDB258F48D8C5FAA77A6FF45716F1480AAF5468B2A1C7B5F941DB68

Function 004AA63A Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,004AA402,?,?,00000000,004A2BC3,?,?,?,00000000,?,?), ref: 004AA662
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,004AA402,?,?,00000000,004A2BC3,?,?,?,00000000,?,?), ref: 004AA696
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 004AA6B0
HeapFree.KERNEL32(00000000,?), ref: 004AA6C7

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 68349643ec0020fa9deff301ba81ee9bc69f35bcb7f81c3b418292cd1a3fb18b
Instruction ID: 5c1cf92bdb7bed3e7ec7d45fac7eb43f79c6c42baae0ff673976c16c8c704c11
Opcode Fuzzy Hash: 68349643ec0020fa9deff301ba81ee9bc69f35bcb7f81c3b418292cd1a3fb18b
Instruction Fuzzy Hash: 48115134200B04DFC7219F59EC45DA67BF5FB66758718452AF192C61B4C372A8A9EF08

Function 004BDD72 Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00541120,?,00000000,?,00000000,004BD0B9,00000010,?,?,00000000,?,?,004BCABB,004BCB1E,004BC39A,004B08EF), ref: 004BDDAD
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,004BD0B9,00000010,?,?,00000000,?,?,004BCABB,004BCB1E,004BC39A,004B08EF), ref: 004BDDBF
LeaveCriticalSection.KERNEL32(00541120,?,00000000,?,00000000,004BD0B9,00000010,?,?,00000000,?,?,004BCABB,004BCB1E,004BC39A,004B08EF), ref: 004BDDC8
EnterCriticalSection.KERNEL32(00000000,00000000,?,00000000,004BD0B9,00000010,?,?,00000000,?,?,004BCABB,004BCB1E,004BC39A,004B08EF), ref: 004BDDDA

Part of subcall function 004BDCDF: GetVersion.KERNEL32(?,004BDD82,00000000,004BD0B9,00000010,?,?,00000000,?,?,004BCABB,004BCB1E,004BC39A,004B08EF), ref: 004BDCF2

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: b397e18393fec7875a39dbbd5588507ae7d86e77443f2cf0b453673165851fc8
Instruction ID: 08d1aa2545b74429fcdc49611cdd45e549e9a44cc5196d8f5d5d6bba90ad67ff
Opcode Fuzzy Hash: b397e18393fec7875a39dbbd5588507ae7d86e77443f2cf0b453673165851fc8
Instruction Fuzzy Hash: 0FF0AF39801A4ADFC710DF96FC849DAB7ACFB2135AF00003BE64582021E774B4C9DAAC

Function 004A8DCB Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,004A64F9,?,004A10F3), ref: 004A8DD8
InitializeCriticalSection.KERNEL32(?,004A64F9,?,004A10F3), ref: 004A8DE0
InitializeCriticalSection.KERNEL32(?,004A64F9,?,004A10F3), ref: 004A8DE8
InitializeCriticalSection.KERNEL32(?,004A64F9,?,004A10F3), ref: 004A8DF0

Memory Dump Source

Source File: 00000002.00000002.2748834636.0000000000401000.00000080.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2748760372.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749124775.00000000004C5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749209698.00000000004C6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749320866.00000000004E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749396792.00000000004EA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749483121.00000000004F8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749552798.00000000004F9000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749626560.00000000004FD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.0000000000501000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000050D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749699440.000000000053F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749889067.0000000000543000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2749960688.000000000054B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2750021605.000000000055B000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U65b0#U7248#U7f51#U5173.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 702c47a70c355b11c0fe075582665cb170743e128ff395e645083820e95c59c0
Instruction ID: fa4b6ab56ac0d6507b69e149010bbf788ecf771beb62753bd5d3de8bc0ea3e1f
Opcode Fuzzy Hash: 702c47a70c355b11c0fe075582665cb170743e128ff395e645083820e95c59c0
Instruction Fuzzy Hash: 27C00235800535DBCA512B55FE458697F25EF052A13010072E9045107086621C74DFD8

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U65b0#U7248#U7f51#U5173.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files (x86)\AutoIt3\Uninstall.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Windows Analysis Report
#U65b0#U7248#U7f51#U5173.exe

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre