Edit tour

Windows Analysis Report
212.exe

Overview

General Information

Sample name:	212.exe
Analysis ID:	1559165
MD5:	5fd229e70f23300791fa020ce7ad2994
SHA1:	33d77817b9bee09ef49b57134f441dd95a694105
SHA256:	47b9caba2fee3a8ea78b60c393999f52d06929b1cda0c8302dd661c29947b8e7
Tags:	exeopendiruser-Joker
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for dropped file

Machine Learning detection for sample

Renames NTDLL to bypass HIPS

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Enables driver privileges

Enables security privileges

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Sample file is different than original file name gathered from version info

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

212.exe (PID: 6488 cmdline: "C:\Users\user\Desktop\212.exe" MD5: 5FD229E70F23300791FA020CE7AD2994)

212.exe (PID: 2072 cmdline: "C:\Users\user\Desktop\212.exe" MD5: 5FD229E70F23300791FA020CE7AD2994)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: 212.exe PID: 6488	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: 212.exe PID: 2072	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Signatures

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Desktop\212.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\212.exe, ProcessId: 6488, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\QQWER.dll

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: 212.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\QQWER.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 212.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\212.exe	Unpacked PE file: 0.2.212.exe.10000000.2.unpack
Source: C:\Users\user\Desktop\212.exe	Unpacked PE file: 3.2.212.exe.10000000.2.unpack

Source: 212.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: devco n.pdbo source: 212.exe
Source:	Binary string: wntdll.pdbUGP source: 212.exe, 00000000.00000002.3531881449.0000000002B20000.00000040.00000020.00020000.00000000.sdmp, 212.exe, 00000000.00000003.2269868044.0000000002973000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000002.3532026836.0000000002D17000.00000040.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000003.2433505343.0000000002B69000.00000004.00000020.00020000.00000000.sdmp, 47ae76.tmp.0.dr, 47eeac.tmp.3.dr
Source:	Binary string: wntdll.pdb source: 212.exe, 00000000.00000002.3531881449.0000000002B20000.00000040.00000020.00020000.00000000.sdmp, 212.exe, 00000000.00000003.2269868044.0000000002973000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000002.3532026836.0000000002D17000.00000040.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000003.2433505343.0000000002B69000.00000004.00000020.00020000.00000000.sdmp, 47ae76.tmp.0.dr, 47eeac.tmp.3.dr
Source:	Binary string: wuser32.pdb source: 212.exe, 00000000.00000003.2270703330.0000000002979000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000000.00000002.3532096814.0000000002CDE000.00000040.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000003.2434260326.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000002.3532234560.0000000002EC8000.00000040.00000020.00020000.00000000.sdmp, 47af22.tmp.0.dr, 47ef0a.tmp.3.dr
Source:	Binary string: DrvInDM U.pdbe source: 212.exe
Source:	Binary string: wuser32.pdbUGP source: 212.exe, 00000000.00000003.2270703330.0000000002979000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000000.00000002.3532096814.0000000002CDE000.00000040.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000003.2434260326.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000002.3532234560.0000000002EC8000.00000040.00000020.00020000.00000000.sdmp, 47af22.tmp.0.dr, 47ef0a.tmp.3.dr
Source:	Binary string: devc@on.pdb source: 212.exe

Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1000710E
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1000710E
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-28h], esp	0_2_1000710E
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1000710E
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A199
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10018AD3
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10018AD3
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10018EEA
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_100193C2
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	0_2_100193C2
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10007FDD
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10018801
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_10017804
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10011772
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10013C18
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10011C1A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A031
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10024C38
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1001AC51
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1001AC51
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1001AC51
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10006051
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10006051
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001385A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10002461
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1000F472
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_1001847E
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10022882
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	0_2_10025484
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10025484
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_10006495
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10006C96
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10014096
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10014096
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_100024AC
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_100024AC
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_100024AC
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_100024AC
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000FCB0
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_100198CC
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_100188E1
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001A4E7
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1000210D
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1000210D
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	0_2_1000B90D
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10003116
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10017D41
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10017D41
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000FD4D
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_10001D56
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10025977
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10010199
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_1001419C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_1001419C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10008DA3
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_100111A7
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10007DB8
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_100151BD
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_100151BD
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_100151BD
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-28h], esp	0_2_1001D1C4
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1001D1C4
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_100259D9
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_100221E2
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_100221E2
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_100221E2
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_100221E2
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_100221E2
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_100189E6
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1000FDEA
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_100101FB
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_10014203
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1000B61E
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_1001221F
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_1001221F
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001A236
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1001363D
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001363D
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10008E40
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_10011653
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_10011653
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10010255
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10010255
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10007E55
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	0_2_10007E55
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-40h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-40h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000FA6F
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10022A80
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10011E89
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	0_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001A6C7
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_10017ECA
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10010AD6
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10010AD6
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	0_2_10008EDD
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_1001BADE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_100246E4
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_100236FF
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_100236FF
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000FF10
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10008B27
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_1001BB29
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_10015B34
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000833D
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-34h], esp	0_2_10012B40
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_1000634E
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000B353
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_10026356
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	0_2_1001DB5C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_1001DB5C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10017B68
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10011772
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	0_2_10024781
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10024781
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1002378A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1002378A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1002378A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1002378A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1002378A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001BFA0
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001BFA0
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001BFA0
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	0_2_1001BFA0
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001BFA0
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_1000A7A2
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_100137A3
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000F7AC
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10008BC4
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10013FC8
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10007BCA
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10005FDA
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_100253E7
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000B3F0
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	3_2_1000710E
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	3_2_1000710E
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-28h], esp	3_2_1000710E
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	3_2_1000710E
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_1001A199
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_10018AD3
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_10018AD3
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_10018EEA
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	3_2_100193C2
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	3_2_100193C2
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_10007FDD
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_10018801
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_10017804
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_10011772
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10013C18
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_10011C1A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_1001A031
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	3_2_10024C38
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	3_2_1001AC51
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	3_2_1001AC51
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	3_2_1001AC51
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10006051
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10006051
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_1001385A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_10002461
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_1000F472
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	3_2_1001847E
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10022882
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	3_2_10025484
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	3_2_10025484
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	3_2_10006495
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10006C96
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_10014096
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_10014096
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_100024AC
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	3_2_100024AC
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_100024AC
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_100024AC
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_1000FCB0
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_1001A8BE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_100198CC
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	3_2_100188E1
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_1001A4E7
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_1000210D
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_1000210D
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	3_2_1000B90D
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10003116
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_10017D41
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_10017D41
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_1000FD4D
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	3_2_10001D56
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	3_2_10025977
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_10010199
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_1001419C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_1001419C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10008DA3
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	3_2_100111A7
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10007DB8
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	3_2_100151BD
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	3_2_100151BD
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	3_2_100151BD
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-28h], esp	3_2_1001D1C4
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	3_2_1001D1C4
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	3_2_100259D9
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	3_2_100221E2
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	3_2_100221E2
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	3_2_100221E2
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	3_2_100221E2
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	3_2_100221E2
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_100189E6
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_1000FDEA
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	3_2_100101FB
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	3_2_10014203
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_1001121A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_1001121A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_1001121A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_1001121A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_1001121A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_1001121A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_1000B61E
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	3_2_1001221F
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	3_2_1001221F
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_1001A236
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_1001363D
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_1001363D
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10008E40
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	3_2_10011653
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	3_2_10011653
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10010255
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10010255
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10007E55
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	3_2_10007E55
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	3_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	3_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	3_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	3_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	3_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	3_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	3_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	3_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	3_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-40h], esp	3_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	3_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	3_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	3_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	3_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-40h], esp	3_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	3_2_1000C655
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_1000FA6F
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10022A80
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10011E89
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	3_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	3_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	3_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	3_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	3_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	3_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	3_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	3_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	3_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	3_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	3_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	3_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	3_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	3_2_1002129C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_1001A6C7
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	3_2_10017ECA
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10010AD6
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10010AD6
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	3_2_10008EDD
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_1001BADE
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_100246E4
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	3_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_1001A6F8
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	3_2_1001A6F8
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_1001A6F8
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_1001A6F8
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_1001A6F8
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_1001A6F8
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	3_2_100236FF
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	3_2_100236FF
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_1000FF10
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10008B27
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_1001BB29
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_10015B34
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_1000833D
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-34h], esp	3_2_10012B40
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	3_2_1000634E
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_1000B353
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	3_2_10026356
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	3_2_1001DB5C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_1001DB5C
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_10017B68
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_10011772
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	3_2_10024781
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	3_2_10024781
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_1002378A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_1002378A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	3_2_1002378A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_1002378A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	3_2_1002378A
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	3_2_10014289
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_1001BFA0
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_1001BFA0
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_1001BFA0
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	3_2_1001BFA0
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	3_2_1001BFA0
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	3_2_1000A7A2
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_100137A3
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_1000F7AC
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10008BC4
Source: C:\Users\user\Desktop\212.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	3_2_10013FC8

Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57
Source: unknown	TCP traffic detected without corresponding DNS query: 42.193.100.57

Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5Date: Wed, 20 Nov 2024 08:14:42 GMTContent-Length: 1163Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5Date: Wed, 20 Nov 2024 08:14:59 GMTContent-Length: 1163Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69

Source: 212.exe	String found in binary or memory: http://.httpsset-cookie:;;
Source: 212.exe	String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/
Source: 212.exe, 00000003.00000002.3531080909.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
Source: 212.exe, 00000003.00000002.3531080909.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt4Z
Source: 212.exe, 00000000.00000002.3531021707.0000000000C09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt4j
Source: 212.exe, 00000003.00000002.3531080909.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtGZ
Source: 212.exe, 00000003.00000002.3531080909.0000000000C53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtZ
Source: 212.exe, 00000003.00000002.3531080909.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtmZ
Source: 212.exe, 00000000.00000002.3531021707.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.tx
Source: 212.exe	String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt
Source: 212.exe, 00000003.00000002.3531080909.0000000000C53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtE
Source: 212.exe, 00000003.00000002.3531080909.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtG
Source: 212.exe, 00000000.00000002.3531021707.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtk%
Source: 212.exe, 00000000.00000002.3531021707.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtp
Source: 212.exe, 00000000.00000002.3531021707.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txty%
Source: 212.exe	String found in binary or memory: http://ocsp.t
Source: 212.exe	String found in binary or memory: http://sf.symc
Source: 212.exe	String found in binary or memory: http://ts-ocsp.ws.s
Source: 212.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.
Source: 212.exe	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: 212.exe	String found in binary or memory: https://User-Agent:Mozilla/4.0
Source: 212.exe	String found in binary or memory: https://note.youdao.com/yws/public/note/03cb89fe74e7b4305099ed5dabde2135?sev=j1
Source: 212.exe	String found in binary or memory: https://ww(w.v

Source: C:\Users\user\Desktop\212.exe

Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits,

0_2_1001F2ED

Source: 212.exe, 00000000.00000002.3531021707.0000000000B57000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_5f98affc-9

Source: Yara match	File source: Process Memory Space: 212.exe PID: 6488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 212.exe PID: 2072, type: MEMORYSTR

Source: C:\Users\user\Desktop\212.exe	Code function: 0_2_10007FDD NtClose,	0_2_10007FDD
Source: C:\Users\user\Desktop\212.exe	Code function: 0_2_1001419C ReleaseMutex,NtClose,	0_2_1001419C
Source: C:\Users\user\Desktop\212.exe	Code function: 0_2_1001221F NtClose,	0_2_1001221F
Source: C:\Users\user\Desktop\212.exe	Code function: 3_2_10007FDD NtClose,	3_2_10007FDD
Source: C:\Users\user\Desktop\212.exe	Code function: 3_2_1001419C ReleaseMutex,NtClose,	3_2_1001419C
Source: C:\Users\user\Desktop\212.exe	Code function: 3_2_1001221F NtClose,	3_2_1001221F

Source: C:\Users\user\Desktop\212.exe	Code function: 0_2_004C6020	0_2_004C6020
Source: C:\Users\user\Desktop\212.exe	Code function: 0_2_10002628	0_2_10002628
Source: C:\Users\user\Desktop\212.exe	Code function: 0_2_100032EA	0_2_100032EA
Source: C:\Users\user\Desktop\212.exe	Code function: 3_2_004C6020	3_2_004C6020
Source: C:\Users\user\Desktop\212.exe	Code function: 3_2_10002628	3_2_10002628
Source: C:\Users\user\Desktop\212.exe	Code function: 3_2_100032EA	3_2_100032EA

Source: C:\Users\user\Desktop\212.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Users\user\Desktop\212.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\Desktop\212.exe

Code function: String function: 10029640 appears 130 times

Source: 47ae76.tmp.0.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 47eeac.tmp.3.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped

Source: 47eeac.tmp.3.dr	Static PE information: No import functions for PE file found
Source: 47ae76.tmp.0.dr	Static PE information: No import functions for PE file found

Source: 212.exe, 00000000.00000003.2270703330.0000000002979000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 212.exe
Source: 212.exe, 00000000.00000002.3532096814.0000000002D86000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 212.exe
Source: 212.exe, 00000000.00000003.2269868044.0000000002A96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 212.exe
Source: 212.exe, 00000000.00000002.3531881449.0000000002C4D000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 212.exe
Source: 212.exe, 00000003.00000002.3532234560.0000000002F70000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 212.exe
Source: 212.exe, 00000003.00000003.2434260326.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 212.exe
Source: 212.exe, 00000003.00000003.2433505343.0000000002C8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 212.exe
Source: 212.exe, 00000003.00000002.3532026836.0000000002E44000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 212.exe

Source: 212.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: QQWER.dll.0.dr

Static PE information: Section: .rsrc ZLIB complexity 1.0002780183550337

Source: 47eeac.tmp.3.dr

Binary string: \Device\IPT[

Source: classification engine

Classification label: mal84.evad.winEXE@2/11@0/1

Source: C:\Users\user\Desktop\212.exe

Code function: 0_2_00415ACD GetDiskFreeSpaceExA,

0_2_00415ACD

Source: C:\Users\user\Desktop\212.exe

File created: C:\Users\user\Desktop\QQWER.dll

Jump to behavior

Source: C:\Users\user\Desktop\212.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\212.exe

File created: C:\Users\user\AppData\Local\Temp\47ae76.tmp

Jump to behavior

Source: 212.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\212.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 212.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\212.exe "C:\Users\user\Desktop\212.exe"
Source: unknown	Process created: C:\Users\user\Desktop\212.exe "C:\Users\user\Desktop\212.exe"

Source: C:\Users\user\Desktop\212.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\212.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\212.exe

Window detected: Number of UI elements: 23

Source: 212.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 212.exe

Static file information: File size 5222400 > 1048576

Source: 212.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14f000
Source: 212.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x286000
Source: 212.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x10d000

Source:	Binary string: devco n.pdbo source: 212.exe
Source:	Binary string: wntdll.pdbUGP source: 212.exe, 00000000.00000002.3531881449.0000000002B20000.00000040.00000020.00020000.00000000.sdmp, 212.exe, 00000000.00000003.2269868044.0000000002973000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000002.3532026836.0000000002D17000.00000040.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000003.2433505343.0000000002B69000.00000004.00000020.00020000.00000000.sdmp, 47ae76.tmp.0.dr, 47eeac.tmp.3.dr
Source:	Binary string: wntdll.pdb source: 212.exe, 00000000.00000002.3531881449.0000000002B20000.00000040.00000020.00020000.00000000.sdmp, 212.exe, 00000000.00000003.2269868044.0000000002973000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000002.3532026836.0000000002D17000.00000040.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000003.2433505343.0000000002B69000.00000004.00000020.00020000.00000000.sdmp, 47ae76.tmp.0.dr, 47eeac.tmp.3.dr
Source:	Binary string: wuser32.pdb source: 212.exe, 00000000.00000003.2270703330.0000000002979000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000000.00000002.3532096814.0000000002CDE000.00000040.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000003.2434260326.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000002.3532234560.0000000002EC8000.00000040.00000020.00020000.00000000.sdmp, 47af22.tmp.0.dr, 47ef0a.tmp.3.dr
Source:	Binary string: DrvInDM U.pdbe source: 212.exe
Source:	Binary string: wuser32.pdbUGP source: 212.exe, 00000000.00000003.2270703330.0000000002979000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000000.00000002.3532096814.0000000002CDE000.00000040.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000003.2434260326.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000002.3532234560.0000000002EC8000.00000040.00000020.00020000.00000000.sdmp, 47af22.tmp.0.dr, 47ef0a.tmp.3.dr
Source:	Binary string: devc@on.pdb source: 212.exe

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\212.exe	Unpacked PE file: 0.2.212.exe.10000000.2.unpack
Source: C:\Users\user\Desktop\212.exe	Unpacked PE file: 3.2.212.exe.10000000.2.unpack

Source: C:\Users\user\Desktop\212.exe

Code function: 0_2_004C3F90 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_004C3F90

Source: initial sample

Static PE information: section where entry point is pointing to: .rsrc

Source: QQWER.dll.0.dr	Static PE information: section name: .Upack
Source: 47ae76.tmp.0.dr	Static PE information: section name: RT
Source: 47ae76.tmp.0.dr	Static PE information: section name: .mrdata
Source: 47ae76.tmp.0.dr	Static PE information: section name: .00cfg
Source: 47af22.tmp.0.dr	Static PE information: section name: .didat
Source: 47eeac.tmp.3.dr	Static PE information: section name: RT
Source: 47eeac.tmp.3.dr	Static PE information: section name: .mrdata
Source: 47eeac.tmp.3.dr	Static PE information: section name: .00cfg
Source: 47ef0a.tmp.3.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\212.exe	Code function: 0_2_0052EC60 push eax; ret	0_2_0052EC8E
Source: C:\Users\user\Desktop\212.exe	Code function: 0_2_00530ED4 push eax; ret	0_2_00530EF2
Source: C:\Users\user\Desktop\212.exe	Code function: 0_2_1002C7F8 push edi; ret	0_2_1002C7FC
Source: C:\Users\user\Desktop\212.exe	Code function: 3_2_0052EC60 push eax; ret	3_2_0052EC8E
Source: C:\Users\user\Desktop\212.exe	Code function: 3_2_00530ED4 push eax; ret	3_2_00530EF2
Source: C:\Users\user\Desktop\212.exe	Code function: 3_2_1002C7F8 push edi; ret	3_2_1002C7FC

Source: QQWER.dll.0.dr	Static PE information: section name: .rsrc entropy: 7.999713933191419
Source: 47ae76.tmp.0.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 47eeac.tmp.3.dr	Static PE information: section name: .text entropy: 6.844715065913507

Source: C:\Users\user\Desktop\212.exe	File created: C:\Users\user\Desktop\QQWER.dll	Jump to dropped file
Source: C:\Users\user\Desktop\212.exe	File created: C:\Users\user\AppData\Local\Temp\47ef0a.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\212.exe	File created: C:\Users\user\AppData\Local\Temp\47af22.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\212.exe	File created: C:\Users\user\AppData\Local\Temp\47eeac.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\212.exe	File created: C:\Users\user\AppData\Local\Temp\47ae76.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\212.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run			Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run			Jump to behavior

Source: C:\Users\user\Desktop\212.exe	Code function: 0_2_004CBF30 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow,	0_2_004CBF30
Source: C:\Users\user\Desktop\212.exe	Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits,	0_2_1001F2ED
Source: C:\Users\user\Desktop\212.exe	Code function: 3_2_004CBF30 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow,	3_2_004CBF30
Source: C:\Users\user\Desktop\212.exe	Code function: 3_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits,	3_2_1001F2ED

Source: C:\Users\user\Desktop\212.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\212.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-21447

Renames NTDLL to bypass HIPS

Source: C:\Users\user\Desktop\212.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\212.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior

Source: C:\Users\user\Desktop\212.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QQWER.dll	Jump to dropped file
Source: C:\Users\user\Desktop\212.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\47ef0a.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\212.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\47af22.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\212.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\47eeac.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\212.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\47ae76.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\212.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\212.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\212.exe

Code function: 0_2_1000710E GetVersionExA,GetSystemInfo,RtlGetNtVersionNumbers,

0_2_1000710E

Source: 212.exe, 00000003.00000002.3531080909.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: 212.exe, 00000000.00000002.3531021707.0000000000B57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: 212.exe, 00000003.00000002.3531080909.0000000000C53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWnDW
Source: 212.exe, 00000000.00000002.3531021707.0000000000BC9000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000000.00000002.3531021707.0000000000B82000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000003.00000002.3531080909.0000000000C53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\212.exe	API call chain: ExitProcess graph end node			graph_0-21561
Source: C:\Users\user\Desktop\212.exe	API call chain: ExitProcess graph end node			graph_3-21513

Source: C:\Users\user\Desktop\212.exe

Code function: 0_2_10004B1B LdrInitializeThunk,

0_2_10004B1B

Source: C:\Users\user\Desktop\212.exe

Code function: 0_2_004C3F90 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_004C3F90

Source: C:\Users\user\Desktop\212.exe	Code function: 0_2_1001A4C7 mov eax, dword ptr fs:[00000030h]	0_2_1001A4C7
Source: C:\Users\user\Desktop\212.exe	Code function: 0_2_1000AE99 mov eax, dword ptr fs:[00000030h]	0_2_1000AE99
Source: C:\Users\user\Desktop\212.exe	Code function: 3_2_1001A4C7 mov eax, dword ptr fs:[00000030h]	3_2_1001A4C7
Source: C:\Users\user\Desktop\212.exe	Code function: 3_2_1000AE99 mov eax, dword ptr fs:[00000030h]	3_2_1000AE99

Source: C:\Users\user\Desktop\212.exe

Code function: 0_2_10027BB0 GetProcessHeap,RtlAllocateHeap,MessageBoxA,

0_2_10027BB0

Source: C:\Users\user\Desktop\212.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\212.exe	Process token adjusted: Debug			Jump to behavior

Source: 212.exe, 00000000.00000002.3531021707.0000000000B57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindowH
Source: 212.exe	Binary or memory string: @TaskbarCreatedShell_TrayWndTrayNotifyWndSysPagerToolbarWindow32@@
Source: 212.exe, 00000000.00000002.3531021707.0000000000B57000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000000.00000003.2270703330.0000000002979000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000000.00000002.3532096814.0000000002CDE000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: 212.exe	Binary or memory string: Shell_TrayWnd
Source: 212.exe, 00000000.00000002.3531021707.0000000000B57000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000000.00000003.2270703330.0000000002979000.00000004.00000020.00020000.00000000.sdmp, 212.exe, 00000000.00000002.3532096814.0000000002CDE000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\Desktop\212.exe

Code function: 0_2_10019EDC cpuid

0_2_10019EDC

Source: C:\Users\user\Desktop\212.exe

Code function: 0_2_0052D668 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

0_2_0052D668

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 Registry Run Keys / Startup Folder	2 Process Injection	1 Masquerading	11 Input Capture	111 Security Software Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 LSASS Driver	1 Registry Run Keys / Startup Folder	2 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Input Capture	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 LSASS Driver	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	4 Obfuscated Files or Information	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
212.exe	47%	ReversingLabs
212.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\QQWER.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\47ae76.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\47af22.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\47eeac.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\47ef0a.tmp	0%	ReversingLabs
C:\Users\user\Desktop\QQWER.dll	73%	ReversingLabs	Win32.Infostealer.OnlineGames

Source	Detection	Scanner	Label
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtG	0%	Avira URL Cloud	safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt4Z	0%	Avira URL Cloud	safe
http://ts-ocsp.ws.s	0%	Avira URL Cloud	safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtZ	0%	Avira URL Cloud	safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtE	0%	Avira URL Cloud	safe
http://.httpsset-cookie:;;	0%	Avira URL Cloud	safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtGZ	0%	Avira URL Cloud	safe
http://ocsp.t	0%	Avira URL Cloud	safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtmZ	0%	Avira URL Cloud	safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtp	0%	Avira URL Cloud	safe
http://ts-ocsp.ws.symantec.	0%	Avira URL Cloud	safe
http://sf.symc	0%	Avira URL Cloud	safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt4j	0%	Avira URL Cloud	safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtk%	0%	Avira URL Cloud	safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt	0%	Avira URL Cloud	safe
https://ww(w.v	0%	Avira URL Cloud	safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt	0%	Avira URL Cloud	safe
https://User-Agent:Mozilla/4.0	0%	Avira URL Cloud	safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/	0%	Avira URL Cloud	safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.tx	0%	Avira URL Cloud	safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txty%	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt	false	Avira URL Cloud: safe	unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtZ	212.exe, 00000003.00000002.3531080909.0000000000C53000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtE	212.exe, 00000003.00000002.3531080909.0000000000C53000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtG	212.exe, 00000003.00000002.3531080909.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.eyuyan.com)DVarFileInfo$	212.exe	false		high
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt4Z	212.exe, 00000003.00000002.3531080909.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.t	212.exe	false	Avira URL Cloud: safe	unknown
http://.httpsset-cookie:;;	212.exe	false	Avira URL Cloud: safe	unknown
http://ts-ocsp.ws.s	212.exe	false	Avira URL Cloud: safe	unknown
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtGZ	212.exe, 00000003.00000002.3531080909.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://note.youdao.com/yws/public/note/03cb89fe74e7b4305099ed5dabde2135?sev=j1	212.exe	false		high
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtmZ	212.exe, 00000003.00000002.3531080909.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtp	212.exe, 00000000.00000002.3531021707.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ts-ocsp.ws.symantec.	212.exe	false	Avira URL Cloud: safe	unknown
http://sf.symc	212.exe	false	Avira URL Cloud: safe	unknown
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt4j	212.exe, 00000000.00000002.3531021707.0000000000C09000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtk%	212.exe, 00000000.00000002.3531021707.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ww(w.v	212.exe	false	Avira URL Cloud: safe	unknown
https://User-Agent:Mozilla/4.0	212.exe	false	Avira URL Cloud: safe	unknown
http://42.193.100.57/%E5%AD%98%E6%A1%A3/	212.exe	false	Avira URL Cloud: safe	unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.tx	212.exe, 00000000.00000002.3531021707.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txty%	212.exe, 00000000.00000002.3531021707.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
42.193.100.57	unknown	China		4249	LILLY-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559165
Start date and time:	2024-11-20 09:13:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	212.exe
Detection:	MAL
Classification:	mal84.evad.winEXE@2/11@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.190.159.4, 20.190.159.71, 20.190.159.64, 40.126.31.69, 40.126.31.67, 40.126.31.73, 20.190.159.75, 40.126.31.71
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, azureedge-t-prod.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 212.exe

Simulations

Behavior and APIs

Time	Type	Description
09:14:34	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\user\Desktop\212.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.45
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	PO-000041492.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	Credit_DetailsCBS24312017915.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	Payment Advice.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	Delivery_Notification_00116030.doc.js	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.45
fp2e7a.wpc.phicdn.net	file.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	6GvQSVIEIu.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	NW_EmployerNewsletter_11142024_pdf.html	Get hash	malicious	Unknown	Browse	192.229.221.95
	gggghh.exe	Get hash	malicious	FormBook	Browse	192.229.221.95
	file.exe	Get hash	malicious	Remcos	Browse	192.229.221.95
	https://www.amtso.org/check-desktop-phishing-page/	Get hash	malicious	Unknown	Browse	192.229.221.95
	FACTURA 4377.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	WEqMZ4qrbX.dll	Get hash	malicious	Unknown	Browse	192.229.221.95
	exe005(1).exe	Get hash	malicious	Berbew	Browse	192.229.221.95
	exe002(1).exe	Get hash	malicious	Berbew	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LILLY-ASUS	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	43.155.76.124
	arm7.nn-20241120-0508.elf	Get hash	malicious	Mirai, Okiru	Browse	43.52.215.121
	arm.nn-20241120-0508.elf	Get hash	malicious	Mirai, Okiru	Browse	43.152.251.74
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	40.221.176.183
	https://trackwniw.top/i	Get hash	malicious	Unknown	Browse	43.130.33.71
	https://trackwniw.top/i	Get hash	malicious	Unknown	Browse	43.130.33.71
	owari.m68k.elf	Get hash	malicious	Unknown	Browse	42.132.90.14
	owari.arm7.elf	Get hash	malicious	Mirai	Browse	43.100.132.215
	owari.arm.elf	Get hash	malicious	Unknown	Browse	40.167.148.109
	owari.spc.elf	Get hash	malicious	Unknown	Browse	40.205.187.175

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\47ae76.tmp	SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	BCNFNjvJNq.exe	Get hash	malicious	ADWIND, Lokibot, Ramnit, Sality	Browse
	cnlg48.exe	Get hash	malicious	Unknown	Browse
	Lisect_AVT_24003_G1A_54.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002A_186.exe	Get hash	malicious	Unknown	Browse
	zde6gdIB73.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\47af22.tmp	SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	FZ6oyLoqGM.exe	Get hash	malicious	Unknown	Browse
	Lisect_AVT_24003_G1A_54.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002A_186.exe	Get hash	malicious	Unknown	Browse
	zde6gdIB73.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\47ae76.tmp

Download File

Process:	C:\Users\user\Desktop\212.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: BCNFNjvJNq.exe, Detection: malicious, Browse Filename: cnlg48.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1A_54.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_186.exe, Detection: malicious, Browse Filename: zde6gdIB73.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\47af22.tmp

Download File

Process:	C:\Users\user\Desktop\212.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: FZ6oyLoqGM.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1A_54.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_186.exe, Detection: malicious, Browse Filename: zde6gdIB73.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\47eeac.tmp

Download File

Process:	C:\Users\user\Desktop\212.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1699896
Entropy (8bit):	6.290547513916722
Encrypted:	false
SSDEEP:	24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:	5564A98A4692BA8B2D25770FB834D5F6
SHA1:	129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:	28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:	D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\47ef0a.tmp

Download File

Process:	C:\Users\user\Desktop\212.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1679648
Entropy (8bit):	5.3288490918902225
Encrypted:	false
SSDEEP:	24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:	2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:	159434853CE512029314C6B70070220D251A924A
SHA-256:	2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:	7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\ .bmp

Download File

Process:	C:\Users\user\Desktop\212.exe
File Type:	PC bitmap, Windows 3.x format, 88 x 30 x 24, image size 7920, cbSize 7974, bits offset 54
Category:	dropped
Size (bytes):	7974
Entropy (8bit):	5.673356453027983
Encrypted:	false
SSDEEP:	192:Ff/ZR+G5hr4gwFy2EmU8fTDAa/AUdiwcWOWNnLV:FfbEzsxUdinWDh
MD5:	7E50424DE95D765740BCE30899FA4E3B
SHA1:	306B279E18EB8830960449758C025C0F13F7A484
SHA-256:	1886332AA5F083560E14B3E7DAEF8BFBFA7BE16FBD93CC10CD84C11C87014AA6
SHA-512:	4E9349366B4A16111B47E6E78D289DC22892BA7B2E5E5A8F46C808CA268FEEE1D7483A4E43F46686DB24E4C50C4BABBD2A8722D323A25C7656F31C45D186B5A3
Malicious:	false
Preview:	BM&.......6...(...X...................................P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1....................................................................................................................................................................................\|..p.........................................................................~..~..}..}..}..{..{..{..{..z..y..y..x..x..w..w..w..v..u..u..u..t..t..s..s..r..q..q..q..q..p..o..o..n..n..m..m..l..k..k..j..j..i..i..h..h..h..h..g..f..f..e..e..o........................................................................~..~..~..}..}..{..{..{..z..z..z..y..x..x..w..w..w..

C:\Users\user\Desktop\ 1.bmp

Download File

Process:	C:\Users\user\Desktop\212.exe
File Type:	PC bitmap, Windows 3.x format, 43 x 25 x 24, image size 3300, cbSize 3354, bits offset 54
Category:	dropped
Size (bytes):	3354
Entropy (8bit):	2.989481212693407
Encrypted:	false
SSDEEP:	12:hqVRlllllllllLlll7lllllllllp9l+fs9WLtOlqTT9WLXLELc9WLccwlVLcEAAZ:pIsgTZMY
MD5:	6391A0DCDD648730D0801673DAA5E9C9
SHA1:	023E19E73F390D6C976A75E4804E356F8D4E2B79
SHA-256:	8CBC9646B997839C056FA4C663B843971C084CDC044502753A543D83D35092C5
SHA-512:	17C8C196F2D27928FA01E2A461E9F2400E1ACFE73B50A3B3B9A03C3117D2EEC346E9032CE35DA508C26BE561404142DD073D5F7E393729160830EE148C5F4536
Malicious:	false
Preview:	BM........6...(...+...................................%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%.....%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%.....%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%.....%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%.....%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%.....%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%........%..%..%..%..%..%..%..%..%........%..%..%..%..%..%..%..%.....%..%..%..%..%..%..%..%..%..%..%..%..........................%..%.........................................%..%..%..%..%..%..%..%.....%..%..%..%..%..%......

C:\Users\user\Desktop\ 2.bmp

Download File

Process:	C:\Users\user\Desktop\212.exe
File Type:	PC bitmap, Windows 3.x format, 122 x 40 x 24, image size 14720, cbSize 14774, bits offset 54
Category:	dropped
Size (bytes):	14774
Entropy (8bit):	4.868699837953847
Encrypted:	false
SSDEEP:	384:fDinzsGO052UtTri2fzOJ3pzvdTzD8mZxEBxQ74w2jBfG79s6OY:riA/w1ObZSny4dRI9Hh
MD5:	EE883808D176D23096A2D4F339C84368
SHA1:	D901775EDE136567215ABE718023C1A62F46A0A6
SHA-256:	3D28C7A863B6E937EBC72AD585F94359B6BC2FF8523173DB0FEEFBC803AB372B
SHA-512:	F14CF6522847121246B7913FA1C800227EEEAFAE5F7AA44D2E45ED55EC50B2A729C109B222D0F2E3FECFB3B16031AEF742C286DA0393322A73C4B182C71033D3
Malicious:	false
Preview:	BM.9......6...(...z...(............9..............................................................................................................................~..~..~..~..}..}..}..}..\|..\|..{..{..{..{..z..z..z..z..y..y..x..y..x..x..w..x..w..w..v..v..v..v..u..u..t..t..t..t..s..s..s..s..r..r..q..r..q..q..p..q..p..p..o..o..o..o..n..n..m..n..m..m..l..l..l..l..k..k..j..k................................................................................................................~..~..}..}..}..}..\|..\|..\|..\|..{..{..z..{..z..z..y..z..y..y..x..x..x..x..w..w..v..v..v..v..u..u..u..u..t..t..s..t..s..s..r..s..r..r..q..q..q..q..p..p..o..p..o..o..n..n..n..n..m..m..l..m..l..l..k..l..k..k..j..j...............................................................................................................~..~..~..~..}..}..\|..}..\|..\|..{..{..{..{..z..z..y..z.

C:\Users\user\Desktop\ .bmp

Download File

Process:	C:\Users\user\Desktop\212.exe
File Type:	PC bitmap, Windows 3.x format, 124 x 21 x 24, image size 7812, cbSize 7866, bits offset 54
Category:	dropped
Size (bytes):	7866
Entropy (8bit):	2.8370523003123043
Encrypted:	false
SSDEEP:	24:o4XlQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQP:T+QgQ2VQPQ/QNQmQTQGQKxQyQIHiw1
MD5:	5D70530E3663B004B68425154CB9AFB9
SHA1:	46CFADA3D2EDE8A3280598BD4E2EC89CE0C7D56F
SHA-256:	0818DF2198DA1889321E82F769F3AA6B01F9CD773987354A8F5E0908379F45CE
SHA-512:	824569EAB3FBB412708BB35CDF0A3630289008307A518E68253CFAAD379CFB830C56A2582D2FB071561BF2FB3ADB2535CEBA13319A3A096009357E152022119E
Malicious:	false
Preview:	BM........6...(...\|...................................%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%

C:\Users\user\Desktop\ 4.bmp

Download File

Process:	C:\Users\user\Desktop\212.exe
File Type:	PC bitmap, Windows 3.x format, 132 x 32 x 24, image size 12672, cbSize 12726, bits offset 54
Category:	dropped
Size (bytes):	12726
Entropy (8bit):	5.79054775797227
Encrypted:	false
SSDEEP:	384:xcEOHiLY/s8/wo4C4tPzSrEEBN/LMzeW1:xcdHiLeF4Q4pSY+hLMzv
MD5:	FA9FA099399E2ADF93BE1348C4AED087
SHA1:	3FB710D8AD919AE6783E222DF46305E39FA81098
SHA-256:	3749B52884564A500221E53DE5FCF24A2F6E3EDB4E58ADB13CF2B5F8F422BA7B
SHA-512:	A6D378F8AD7EFAF4A3067D3F601AFAB53C83947DA29C9F6A21BAD21F287D2CAB093939BD017F32971EE6B3DA1EC82BE6D59234CB446A325A33C8AA5215200DD8
Malicious:	false
Preview:	BM.1......6...(....... ............1..................................................................................................................................................................................................................................................................................................~..~..}..}..\|..\|..{..\|..{..{..z..z..y..y..x..x..x..w..w..w..................................................................................................................................................................................................................................................................................~..~..}..~..}..}..\|..\|..{..{..z..z..z..z..y..y..x..x..w..w....................................................................................................................................................

C:\Users\user\Desktop\ 404.bmp

Download File

Process:	C:\Users\user\Desktop\212.exe
File Type:	PC bitmap, Windows 3.x format, 312 x 196 x 24, image size 183456, cbSize 183510, bits offset 54
Category:	dropped
Size (bytes):	183510
Entropy (8bit):	5.556020063769881
Encrypted:	false
SSDEEP:	3072:6Sv2XACrsCmcuRGDpKiVarMsILpZTjDuD:rv2tNRdn5hpZvQ
MD5:	1C4B3140D22A2921DC9E023E3E68963E
SHA1:	0D4F280950E2221F30D40DF40A14C496FD5B9723
SHA-256:	4F7D1D27980D902757136771413B5B9E681D7D5664259F8C0914DAEF986F1614
SHA-512:	F0615BDA954AA84B871237F7BD64046BB99CAD7EE1CB43C28917B13EB5EC08120E659138C721A660D8B00567E00B79BB6C9384ED30E8EB522D84617177642037
Malicious:	false
Preview:	BM........6...(...8...................................Y,.]..[,.U(.Y+.Y.V).V(.S&.W(.V(.V).Y.[,.\-.U(.]..U(.W).W).X.R%.X.S'.X.S&.S&.V).V(.T&.T'.V).T'.N#.X).X+.T&.S'.S&.S&.V(.V.V(.U).R%.U(.P%.S'.S'.T'.U'.U).X.X+.V).S'.T(.U(.X).b1.]..T'.P$.S&.T(.V+.Y,.Q%.R(.U).T(.R%.T(.V).P%.S'.S'.S&.U).U).V.T'.R&.Q'.O$.T(.S(.N#.S'.S(.T'.S(.M#.S(.X,.Q'.P%.R'.N$.P'.O%.K".Q&.N%.R(.M$.M$.L#.L#.M#.R).K#.O&.Q'.N%.M#.N$.T'.O%.Q'.U).R(.R(.Q(.T+.U+.X..T+.T.U+.W,.T+.S.W-.R).U+.U+.U-.V-.R).S+.Q).T.Q).T+.W,.P(.T+.U,.R).Q).Q.Q).Q).T+.X..S.Q.N'.O(.Q).U-.T,.R.S+.R.R).Q.P(.Q+.P'.S,.T-.R+.P,.P+.P,.M(.P(.R,.Q+.P.Q).V..R,.T,.N).Q+.R+.T..L(.C&.<$.8 .:#.:#.<%.<#.6..@'.8!.5..5..:".8!.@'.;$.9#.:#.9!.>$.7 .;#.<$.;#.D).<#.6..;#.=$.;$.=$.8..:".;#.:!.8".9!.<#.<$.<#.<%.:#.;#.;".9!.<$.<$.:!.<$.;#.<#.:!.E).A(.>%.<$.:#.:".:#.>&.<$.<$.=%.=%.;$.C(.@&.?'.;$.=$.<".>%.8!.;#.9!.>%.<$.>&.>&.;$.=$.>$.<$.A'.?%.6..:".?%.:".:".<#.@&.:#.:#.=$.:".?$.:!.B'.>$.<#.>$.D'.9!.@%.@%.?&.=$.=$.=#.;".:".>#.@'.>%.>%.?&.?$.>%.>$.?$.c3.R%.W(.R

C:\Users\user\Desktop\QQWER.dll

Download File

Process:	C:\Users\user\Desktop\212.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	687517
Entropy (8bit):	7.999653084247243
Encrypted:	true
SSDEEP:	12288:nAPtAe/2ByNkI6K8Pi7GMskNEkzJ0x1d2GpSI5EwLtwun3aPh:nEtAemv+hNZGTds9UtwgqPh
MD5:	4B7109E2F77FF15219B81079DF8C12B2
SHA1:	AB3BF417AF304B83CD49707E399BC06E1E10D519
SHA-256:	BE7A0A59B36299F40D6AC2FC126ACFD6C8BBFF8C4F8D9D85267DF3E2E1E3AED3
SHA-512:	770EBECF21AAD663BB27F7800AE476FF3B9EF444FF661916CB50E65AE4987DDE7413E4AE83FD152C47A296C13E41D4544AED3C780F0F5958BB605F57016537E7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 73%
Preview:	MZKERNEL32.DLL..LoadLibraryA....GetProcAddress..UpackByDwing@...PE..L..................!...9.`..........`X.......p......................................................................,[..q....[..............................H........................................................................................Upack..............................`....rsrc............{..................`........[...............Z...Z...Z...Z...Z.......Z...Z...X.......[.......Y......\|...........u...............................*..T...h........Zx.)1Y"F..,...L..F.4."W\|..5P......A...c]...J..X.;/.T..\|...~.d.W..........(k.../.!.y..0Kol.Ty..N...yg....-.GI....@.c..g:...!.Oo..j..N.h6x..9)B.Iw.4Z}..g.CCN......X...:.`......!y.p.^=..;..!.......83..W..W...h.?$R.Q....$..+......... 6....3..i...<.Z.\...r.T....,.).s..~.V.......^].k.[....bQ....+Y.';C.._.R. fq......y..X.8t2.J.....4B...m.....A...a.8..F....51mt6e..Yec..A...q......:..)..l.O!.S..8.f..X....k.....!B..Z<.\.C....kc(...0..#.M}+@..X.g;P..r....x.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.3374185256067275
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	212.exe
File size:	5'222'400 bytes
MD5:	5fd229e70f23300791fa020ce7ad2994
SHA1:	33d77817b9bee09ef49b57134f441dd95a694105
SHA256:	47b9caba2fee3a8ea78b60c393999f52d06929b1cda0c8302dd661c29947b8e7
SHA512:	d857fcafc462291a1a23abe4419fae73825b087a6fca51e51c9f26eb43c1ac8871269399fd7412847d7eb62ed60790fa37d8a561690596a1689d1a94b1d11605
SSDEEP:	98304:aXOEWTf0319KoRdqPGCSbRQTD4wP7wxJRzmSbRQTD4wP7wxJRz4:Bjico5+/z7wxJRz+/z7wxJRE
TLSH:	C836AE03B252C866D2142BB455F5E738D6784FA17C76CB43E7E0FCA37D72A636A12209
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......L..A............s.......g.......g...........$...^...$...j.......................>...c...>...................i...............S..

File Icon


Icon Hash:	0f4d70f0ed71330f

Static PE Info

General

Entrypoint:	0x52d668
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x672B06A1 [Wed Nov 6 06:03:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	04c7a30e342800eb893154d4d8d3104c

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 007C9A78h
push 005304D4h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [005503E8h]
xor edx, edx
mov dl, ah
mov dword ptr [00828EACh], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00828EA8h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [00828EA4h], ecx
shr eax, 10h
mov dword ptr [00828EA0h], eax
push 00000001h
call 00007F3C34DCC457h
pop ecx
test eax, eax
jne 00007F3C34DC643Ah
push 0000001Ch
call 00007F3C34DC64F8h
pop ecx
call 00007F3C34DCC202h
test eax, eax
jne 00007F3C34DC643Ah
push 00000010h
call 00007F3C34DC64E7h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F3C34DCC030h
call dword ptr [00550358h]
mov dword ptr [0082E0E4h], eax
call 00007F3C34DCBEEEh
mov dword ptr [00828E18h], eax
call 00007F3C34DCBC97h
call 00007F3C34DCBBD9h
call 00007F3C34DCAB0Ah
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [005501C8h]
call 00007F3C34DCBB6Ah
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F3C34DC6438h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d2a28	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42f000	0x10ce8c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x150000	0x7d8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14e93e	0x14f000	3aa6742e530922fac208fec52aff2050	False	0.40917167094216417	data	6.419392068049381	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x150000	0x2852b4	0x286000	f0f44d9cd77e8975ea97ffbd7426d468	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d6000	0x580ea	0x18000	6b13893c53c8e60272266e79a1c9fa31	False	0.3039347330729167	data	5.075623248652785	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x42f000	0x10ce8c	0x10d000	e64db9b885839be50d9740fb68390968	False	0.4221699654391264	data	4.847579887280327	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TEXTINCLUDE	0x42fb9c	0xb	ASCII text, with no line terminators	Chinese	China	1.7272727272727273
TEXTINCLUDE	0x42fba8	0x16	data	Chinese	China	1.3636363636363635
TEXTINCLUDE	0x42fbc0	0x151	C source, ASCII text, with CRLF line terminators	Chinese	China	0.6201780415430267
RT_CURSOR	0x42fd14	0x134	data	Chinese	China	0.5811688311688312
RT_CURSOR	0x42fe48	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Chinese	China	0.37662337662337664
RT_CURSOR	0x42ff7c	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Chinese	China	0.4805194805194805
RT_CURSOR	0x4300b0	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Chinese	China	0.7
RT_BITMAP	0x430164	0x248	Device independent bitmap graphic, 64 x 15 x 4, image size 480	Chinese	China	0.3407534246575342
RT_BITMAP	0x4303ac	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.4444444444444444
RT_BITMAP	0x4304f0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.26453488372093026
RT_BITMAP	0x430648	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2616279069767442
RT_BITMAP	0x4307a0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2441860465116279
RT_BITMAP	0x4308f8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.24709302325581395
RT_BITMAP	0x430a50	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2238372093023256
RT_BITMAP	0x430ba8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.19476744186046513
RT_BITMAP	0x430d00	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.20930232558139536
RT_BITMAP	0x430e58	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.18895348837209303
RT_BITMAP	0x430fb0	0x5e4	Device independent bitmap graphic, 70 x 39 x 4, image size 1404	Chinese	China	0.34615384615384615
RT_BITMAP	0x431594	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Chinese	China	0.44565217391304346
RT_BITMAP	0x43164c	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.28296703296703296
RT_BITMAP	0x4317b8	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.37962962962962965
RT_ICON	0x4318fc	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.26344086021505375
RT_ICON	0x431be4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.41216216216216217
RT_ICON	0x431d0c	0x108028	Device independent bitmap graphic, 512 x 1024 x 32, image size 2097152			0.43531131744384766
RT_MENU	0x539d34	0xc	data	Chinese	China	1.5
RT_MENU	0x539d40	0x284	data	Chinese	China	0.5
RT_DIALOG	0x539fc4	0x98	data	Chinese	China	0.7171052631578947
RT_DIALOG	0x53a05c	0x17a	data	Chinese	China	0.5185185185185185
RT_DIALOG	0x53a1d8	0xfa	data	Chinese	China	0.696
RT_DIALOG	0x53a2d4	0xea	data	Chinese	China	0.6239316239316239
RT_DIALOG	0x53a3c0	0x8ae	data	Chinese	China	0.39603960396039606
RT_DIALOG	0x53ac70	0xb2	data	Chinese	China	0.7359550561797753
RT_DIALOG	0x53ad24	0xcc	data	Chinese	China	0.7647058823529411
RT_DIALOG	0x53adf0	0xb2	data	Chinese	China	0.6629213483146067
RT_DIALOG	0x53aea4	0xe2	data	Chinese	China	0.6637168141592921
RT_DIALOG	0x53af88	0x18c	data	Chinese	China	0.5227272727272727
RT_STRING	0x53b114	0x50	data	Chinese	China	0.85
RT_STRING	0x53b164	0x2c	data	Chinese	China	0.5909090909090909
RT_STRING	0x53b190	0x78	data	Chinese	China	0.925
RT_STRING	0x53b208	0x1c4	data	Chinese	China	0.8141592920353983
RT_STRING	0x53b3cc	0x12a	data	Chinese	China	0.5201342281879194
RT_STRING	0x53b4f8	0x146	data	Chinese	China	0.6288343558282209
RT_STRING	0x53b640	0x40	data	Chinese	China	0.65625
RT_STRING	0x53b680	0x64	data	Chinese	China	0.73
RT_STRING	0x53b6e4	0x1d8	data	Chinese	China	0.6758474576271186
RT_STRING	0x53b8bc	0x114	data	Chinese	China	0.6376811594202898
RT_STRING	0x53b9d0	0x24	data	Chinese	China	0.4444444444444444
RT_GROUP_CURSOR	0x53b9f4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x53ba08	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x53ba1c	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China	1.0294117647058822
RT_GROUP_ICON	0x53ba40	0x14	Targa image data - Map 32 x 32808 x 16			1.1
RT_GROUP_ICON	0x53ba54	0x14	data	Chinese	China	1.2
RT_GROUP_ICON	0x53ba68	0x14	data	Chinese	China	1.25
RT_VERSION	0x53ba7c	0x240	data	Chinese	China	0.5642361111111112
RT_MANIFEST	0x53bcbc	0x1cd	XML 1.0 document, ASCII text, with very long lines (461), with no line terminators			0.5878524945770065

Imports

DLL	Import
WINMM.dll	midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutRestart, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, midiStreamStop, midiOutReset, midiStreamClose, midiStreamRestart, waveOutGetNumDevs
WS2_32.dll	WSAAsyncSelect, closesocket, send, select, WSAStartup, inet_ntoa, recvfrom, ioctlsocket, recv, getpeername, accept, WSACleanup, ntohl
RASAPI32.dll	RasGetConnectStatusA, RasHangUpA
KERNEL32.dll	MultiByteToWideChar, SetLastError, GetTimeZoneInformation, OpenProcess, TerminateThread, FileTimeToSystemTime, CreateMutexA, ReleaseMutex, SuspendThread, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcmpiA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, DuplicateHandle, lstrcpynA, FileTimeToLocalFileTime, LocalFree, WideCharToMultiByte, InterlockedDecrement, InterlockedIncrement, TerminateProcess, GetCurrentProcess, GetFileSize, SetFilePointer, CreateToolhelp32Snapshot, Process32First, Process32Next, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, RemoveDirectoryA, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GetDriveTypeA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, ExpandEnvironmentStringsA, GlobalAlloc, GlobalLock, GlobalUnlock, FindFirstFileA, FindClose, SetFileAttributesA, InterlockedExchange, GetFileAttributesA, DeleteFileA, GetCurrentDirectoryA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, GetCommandLineA, GetTickCount, CreateProcessA, WaitForSingleObject, CloseHandle, RtlUnwind, GetSystemTime, GetLocalTime, RaiseException, HeapSize, GetACP, SetStdHandle, GetFileType, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, VirtualAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, GetVersion
USER32.dll	SetWindowRgn, DestroyAcceleratorTable, GetWindow, GetActiveWindow, SetFocus, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer, IsIconic, PeekMessageA, SetMenu, GetMenu, DeleteMenu, GetSystemMenu, DefWindowProcA, GetClassInfoA, IsZoomed, PostQuitMessage, CopyAcceleratorTableA, GetKeyState, TranslateAcceleratorA, IsWindowEnabled, ShowWindow, SystemParametersInfoA, LoadImageA, EnumDisplaySettingsA, ClientToScreen, EnableMenuItem, GetSubMenu, GetDlgCtrlID, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, IntersectRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, CreateAcceleratorTableA, LoadStringA, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, IsDialogMessageA, ScrollWindowEx, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, GetScrollPos, RegisterClassA, GetMenuItemCount, GetMenuItemID, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, RemovePropA, GetMessageTime, GetLastActivePopup, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, WaitForInputIdle, CreateMenu, ModifyMenuA, AppendMenuA, CreatePopupMenu, DrawIconEx, CreateIconFromResource, CreateIconFromResourceEx, RegisterClipboardFormatA, SetRectEmpty, DispatchMessageA, GetMessageA, WindowFromPoint, DrawFocusRect, DrawEdge, DrawFrameControl, TranslateMessage, LoadIconA, UnregisterClassA, GetDesktopWindow, GetClassNameA, GetWindowThreadProcessId, GetDlgItem, GetWindowTextA, CallWindowProcA, CreateWindowExA, RegisterHotKey, UnregisterHotKey, SetWindowTextA, GetSysColorBrush, FindWindowA, GetWindowTextLengthA, CharUpperA, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetNextDlgTabItem, GetWindowPlacement, RegisterWindowMessageA, GetForegroundWindow
GDI32.dll	PtVisible, GetViewportExtEx, ExtSelectClipRgn, LineTo, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, GetTextExtentPoint32A, GetDeviceCaps, RealizePalette, SelectPalette, StretchBlt, CreatePalette, RectVisible, CreateDIBitmap, DeleteObject, SelectClipRgn, CreatePolygonRgn, GetClipRgn, SetStretchBltMode, CreateRectRgnIndirect, SetBkColor, CreateFontA, TranslateCharsetInfo, MoveToEx, ExcludeClipRect, GetClipBox, ScaleWindowExtEx, SetWindowExtEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, TextOutA, ExtTextOutA, Escape, GetTextMetricsA, CreateCompatibleDC, BitBlt, StartPage, StartDocA, DeleteDC, EndDoc, EndPage, GetObjectA, GetStockObject, CreateFontIndirectA, CreateSolidBrush, FillRgn, CreateRectRgn, CombineRgn, PatBlt, CreatePen, SelectObject, CreateBitmap, SetViewportOrgEx, SetMapMode, SetTextColor, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, CreateDCA, CreateCompatibleBitmap, GetPolyFillMode, GetStretchBltMode, GetROP2, GetBkColor, GetBkMode, GetTextColor, CreateRoundRectRgn, CreateEllipticRgn, PathToRegion, EndPath, BeginPath, GetWindowOrgEx, GetViewportOrgEx, GetWindowExtEx, GetSystemPaletteEntries, GetDIBits
WINSPOOL.DRV	OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll	RegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegDeleteValueA, RegQueryValueA, RegCreateKeyExA, RegOpenKeyA, RegCloseKey
SHELL32.dll	Shell_NotifyIconA, SHGetSpecialFolderPathA, SHChangeNotify, ShellExecuteA, DragQueryFileA, DragFinish, DragAcceptFiles
ole32.dll	CLSIDFromProgID, OleRun, CoCreateInstance, CLSIDFromString, OleUninitialize, OleInitialize
OLEAUT32.dll	VariantChangeType, VariantClear, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetElement, VariantCopyInd, VariantInit, SysAllocString, SafeArrayDestroy, SafeArrayGetDim, SafeArrayCreate, SafeArrayUnaccessData, UnRegisterTypeLib, LoadTypeLib, LHashValOfNameSys, RegisterTypeLib, SafeArrayPutElement, SafeArrayAccessData
COMCTL32.dll	ImageList_Add, ImageList_BeginDrag, ImageList_Create, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_EndDrag
WININET.dll	InternetCanonicalizeUrlA, InternetCrackUrlA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetConnectA, InternetSetOptionA, InternetOpenA, InternetCloseHandle, InternetReadFile
comdlg32.dll	ChooseColorA, GetOpenFileNameA, GetFileTitleA, GetSaveFileNameA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 09:14:28.885695934 CET	49749	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:28.890798092 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:28.890866995 CET	49749	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:28.891055107 CET	49749	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:28.895934105 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:29.319107056 CET	49755	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:29.324106932 CET	80	49755	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:29.324736118 CET	49755	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:29.324812889 CET	49755	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:29.330068111 CET	80	49755	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:30.430892944 CET	80	49755	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:30.430918932 CET	80	49755	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:30.430932999 CET	80	49755	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:30.430970907 CET	49755	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:30.431005001 CET	80	49755	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:30.431013107 CET	49755	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:30.431016922 CET	80	49755	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:30.431044102 CET	49755	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:30.431077957 CET	49755	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:32.845829964 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:32.845865011 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:32.845880985 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:32.845896959 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:32.845913887 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:32.845971107 CET	49749	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:32.846016884 CET	49749	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:35.986907005 CET	49749	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:35.994410992 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:36.394695997 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:36.394716024 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:36.394728899 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:36.394783020 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:36.394795895 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:36.394879103 CET	49749	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:36.394879103 CET	49749	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:42.739360094 CET	49749	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:42.744288921 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:43.051779985 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:43.051800013 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:43.051908016 CET	49749	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:43.051908016 CET	49749	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:45.186805010 CET	49856	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:45.191740990 CET	80	49856	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:45.191963911 CET	49856	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:45.193109035 CET	49856	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:45.198060989 CET	80	49856	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:45.633497000 CET	49862	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:45.638441086 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:45.638571024 CET	49862	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:45.638742924 CET	49862	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:45.643646955 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:46.161211967 CET	80	49856	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:46.161237001 CET	80	49856	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:46.161248922 CET	80	49856	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:46.161261082 CET	80	49856	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:46.161273003 CET	80	49856	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:46.161317110 CET	49856	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:46.161468029 CET	49856	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:46.628895044 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:46.628915071 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:46.628999949 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:46.629013062 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:46.629026890 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:46.629038095 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:46.629061937 CET	49862	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:46.629105091 CET	49862	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:46.629105091 CET	49862	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:52.037288904 CET	49862	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:52.044867992 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:52.455089092 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:52.455107927 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:52.455121994 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:52.455158949 CET	49862	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:52.455203056 CET	49862	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:52.455212116 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:52.455226898 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:52.455265999 CET	49862	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:59.067512035 CET	49862	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:14:59.073419094 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:59.486918926 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:59.486941099 CET	80	49862	42.193.100.57	192.168.2.5
Nov 20, 2024 09:14:59.487080097 CET	49862	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:16:18.848134995 CET	49749	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:16:18.848227024 CET	49755	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:16:18.853735924 CET	80	49749	42.193.100.57	192.168.2.5
Nov 20, 2024 09:16:18.853801012 CET	49749	80	192.168.2.5	42.193.100.57
Nov 20, 2024 09:16:18.853991032 CET	80	49755	42.193.100.57	192.168.2.5
Nov 20, 2024 09:16:18.854039907 CET	49755	80	192.168.2.5	42.193.100.57

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 09:14:22.375523090 CET	1.1.1.1	192.168.2.5	0xfea0	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 09:14:22.375523090 CET	1.1.1.1	192.168.2.5	0xfea0	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Nov 20, 2024 09:14:24.734914064 CET	1.1.1.1	192.168.2.5	0xe628	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 09:14:24.734914064 CET	1.1.1.1	192.168.2.5	0xe628	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

42.193.100.57

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49749	42.193.100.57	80	6488	C:\Users\user\Desktop\212.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:14:28.891055107 CET	181	OUT	GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
Nov 20, 2024 09:14:32.845829964 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT Accept-Ranges: bytes ETag: "c04e101e3bdb1:0" Server: Microsoft-IIS/8.5 Date: Wed, 20 Nov 2024 08:14:32 GMT Content-Length: 5139 Data Raw: c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a c8 ab cb e6 bb fa 54 44 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 d8 be b3 c9 ad c1 d6 49 49 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 b8 df ca d6 cc d7 b2 cd 0d 0a ce d2 ce de b5 d0 c1 cb 0d 0a d0 c2 c9 f1 bd e7 c6 f5 d4 bc 32 0d 0a c9 f1 c4 a7 cd a8 cc ec bc c7 0d 0a c6 e5 c5 cc ce f7 d3 ce b8 df b4 ce ca fd 0d 0a c6 e5 c5 cc ce f7 d3 ce b5 cd b4 ce ca fd 0d 0a c9 a5 ca ac b3 b1 cf ae 0d 0a bd a3 d6 ae c0 b4 0d 0a ce d2 [TRUNCATED] Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
Nov 20, 2024 09:14:32.845865011 CET	1236	IN	Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 bb fa d3 a2 Data Ascii: T4
Nov 20, 2024 09:14:32.845880985 CET	1236	IN	Data Raw: 0a ca ae b5 ee d1 d6 c2 de 32 b5 f6 d3 e3 0d 0a d3 a2 c1 e9 b4 ab cb b5 d0 de b8 b4 d7 a8 ca f4 0d 0a cb a2 b9 d6 b4 f2 c7 ae 0d 0a d0 f2 c1 d0 d5 bd d5 f9 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a bb ec c2 d2 ce e4 c1 d6 49 49 49 0d 0a cc d3 c0 Data Ascii: 2III322
Nov 20, 2024 09:14:32.845896959 CET	672	IN	Data Raw: ca ac bf aa c5 da 0d 0a b1 ac cb ac cb a2 cb a2 cb a2 0d 0a e1 f7 c1 d4 b6 f1 c4 a7 0d 0a ca de b3 b1 c0 b4 cf ae 0d 0a d4 c6 c3 ce bd ad ba fe 0d 0a c5 da c5 da bb f0 c7 b9 ca d6 0d 0a b1 ac bf b3 ce d7 d1 fd cd f5 0d 0a ce fc d1 aa b9 ed d6 ae Data Ascii: ORPG2
Nov 20, 2024 09:14:32.845913887 CET	983	IN	Data Raw: c2 bd 4f 52 50 47 b6 a8 d6 c6 0d 0a b6 b7 bb ea b4 f3 c2 bd 4f 52 50 47 b3 c9 be cd 0d 0a bf e0 b9 a4 56 53 cb c2 c9 ae 32 0d 0a ce fc d1 aa b9 ed d0 d2 b4 e6 d5 df 32 0d 0a be d9 c9 f1 ce aa b5 d0 32 0d 0a b5 f6 d3 e3 c9 fa b4 e6 0d 0a ba da c9 Data Ascii: ORPGORPGVS2222100TD
Nov 20, 2024 09:14:35.986907005 CET	181	OUT	GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
Nov 20, 2024 09:14:36.394695997 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT Accept-Ranges: bytes ETag: "c04e101e3bdb1:0" Server: Microsoft-IIS/8.5 Date: Wed, 20 Nov 2024 08:14:36 GMT Content-Length: 5139 Data Raw: c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a c8 ab cb e6 bb fa 54 44 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 d8 be b3 c9 ad c1 d6 49 49 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 b8 df ca d6 cc d7 b2 cd 0d 0a ce d2 ce de b5 d0 c1 cb 0d 0a d0 c2 c9 f1 bd e7 c6 f5 d4 bc 32 0d 0a c9 f1 c4 a7 cd a8 cc ec bc c7 0d 0a c6 e5 c5 cc ce f7 d3 ce b8 df b4 ce ca fd 0d 0a c6 e5 c5 cc ce f7 d3 ce b5 cd b4 ce ca fd 0d 0a c9 a5 ca ac b3 b1 cf ae 0d 0a bd a3 d6 ae c0 b4 0d 0a ce d2 [TRUNCATED] Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
Nov 20, 2024 09:14:36.394716024 CET	1236	IN	Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 bb fa d3 a2 Data Ascii: T4
Nov 20, 2024 09:14:36.394728899 CET	448	IN	Data Raw: 0a ca ae b5 ee d1 d6 c2 de 32 b5 f6 d3 e3 0d 0a d3 a2 c1 e9 b4 ab cb b5 d0 de b8 b4 d7 a8 ca f4 0d 0a cb a2 b9 d6 b4 f2 c7 ae 0d 0a d0 f2 c1 d0 d5 bd d5 f9 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a bb ec c2 d2 ce e4 c1 d6 49 49 49 0d 0a cc d3 c0 Data Ascii: 2III322
Nov 20, 2024 09:14:36.394783020 CET	1236	IN	Data Raw: 0d 0a cb e9 bf d5 d6 f7 d4 d7 0d 0a 38 2e 32 36 d7 a2 d2 e2 ca c2 cf ee 0d 0a bd f8 bb af d2 bb cd b7 d6 ed 0d 0a d2 bb b8 f9 cf c9 bc f5 c9 d9 d5 bd c1 a6 0d 0a c9 a5 ca ac b3 f6 c1 fd 0d 0a c3 fe d3 e3 b7 e8 bf f1 cc d4 bd f0 0d 0a d2 bb b8 f9 Data Ascii: 8.264FORPG2
Nov 20, 2024 09:14:36.394795895 CET	1207	IN	Data Raw: cc ec d6 ae e1 db 0d 0a c4 a7 ca de d5 f7 d5 bd ca a6 0d 0a d5 da cc ec c8 fd b2 bf c7 fa 0d 0a cb de c3 fc c2 d6 bb d8 0d 0a ce e1 c3 fb ce aa bb c4 0d 0a df c7 df c7 c2 d2 c9 b1 0d 0a c9 a5 ca ac b5 ba 0d 0a d2 bb bf c3 ca f7 0d 0a d2 bb b8 f9 Data Ascii: X222ORPG
Nov 20, 2024 09:14:42.739360094 CET	164	OUT	GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
Nov 20, 2024 09:14:43.051779985 CET	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/8.5 Date: Wed, 20 Nov 2024 08:14:42 GMT Content-Length: 1163 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-container"><fieldset> [TRUNCATED]
Nov 20, 2024 09:14:43.051800013 CET	64	IN	Data Raw: dd ca b1 b2 bb bf c9 d3 c3 a1 a3 3c 2f 68 33 3e 0d 0a 20 3c 2f 66 69 65 6c 64 73 65 74 3e 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: </h3> </fieldset></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49755	42.193.100.57	80	6488	C:\Users\user\Desktop\212.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:14:29.324812889 CET	181	OUT	GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
Nov 20, 2024 09:14:30.430892944 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT Accept-Ranges: bytes ETag: "c04e101e3bdb1:0" Server: Microsoft-IIS/8.5 Date: Wed, 20 Nov 2024 08:14:30 GMT Content-Length: 5139 Data Raw: c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a c8 ab cb e6 bb fa 54 44 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 d8 be b3 c9 ad c1 d6 49 49 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 b8 df ca d6 cc d7 b2 cd 0d 0a ce d2 ce de b5 d0 c1 cb 0d 0a d0 c2 c9 f1 bd e7 c6 f5 d4 bc 32 0d 0a c9 f1 c4 a7 cd a8 cc ec bc c7 0d 0a c6 e5 c5 cc ce f7 d3 ce b8 df b4 ce ca fd 0d 0a c6 e5 c5 cc ce f7 d3 ce b5 cd b4 ce ca fd 0d 0a c9 a5 ca ac b3 b1 cf ae 0d 0a bd a3 d6 ae c0 b4 0d 0a ce d2 [TRUNCATED] Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
Nov 20, 2024 09:14:30.430918932 CET	1236	IN	Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 bb fa d3 a2 Data Ascii: T4
Nov 20, 2024 09:14:30.430932999 CET	1236	IN	Data Raw: 0a ca ae b5 ee d1 d6 c2 de 32 b5 f6 d3 e3 0d 0a d3 a2 c1 e9 b4 ab cb b5 d0 de b8 b4 d7 a8 ca f4 0d 0a cb a2 b9 d6 b4 f2 c7 ae 0d 0a d0 f2 c1 d0 d5 bd d5 f9 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a bb ec c2 d2 ce e4 c1 d6 49 49 49 0d 0a cc d3 c0 Data Ascii: 2III322
Nov 20, 2024 09:14:30.431005001 CET	1236	IN	Data Raw: ca ac bf aa c5 da 0d 0a b1 ac cb ac cb a2 cb a2 cb a2 0d 0a e1 f7 c1 d4 b6 f1 c4 a7 0d 0a ca de b3 b1 c0 b4 cf ae 0d 0a d4 c6 c3 ce bd ad ba fe 0d 0a c5 da c5 da bb f0 c7 b9 ca d6 0d 0a b1 ac bf b3 ce d7 d1 fd cd f5 0d 0a ce fc d1 aa b9 ed d6 ae Data Ascii: ORPG2
Nov 20, 2024 09:14:30.431016922 CET	419	IN	Data Raw: 0a be f8 b6 d4 b7 c0 ca d8 32 0d 0a bb c3 cf eb b7 e7 bb aa c2 bc 0d 0a bd a8 bb f9 b5 d8 b1 a9 b4 f2 b2 bb cb c0 d7 e5 0d 0a cc ec c3 fc d4 da ce d2 0d 0a cd f2 bd e7 c9 f1 d7 f0 0d 0a c3 ce bc a3 c9 b3 ba d3 34 0d 0a bb c3 da a4 ca a5 bd e7 0d Data Ascii: 242323

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49856	42.193.100.57	80	2072	C:\Users\user\Desktop\212.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:14:45.193109035 CET	181	OUT	GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
Nov 20, 2024 09:14:46.161211967 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT Accept-Ranges: bytes ETag: "c04e101e3bdb1:0" Server: Microsoft-IIS/8.5 Date: Wed, 20 Nov 2024 08:14:45 GMT Content-Length: 5139 Data Raw: c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a c8 ab cb e6 bb fa 54 44 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 d8 be b3 c9 ad c1 d6 49 49 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 b8 df ca d6 cc d7 b2 cd 0d 0a ce d2 ce de b5 d0 c1 cb 0d 0a d0 c2 c9 f1 bd e7 c6 f5 d4 bc 32 0d 0a c9 f1 c4 a7 cd a8 cc ec bc c7 0d 0a c6 e5 c5 cc ce f7 d3 ce b8 df b4 ce ca fd 0d 0a c6 e5 c5 cc ce f7 d3 ce b5 cd b4 ce ca fd 0d 0a c9 a5 ca ac b3 b1 cf ae 0d 0a bd a3 d6 ae c0 b4 0d 0a ce d2 [TRUNCATED] Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
Nov 20, 2024 09:14:46.161237001 CET	1236	IN	Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 bb fa d3 a2 Data Ascii: T4
Nov 20, 2024 09:14:46.161248922 CET	1236	IN	Data Raw: 0a ca ae b5 ee d1 d6 c2 de 32 b5 f6 d3 e3 0d 0a d3 a2 c1 e9 b4 ab cb b5 d0 de b8 b4 d7 a8 ca f4 0d 0a cb a2 b9 d6 b4 f2 c7 ae 0d 0a d0 f2 c1 d0 d5 bd d5 f9 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a bb ec c2 d2 ce e4 c1 d6 49 49 49 0d 0a cc d3 c0 Data Ascii: 2III322
Nov 20, 2024 09:14:46.161261082 CET	672	IN	Data Raw: ca ac bf aa c5 da 0d 0a b1 ac cb ac cb a2 cb a2 cb a2 0d 0a e1 f7 c1 d4 b6 f1 c4 a7 0d 0a ca de b3 b1 c0 b4 cf ae 0d 0a d4 c6 c3 ce bd ad ba fe 0d 0a c5 da c5 da bb f0 c7 b9 ca d6 0d 0a b1 ac bf b3 ce d7 d1 fd cd f5 0d 0a ce fc d1 aa b9 ed d6 ae Data Ascii: ORPG2
Nov 20, 2024 09:14:46.161273003 CET	983	IN	Data Raw: c2 bd 4f 52 50 47 b6 a8 d6 c6 0d 0a b6 b7 bb ea b4 f3 c2 bd 4f 52 50 47 b3 c9 be cd 0d 0a bf e0 b9 a4 56 53 cb c2 c9 ae 32 0d 0a ce fc d1 aa b9 ed d0 d2 b4 e6 d5 df 32 0d 0a be d9 c9 f1 ce aa b5 d0 32 0d 0a b5 f6 d3 e3 c9 fa b4 e6 0d 0a ba da c9 Data Ascii: ORPGORPGVS2222100TD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49862	42.193.100.57	80	2072	C:\Users\user\Desktop\212.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 09:14:45.638742924 CET	181	OUT	GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
Nov 20, 2024 09:14:46.628895044 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT Accept-Ranges: bytes ETag: "c04e101e3bdb1:0" Server: Microsoft-IIS/8.5 Date: Wed, 20 Nov 2024 08:14:46 GMT Content-Length: 5139 Data Raw: c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a c8 ab cb e6 bb fa 54 44 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 d8 be b3 c9 ad c1 d6 49 49 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 b8 df ca d6 cc d7 b2 cd 0d 0a ce d2 ce de b5 d0 c1 cb 0d 0a d0 c2 c9 f1 bd e7 c6 f5 d4 bc 32 0d 0a c9 f1 c4 a7 cd a8 cc ec bc c7 0d 0a c6 e5 c5 cc ce f7 d3 ce b8 df b4 ce ca fd 0d 0a c6 e5 c5 cc ce f7 d3 ce b5 cd b4 ce ca fd 0d 0a c9 a5 ca ac b3 b1 cf ae 0d 0a bd a3 d6 ae c0 b4 0d 0a ce d2 [TRUNCATED] Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
Nov 20, 2024 09:14:46.628915071 CET	224	IN	Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 bb fa d3 a2 Data Ascii: T4
Nov 20, 2024 09:14:46.628999949 CET	1236	IN	Data Raw: 0d 0a ce d2 d2 aa b4 f2 bd a9 ca ac 0d 0a d2 bb c9 ed d1 fd d7 b0 0d 0a ce d2 c4 dc b4 b3 bc b8 b9 d8 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 0d 0a bf aa cf e4 c9 fa b4 e6 0d 0a ca ae b5 ee d1 d6 c2 de 32 b2 e2 ca d4 0d 0a c6 e5 c5 cc ce Data Ascii: 2II2T
Nov 20, 2024 09:14:46.629013062 CET	1236	IN	Data Raw: ae c3 fc d4 cb 0d 0a ca ae b5 ee d1 d6 c2 de 32 d7 a8 cb a2 c8 a8 cf de 0d 0a d0 a1 d0 a1 bd a3 ca a5 d7 a8 cb a2 c8 a8 cf de 0d 0a d2 bb c4 ee cd a8 cc ec d7 a8 cb a2 c8 a8 cf de 0d 0a cb c4 c9 fa ca d3 bd e7 d7 a8 cb a2 c8 a8 cf de 0d 0a b7 e7 Data Ascii: 2F38.26
Nov 20, 2024 09:14:46.629026890 CET	1236	IN	Data Raw: af 0d 0a b7 e8 bf f1 b4 f2 bd f0 0d 0a cc b0 c0 b7 bf f3 bf d3 0d 0a c7 f3 cf c9 cc ec b5 c0 54 44 0d 0a b3 d4 ca e9 c9 fa b4 e6 0d 0a ba da bb ea c6 f4 ca be c2 bc 0d 0a ce d2 d4 da c3 f7 c4 a9 b5 b1 bd ab be fc 0d 0a be f8 ca c0 ce e4 bb ea 0d Data Ascii: TD7
Nov 20, 2024 09:14:46.629038095 CET	195	IN	Data Raw: d2 bb c9 ed c9 f1 d7 b0 33 0d 0a cc a4 cb e9 c8 fd bd e7 0d 0a d5 b6 d4 c2 cd c0 c1 fa 0d 0a d0 fe bb f0 b2 d4 f1 b7 0d 0a d3 a2 d0 db c2 b7 0d 0a be fc cd c5 d5 bd d5 f9 35 0d 0a b0 b5 ba da d1 ad bb b7 c8 a6 0d 0a c3 ce bc a3 c9 b3 ba d3 32 0d Data Ascii: 35222
Nov 20, 2024 09:14:52.037288904 CET	181	OUT	GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
Nov 20, 2024 09:14:52.455089092 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT Accept-Ranges: bytes ETag: "c04e101e3bdb1:0" Server: Microsoft-IIS/8.5 Date: Wed, 20 Nov 2024 08:14:51 GMT Content-Length: 5139 Data Raw: c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a c8 ab cb e6 bb fa 54 44 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 d8 be b3 c9 ad c1 d6 49 49 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 b8 df ca d6 cc d7 b2 cd 0d 0a ce d2 ce de b5 d0 c1 cb 0d 0a d0 c2 c9 f1 bd e7 c6 f5 d4 bc 32 0d 0a c9 f1 c4 a7 cd a8 cc ec bc c7 0d 0a c6 e5 c5 cc ce f7 d3 ce b8 df b4 ce ca fd 0d 0a c6 e5 c5 cc ce f7 d3 ce b5 cd b4 ce ca fd 0d 0a c9 a5 ca ac b3 b1 cf ae 0d 0a bd a3 d6 ae c0 b4 0d 0a ce d2 [TRUNCATED] Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
Nov 20, 2024 09:14:52.455107927 CET	1236	IN	Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 bb fa d3 a2 Data Ascii: T4
Nov 20, 2024 09:14:52.455121994 CET	448	IN	Data Raw: 0a ca ae b5 ee d1 d6 c2 de 32 b5 f6 d3 e3 0d 0a d3 a2 c1 e9 b4 ab cb b5 d0 de b8 b4 d7 a8 ca f4 0d 0a cb a2 b9 d6 b4 f2 c7 ae 0d 0a d0 f2 c1 d0 d5 bd d5 f9 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a bb ec c2 d2 ce e4 c1 d6 49 49 49 0d 0a cc d3 c0 Data Ascii: 2III322
Nov 20, 2024 09:14:52.455212116 CET	1236	IN	Data Raw: 0d 0a cb e9 bf d5 d6 f7 d4 d7 0d 0a 38 2e 32 36 d7 a2 d2 e2 ca c2 cf ee 0d 0a bd f8 bb af d2 bb cd b7 d6 ed 0d 0a d2 bb b8 f9 cf c9 bc f5 c9 d9 d5 bd c1 a6 0d 0a c9 a5 ca ac b3 f6 c1 fd 0d 0a c3 fe d3 e3 b7 e8 bf f1 cc d4 bd f0 0d 0a d2 bb b8 f9 Data Ascii: 8.264FORPG2
Nov 20, 2024 09:14:52.455226898 CET	1207	IN	Data Raw: cc ec d6 ae e1 db 0d 0a c4 a7 ca de d5 f7 d5 bd ca a6 0d 0a d5 da cc ec c8 fd b2 bf c7 fa 0d 0a cb de c3 fc c2 d6 bb d8 0d 0a ce e1 c3 fb ce aa bb c4 0d 0a df c7 df c7 c2 d2 c9 b1 0d 0a c9 a5 ca ac b5 ba 0d 0a d2 bb bf c3 ca f7 0d 0a d2 bb b8 f9 Data Ascii: X222ORPG
Nov 20, 2024 09:14:59.067512035 CET	164	OUT	GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
Nov 20, 2024 09:14:59.486918926 CET	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/8.5 Date: Wed, 20 Nov 2024 08:14:59 GMT Content-Length: 1163 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-container"><fieldset> [TRUNCATED]
Nov 20, 2024 09:14:59.486941099 CET	64	IN	Data Raw: dd ca b1 b2 bb bf c9 d3 c3 a1 a3 3c 2f 68 33 3e 0d 0a 20 3c 2f 66 69 65 6c 64 73 65 74 3e 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: </h3> </fieldset></div></div></body></html>

Target ID:	0
Start time:	03:14:26
Start date:	20/11/2024
Path:	C:\Users\user\Desktop\212.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\212.exe"
Imagebase:	0x400000
File size:	5'222'400 bytes
MD5 hash:	5FD229E70F23300791FA020CE7AD2994
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	03:14:42
Start date:	20/11/2024
Path:	C:\Users\user\Desktop\212.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\212.exe"
Imagebase:	0x400000
File size:	5'222'400 bytes
MD5 hash:	5FD229E70F23300791FA020CE7AD2994
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	51.7%
Signature Coverage:	38.5%
Total number of Nodes:	662
Total number of Limit Nodes:	24

Executed Functions

Function 004C3F90 Relevance: 15.3, APIs: 10, Instructions: 281
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,007E95F4), ref: 004C3FF7
LoadLibraryA.KERNEL32(?,?,007F9FD8), ref: 004C40E7
LoadLibraryA.KERNEL32(?,?), ref: 004C412D
LoadLibraryA.KERNEL32(?,?,007F9EE0,?), ref: 004C4175
LoadLibraryA.KERNEL32(?), ref: 004C418B
GetProcAddress.KERNEL32(00000000,?), ref: 004C419D
FreeLibrary.KERNEL32(00000000), ref: 004C4230

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: Library$Load$AddressProc$Free
String ID:
API String ID: 3120990465-0
Opcode ID: 9b10ded3165ffa8ed911674d8f4cba4c92a7c6affc743818d7843ed4808c0364
Instruction ID: e578664c677171d07b919bf33d0cfa4dc7b4e38d6a97b4071a74072c46e41feb
Opcode Fuzzy Hash: 9b10ded3165ffa8ed911674d8f4cba4c92a7c6affc743818d7843ed4808c0364
Instruction Fuzzy Hash: 1AA1A0B9A00702ABC754DF64C895FABB7A8BFD8314F044A2EF85587341DB38E9058B95

Function 10027BB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
RtlAllocateHeap.NTDLL(00B30000,00000008,?,?,10028674), ref: 10027BCD
MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6

Strings

error, xrefs: 10027BDB

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
Instruction ID: 89e5899bf0a8eaacd33e9d23978464e8beef4f738102cb453b69e42e0a268b90
Opcode Fuzzy Hash: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
Instruction Fuzzy Hash: 4DE0DF71A01A31ABE322EB64BC88F4B7698EF05B41F910526F608E2240EF20AC019791

Function 100193C2 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 424
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF

Strings

@, xrefs: 10019521

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: FilePath$AllocateCopyCountExistsHeapTempTickwsprintf
String ID: @
API String ID: 183890193-2766056989
Opcode ID: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
Instruction ID: 886d6a9a19e72094fdb0421fea6300c5803c3cbfa718e8e798f15b8255d4c358
Opcode Fuzzy Hash: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
Instruction Fuzzy Hash: 26D142B5E40209ABEB01DFD4DCC2F9EB7B4FF18704F540065F604BA282E776A9548B66

Function 1000710E Relevance: 5.1, APIs: 3, Instructions: 556
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: Version$InfoNumbersSystem
String ID:
API String ID: 995872648-0
Opcode ID: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
Instruction ID: 6910099e4755c4c9484fada616f008788a9246664730439cfdd765e490be93a4
Opcode Fuzzy Hash: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
Instruction Fuzzy Hash: 001225B5E40246DBFB00CFA8DC81799B7F0FF19364F290065E909AB345E379A951CB62

Function 10007FDD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00000000), ref: 1000806F

Strings

`+v, xrefs: 1000806F

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: Close
String ID: `+v
API String ID: 3535843008-2805226579
Opcode ID: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
Instruction ID: f7734d6dfd281f4cec539f69a8a4743609fe5589cfe20e3980177d77de103c32
Opcode Fuzzy Hash: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
Instruction Fuzzy Hash: 92112EB5D40308BBEB50DFE0DC86B9DBBB8EF05340F108069E6447A281D7B66B588B91

Function 10018AD3 Relevance: 3.3, APIs: 2, Instructions: 304
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05

HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51

Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: Create$Heap$ComputeCrc32Mutex
String ID:
API String ID: 3311811139-0
Opcode ID: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
Instruction ID: 66fc46a93c8d8d126791b072413d70454ec7258938680aadaad6e332e46fbde2
Opcode Fuzzy Hash: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
Instruction Fuzzy Hash: B8B10CB5E00309ABEB10EFE4DCC2B9E77B8FB14340F504465E618EB246E775AB448B52

Function 10004B1B Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(-0000007F), ref: 10004BAD

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
Instruction ID: 7f13cb2829284cec5adb7bd0b88e9c5a5f53f04c1fb2448feb0c9f08ba257be5
Opcode Fuzzy Hash: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
Instruction Fuzzy Hash: 0111C4B1600645DBFB20DF18C894B5973A5EB413D9F128336E806CB2E8CB78DD85C789

Function 1001A199 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D511,00000000), ref: 1001A1FA

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
Instruction ID: 8b03ad6f155dc1ffa3c952e4c0ec4cfc85cd69f7d418c3f1b48ca094e25b3ce2
Opcode Fuzzy Hash: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
Instruction Fuzzy Hash: EF012975D04319A7DB00EFD49C82F9E77B9EB05340F404066E50466151D775DB949B92

Function 10018EEA Relevance: 1.5, APIs: 1, Instructions: 23synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
Instruction ID: b5123a5caac3b4bfff5d25017b882f5dc189a7960400f6af0356bf2a3b5a090f
Opcode Fuzzy Hash: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
Instruction Fuzzy Hash: 49E01270E95308F7E120AA505D03B29B635D70AB11F609055BE083E1C1D5B19A156696

Function 00415ACD Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42efc7911a3632c85252d72a26d5be10352e65ab7c73a58dbd817ebbc231f559
Instruction ID: 922f983633efeb4e650654563c48a9c6ba1cb93056497a40514982931ce7fbd4
Opcode Fuzzy Hash: 42efc7911a3632c85252d72a26d5be10352e65ab7c73a58dbd817ebbc231f559
Instruction Fuzzy Hash: F631EA70804A0DEBCF00DF95E5C5A9DBB70FF09300F61C0D5E9A46A25ACB365A34DB66

Function 00549380 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00828AA0,00828A74,00000000,?,00828A84,00828A84,0054971B,?,00000000,0054916E,00548A5D,0054918A,00544591,00545836,?,00000000), ref: 0054938F
GlobalAlloc.KERNEL32(00002002,00000000,?,?,00828A84,00828A84,0054971B,?,00000000,0054916E,00548A5D,0054918A,00544591,00545836,?,00000000), ref: 005493E4
GlobalHandle.KERNEL32(00B42830), ref: 005493ED
GlobalUnlock.KERNEL32(00000000), ref: 005493F6
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00549408
GlobalHandle.KERNEL32(00B42830), ref: 0054941F
GlobalLock.KERNEL32(00000000), ref: 00549426
LeaveCriticalSection.KERNEL32(0052D748,?,?,00828A84,00828A84,0054971B,?,00000000,0054916E,00548A5D,0054918A,00544591,00545836,?,00000000), ref: 0054942C
GlobalLock.KERNEL32(00000000), ref: 0054943B
LeaveCriticalSection.KERNEL32(?), ref: 00549484

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: ad25314e3ab3a8c0cbd963cee62433216bdfd4a3f84765b6980d9fd789afd86f
Instruction ID: 19dbcf0657b61c1cc227c06bdba581954e5447f19367e633dfe00b6d56813a3a
Opcode Fuzzy Hash: ad25314e3ab3a8c0cbd963cee62433216bdfd4a3f84765b6980d9fd789afd86f
Instruction Fuzzy Hash: 863162752007069FDB249F24DC9A96ABBE9FB84305F015E2DF452C36A1E771E849CB10

Function 100294C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
GetTickCount.KERNEL32 ref: 10029543
wsprintfA.USER32 ref: 10029558
PathFileExistsA.SHLWAPI(?), ref: 10029565

Strings

%s%x.tmp, xrefs: 10029552

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: Path$CountExistsFileTempTickwsprintf
String ID: %s%x.tmp
API String ID: 3843276195-78920241
Opcode ID: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
Instruction ID: 19c0f5fbbc49b21063d5a4c1e69b6cb6cd736cc94922c53957f775166a9e82b6
Opcode Fuzzy Hash: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
Instruction Fuzzy Hash: 9521F6352046144FE329D638AC526EB77D5FBC4360F948A2DF9AA831C0DF74DD058791

Function 10028D40 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,100149DF,00000001,00000000,00000000,80000004,00000000,00000000,00000000), ref: 10028D55
GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C

Part of subcall function 10027BB0: GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(00B30000,00000008,?,?,10028674), ref: 10027BCD
Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6

ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
String ID:
API String ID: 749537981-0
Opcode ID: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
Instruction ID: 3e7a6e3e6917c5c906f0044d82f650070526e8034b550c75b50b94cd4b2286ca
Opcode Fuzzy Hash: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
Instruction Fuzzy Hash: 31F044762003107BE3218B64DCC9F9B77ACEB84B51F204A1DF616961D0E670A5458761

Function 005445A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 005445B4
SetWindowsHookExA.USER32(000000FF,V`H,00000000,00000000), ref: 005445C4

Part of subcall function 0054977C: __EH_prolog.LIBCMT ref: 00549781

Strings

V`H, xrefs: 005445BD

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID: V`H
API String ID: 2183259885-1425837005
Opcode ID: a968092648243b1de3933c13ca20f37d9bfa769727cd23695748f94c2b568f44
Instruction ID: cafaa9d5175e1b4fcbafa3d351b0214de027a49dc63830424b1166ee167f086c
Opcode Fuzzy Hash: a968092648243b1de3933c13ca20f37d9bfa769727cd23695748f94c2b568f44
Instruction Fuzzy Hash: A4F0EC724403527FCF603BB0AD0FBDA3E50BF41329F051658B112565E2DE704884CB51

Function 00549FB0 Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00000000,00000000,00545855,00000000,00000000,00000000,00000000,?,00000000,?,0053CFE3,00000000,00000000,00000000,00000000,0052D748), ref: 00549FB9
SetErrorMode.KERNEL32(00000000,?,00000000,?,0053CFE3,00000000,00000000,00000000,00000000,0052D748,00000000), ref: 00549FC0

Part of subcall function 0054A013: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A044
Part of subcall function 0054A013: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A0E5
Part of subcall function 0054A013: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A112

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: f5cc11b3060c09880d13a835071dac1ff441f947291634e4d0d4758776c38180
Instruction ID: f8c6a5041a6189f4a9727753535ba19f80266c4f89c0d2c832ce6d820c9130e8
Opcode Fuzzy Hash: f5cc11b3060c09880d13a835071dac1ff441f947291634e4d0d4758776c38180
Instruction Fuzzy Hash: A0F03771A442128FDB54BF24D449B8A7FE5BF84724F06848AB4489B3A2CB70D844CB66

Function 004C3A50 Relevance: 3.0, APIs: 2, Instructions: 30
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004C3A67
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004C3A8D

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: d5d2506b950605fd47a43454618ffe8a54ad3c91368ebf1fb006fd2e3387a302
Instruction ID: 76e8f1ffa07dd898dc716bdc8894ed582a4827aed8380352d3db6b074b258331
Opcode Fuzzy Hash: d5d2506b950605fd47a43454618ffe8a54ad3c91368ebf1fb006fd2e3387a302
Instruction Fuzzy Hash: 82F02B35740302BBFB30EAA48C07F5B37686F44B00F58445AF741AB1C0D6B4E5048BE9

Function 005336E8 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,0052D6C6,00000001), ref: 005336F9

Part of subcall function 005335A0: GetVersionExA.KERNEL32 ref: 005335BF

HeapDestroy.KERNEL32 ref: 00533738

Part of subcall function 00536FB5: HeapAlloc.KERNEL32(00000000,00000140,00533721,000003F8), ref: 00536FC2

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: a74c570746986a0d0ea47059bd758b4a4c67e8f0631b46f34643c4d50467435d
Instruction ID: 4c67345b98219cc9fbcd319bd06b0996eed072ab7f9ead6850bd63d8d21f0bfd
Opcode Fuzzy Hash: a74c570746986a0d0ea47059bd758b4a4c67e8f0631b46f34643c4d50467435d
Instruction Fuzzy Hash: C6F0E5F15543029ADF316B71AC4A7396FD4FB94B92F208825F401C51F5EB609781D651

Function 10027C40 Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000008), ref: 10027C6E
RtlFreeHeap.NTDLL(00B30000,00000000,00000000), ref: 10027C80

Part of subcall function 10027AE0: GetModuleHandleA.KERNEL32(10000000,10027CB6,?,?,00000000,10013438,00000004,1002D4C1,00000000,00000000,?,00000014,00000000,00000000), ref: 10027AEA

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: FreeHandleHeapModuleRead
String ID:
API String ID: 627478288-0
Opcode ID: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
Instruction ID: 59851536013e0aac3578df5bad16e171669d5e3b00cd7f1de4e20f90094f5fd3
Opcode Fuzzy Hash: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
Instruction Fuzzy Hash: 46E0ED71A0153297EB21FB34ADC4A4B769CFB417C0BB1402AF548B3151D330AC818BA2

Function 0052EFA5 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0052F08C

Part of subcall function 00535DA4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0052FEBC,00000009,00000000,00000000,00000001,00533531,00000001,00000074,?,?,00000000,00000001), ref: 00535DE1
Part of subcall function 00535DA4: EnterCriticalSection.KERNEL32(?,?,?,0052FEBC,00000009,00000000,00000000,00000001,00533531,00000001,00000074,?,?,00000000,00000001), ref: 00535DFC

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: b50a54126d5f03314ace5bce555d84f4417006c255ac018d07a5b83e6c35a0ba
Instruction ID: fda5f1372ea282848f20700875a3b7f291e02e6ecb51f2ca8f5cdd57d303a4dd
Opcode Fuzzy Hash: b50a54126d5f03314ace5bce555d84f4417006c255ac018d07a5b83e6c35a0ba
Instruction Fuzzy Hash: 07219131A00225ABDB20DB65FD4ABAE7F74FF05B20F148635F512EB1C2D774A9418754

Function 0052EE7E Relevance: 1.6, APIs: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0052FEBC,00000009,00000000,00000000,00000001,00533531,00000001,00000074), ref: 0052EF52

Part of subcall function 00535DA4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0052FEBC,00000009,00000000,00000000,00000001,00533531,00000001,00000074,?,?,00000000,00000001), ref: 00535DE1
Part of subcall function 00535DA4: EnterCriticalSection.KERNEL32(?,?,?,0052FEBC,00000009,00000000,00000000,00000001,00533531,00000001,00000074,?,?,00000000,00000001), ref: 00535DFC

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapInitialize
String ID:
API String ID: 641406236-0
Opcode ID: 24c306d7923f459035ffe69cb54918f162b565b98831144c1282bc373f874ba9
Instruction ID: 2cd68e3eda54daa632ce78adaa8977869d60c8453585af0fd4ff57cff763c124
Opcode Fuzzy Hash: 24c306d7923f459035ffe69cb54918f162b565b98831144c1282bc373f874ba9
Instruction Fuzzy Hash: 2C21077280566AABDF209B54ED0BBDE7F78FF45720F280529F410B61C0D7348940CBA0

Function 00545111 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

LoadStringA.USER32(?,?,?,?), ref: 00545128

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: e00ba2af5c0ab2ebee51c7ba3a58208dc53a8c205b24856cabd4796f089c07ce
Instruction ID: f866337a6e553ccfb506ae1d9a70e8dbcc8f7b4d9878c9d426e063b8485df80a
Opcode Fuzzy Hash: e00ba2af5c0ab2ebee51c7ba3a58208dc53a8c205b24856cabd4796f089c07ce
Instruction Fuzzy Hash: ADD0A7725093629BC751DF50880CDCFBFA8BF54320B050C0DF58443212D320C804CB61

Function 00543BFA Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?,004C05BC,00000000), ref: 00543C08

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ffc18a60ec64a25ffe576df6f9df42f32a41d4df3b93da3696965e1d8b0a479c
Instruction ID: 252037205515f111dae06e2208d33911f0af6dae1e059eb374bc1af3dd6e5d94
Opcode Fuzzy Hash: ffc18a60ec64a25ffe576df6f9df42f32a41d4df3b93da3696965e1d8b0a479c
Instruction Fuzzy Hash: C7D09231204200EFCF058F60CA88A5ABBA2BF94709F249968E5469A166D732DD62FF01

Function 10028E50 Relevance: 1.5, APIs: 1, Instructions: 4fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
Instruction ID: ffbd99c73049c44a809e906c9e813abd6042298cab9f2baa300a0a2bd65e465f
Opcode Fuzzy Hash: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
Instruction Fuzzy Hash: 5EA00275904611EBDE11DBA4C9DC84B7BACAB84341B108844F155C2130C634D451CB21

Non-executed Functions

Function 1001F2ED Relevance: 27.7, APIs: 17, Instructions: 2156windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 1001F57C
IsIconic.USER32(00000000), ref: 1001F86F
GetDCEx.USER32(00000000,00000000,00000020,?,?,?,?,-00000004), ref: 1001F8D4
GetDCEx.USER32(00000000,00000000,00000020,?,?,?,?,-00000004), ref: 1001FE93
GetWindowInfo.USER32(00000000,00000000), ref: 1001FFE2
GetWindowRect.USER32(00000000,?), ref: 100201EB
CreateCompatibleDC.GDI32(00000000), ref: 100205D5
CreateDIBSection.GDI32(00000000,00000000,00000000,00000000), ref: 100206C0
SelectObject.GDI32(00000000,00000000), ref: 10020798
CreateCompatibleDC.GDI32(00000000), ref: 100207D7
SelectObject.GDI32(00000000,00000000), ref: 1002086C
PrintWindow.USER32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,-00000004), ref: 100208A9
BitBlt.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00CC0020), ref: 1002091B
SelectObject.GDI32(00000000,00000000), ref: 10020ADE
GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10020CB4

Part of subcall function 10028090: _CIfmod.MSVCRT(?,?,?,1000197A,00000002,?,?,80000601,00000000,40140000,80000601,00000000,00000000,00000001), ref: 100280A8

Part of subcall function 10002461: HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: Window$CreateObjectSelect$Compatible$AllocBitsHeapIconicIfmodInfoPrintRectSection
String ID:
API String ID: 3140154463-0
Opcode ID: 88eda80100b7a025ec30ab416d140f093013ab73758d7af4ff83b5959809b2a7
Instruction ID: ea048d8ca86424f245eedfb131be0975fd1a5b6ab4dedd9bad29979357843bcf
Opcode Fuzzy Hash: 88eda80100b7a025ec30ab416d140f093013ab73758d7af4ff83b5959809b2a7
Instruction Fuzzy Hash: CB13F3B0A40329DBEF20CF54DCC1B99BBB1FF19314F5440A4E648AB241D775AAA4DF25

Function 10014289 Relevance: 23.7, APIs: 15, Instructions: 1193COMMON

Download Yara Rule

APIs

PathFindFileNameA.SHLWAPI(00000000), ref: 100143A7

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: FileFindNamePath
String ID:
API String ID: 1422272338-0
Opcode ID: 0e6eff065a05a2f384f771e1e98f391994859e5652061184b7ca416d9ae97ae4
Instruction ID: 6aa6a69dd7cd03d5bb48bed33b8f4d969fd18b6c87b19858859c797241170964
Opcode Fuzzy Hash: 0e6eff065a05a2f384f771e1e98f391994859e5652061184b7ca416d9ae97ae4
Instruction Fuzzy Hash: 6A8276B5E40309ABEB10DFD0DC82F9E77B4EF14741F550025F608BE291EBB2AA558B52

Function 004CBF30 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 93libraryloaderwindowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004CBF3C
IsZoomed.USER32(?), ref: 004CBF4A
LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 004CBF74
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004CBF87
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004CBF95
FreeLibrary.KERNEL32(00000000), ref: 004CBFCB
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004CBFE1
IsWindow.USER32(?), ref: 004CC00E
ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 004CC01B

Strings

H, xrefs: 004CBFB8
User32.dll, xrefs: 004CBF69
MonitorFromWindow, xrefs: 004CBF81
GetMonitorInfoA, xrefs: 004CBF8D

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
API String ID: 447426925-661446951
Opcode ID: 8b34f5fbba60183606cc67ad269d2bff897997b10f0a45e32e74d7b78f754ff6
Instruction ID: ca2de38681900c8b3a34e365fa1ea7a15dce86e6860c6c7bd0eacf66f68d9767
Opcode Fuzzy Hash: 8b34f5fbba60183606cc67ad269d2bff897997b10f0a45e32e74d7b78f754ff6
Instruction Fuzzy Hash: 33316D75300302AFDB209F65CC5AF2B77A8EF94B41F04841DFA05E7290DB78E9098BA5

Function 1000C655 Relevance: 17.0, APIs: 9, Instructions: 3537threadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D459,?), ref: 1000C917
InterlockedExchange.KERNEL32(1002D45D,?), ref: 1000C9CE
InterlockedExchange.KERNEL32(1002D461,?), ref: 1000CA85
InterlockedExchange.KERNEL32(1002D465,?), ref: 1000CB3C
InterlockedExchange.KERNEL32(1002D469,?), ref: 1000CBF3
InterlockedExchange.KERNEL32(1002D455,?), ref: 1000CCAA

Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73

GetWindowThreadProcessId.USER32(1000C613,00000000), ref: 1000CCFD

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked$CodeProcessThreadWindow
String ID:
API String ID: 1323220708-0
Opcode ID: a57e3a7ebe96e369419e08ba99744fb8776840faf4a81f30f508d6abc0fe4111
Instruction ID: 2b64659c084c5c153bef61b4d063f84a8c6e811bd728d09e8d095ab07dd3c45c
Opcode Fuzzy Hash: a57e3a7ebe96e369419e08ba99744fb8776840faf4a81f30f508d6abc0fe4111
Instruction Fuzzy Hash: AF5308B5E00348ABEF11DFD4DC82FADBBB5EF08344F540029FA04BA296D7B669548B15

Function 1002129C Relevance: 14.7, APIs: 9, Instructions: 1172COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00000001,00000001), ref: 1002140D
GetDCEx.USER32(00000000,00000000,00000020,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 100218AD
CreateCompatibleDC.GDI32(00000000), ref: 100218DC
SelectObject.GDI32(00000000,00000000), ref: 1002195D
PrintWindow.USER32(00000001,00000000,00000000), ref: 10021994
GetObjectA.GDI32(00000000,00000018,00000000), ref: 10021A33
GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10021CA1
SelectObject.GDI32(00000000,00000000), ref: 100220CA
ReleaseDC.USER32(00000000,00000000), ref: 10022153

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: Object$SelectWindow$BitsCompatibleCreatePrintRectRelease
String ID:
API String ID: 2343085801-0
Opcode ID: 63133bb0db85fb87063aa834a4ef367d52919f1049c1e49f4a6d5bd8347d4e59
Instruction ID: af8189180e66b16a91b6480abd6d1d91958fea63da9546105489bf86ff406ccc
Opcode Fuzzy Hash: 63133bb0db85fb87063aa834a4ef367d52919f1049c1e49f4a6d5bd8347d4e59
Instruction Fuzzy Hash: A7A2BCB4E40359ABEF10CF94DC81B9DBBB1FF09304F604064EA09AB295D3B56965CB26

Function 004C6020 Relevance: 12.9, APIs: 8, Instructions: 859COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad197e24d0fa4df088b58870f85af792d4101ac12818177ef34829a5b86e8479
Instruction ID: 598362dc1d7d85b3f43893f337487c966691ef6159d1ca6b4fb522807c11b04b
Opcode Fuzzy Hash: ad197e24d0fa4df088b58870f85af792d4101ac12818177ef34829a5b86e8479
Instruction Fuzzy Hash: 6B62D2796043019BD764DF24C890F6BB7E5EFC4314F15852EE98A97381EA38EC05CB6A

Function 10017804 Relevance: 7.8, Strings: 6, Instructions: 270COMMON

Download Yara Rule

Strings

?, xrefs: 10017833
\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT, xrefs: 1001796A
\REGISTRY\MACHINE, xrefs: 10017A0C
\, xrefs: 10017871
\REGISTRY\USER, xrefs: 10017A52
_Classes, xrefs: 10017AA0

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID: ?$\$\REGISTRY\MACHINE$\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT$\REGISTRY\USER$_Classes
API String ID: 0-1655980394
Opcode ID: e22ae917082b87936fa41f08c48656746adfa22af9818a3601b39729e2dc5093
Instruction ID: cfee4882955295f256346ab5d35a508912345f973a0f1410f6445f43bbb6ad63
Opcode Fuzzy Hash: e22ae917082b87936fa41f08c48656746adfa22af9818a3601b39729e2dc5093
Instruction Fuzzy Hash: 379124B5E00209EFDF40DFD4DD85BAE7BB8FF18240F604429E60DAA241D7759B849B62

Function 100221E2 Relevance: 6.3, APIs: 4, Instructions: 331fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,00000018,00000000,00000000,00000000,00000000,00000000,00000018,00000000,00000000,00000000,00000000,00000000), ref: 100226B0

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
Instruction ID: aca3888e1ced534dfb8bff30dc6f5772290e13aa398f14ea119e8b9ebb5f1563
Opcode Fuzzy Hash: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
Instruction Fuzzy Hash: CED1AF75D40209FBEF219FE0EC46BDDBAB1EB09714F608115F6203A2E0C7B62A549F59

Function 1001A8BE Relevance: 6.3, APIs: 4, Instructions: 265COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 1001A976
SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ObjectSelect$Release
String ID:
API String ID: 3581861777-0
Opcode ID: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
Instruction ID: 0a28f281d22c81f76b667070ee8f4b39c3514b9b46e69f88ae8cd14bf3a1b365
Opcode Fuzzy Hash: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
Instruction Fuzzy Hash: 2B9116B0D40309EBDF01EF81DC86BAEBBB1EB0A715F005015F6187A290D3B69691CF96

Function 1001A6F8 Relevance: 6.1, APIs: 4, Instructions: 133windowthreadCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 1001A773
IsWindowVisible.USER32(00000000), ref: 1001A7AC
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 1001A7E9
GetWindow.USER32(00000000,00000002), ref: 1001A872

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: Window$ProcessThreadVisible
String ID:
API String ID: 569392824-0
Opcode ID: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
Instruction ID: 356be4359fdaef5b37944779847d5b641f80ef076249e3ad3302764c89b6051f
Opcode Fuzzy Hash: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
Instruction Fuzzy Hash: 284105B4D40219EBEB40EF90DC87BAEFBB0FB06711F105065E5097E190E7B19A90CB96

Function 0052D668 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0052D68E

Part of subcall function 005336E8: HeapCreate.KERNEL32(00000000,00001000,00000000,0052D6C6,00000001), ref: 005336F9
Part of subcall function 005336E8: HeapDestroy.KERNEL32 ref: 00533738

GetCommandLineA.KERNEL32 ref: 0052D6EE
GetStartupInfoA.KERNEL32(?), ref: 0052D719
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0052D73C

Part of subcall function 0052D795: ExitProcess.KERNEL32 ref: 0052D7B2

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 0628e629c6cb789062e5930e7e98b9449164dc3c39a12ae0ff9b831c0963d826
Instruction ID: fe17ad6629eb14775e6edcfa1fb380c5c3f9d267a9a03c527cbe546e9254be7a
Opcode Fuzzy Hash: 0628e629c6cb789062e5930e7e98b9449164dc3c39a12ae0ff9b831c0963d826
Instruction Fuzzy Hash: AC21B1B1900716AFDB18AFB4EC4ABAE7FB8FF85B10F144419F9019B291DB748841C760

Function 1001221F Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 630nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00000000), ref: 10012990

Strings

`+v, xrefs: 10012990
(, xrefs: 10012244

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: Close
String ID: ($`+v
API String ID: 3535843008-1656047349
Opcode ID: 7a332dac4401a920269cba03dc06d0fc5b09a4c31d79a57ea6b303e349c4f0f0
Instruction ID: acc8f56f01466ae78c1c2cfb7f14f5a9cb3254fd2462285b483ece6b545600e1
Opcode Fuzzy Hash: 7a332dac4401a920269cba03dc06d0fc5b09a4c31d79a57ea6b303e349c4f0f0
Instruction Fuzzy Hash: 41220CB5D00219ABEF00DFE4ECC1BAEB775FF18340F504028FA15BA256D776A9608B61

Function 100151BD Relevance: 5.3, APIs: 3, Instructions: 822COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000059,00000000,00000000,00000000), ref: 100156E3
SystemParametersInfoA.USER32(0000005A,00000000,00000000,00000002), ref: 100158B9
UnloadKeyboardLayout.USER32(00000000), ref: 100159A5

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: InfoParametersSystem$KeyboardLayoutUnload
String ID:
API String ID: 1487128349-0
Opcode ID: 0226bddf635d607848fcc8a3ce1956f1dfd2ff90d5e67fe2f9c10deefa186aa5
Instruction ID: 050fea7ffa1bc3994f10f6bed9b27e470259e4e1db6febdaadab7ec0439d0979
Opcode Fuzzy Hash: 0226bddf635d607848fcc8a3ce1956f1dfd2ff90d5e67fe2f9c10deefa186aa5
Instruction Fuzzy Hash: 224245B5E40305EBEB00DF94DCC2FAE77A4EF18355F540025E605BF286E776AA448B62

Function 1001419C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34nativesynchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?,?,10026B6B), ref: 100141AB
NtClose.NTDLL(?), ref: 100141D7

Strings

`+v, xrefs: 100141D7

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: CloseMutexRelease
String ID: `+v
API String ID: 2985832019-2805226579
Opcode ID: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
Instruction ID: 38ac61447b851c898caa1bdb063a432cf123be9b48bf26603be34453f4d11833
Opcode Fuzzy Hash: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
Instruction Fuzzy Hash: 69F08CB0E41308F7DA00AF50DC03B7DBA30EB16751F105021FA087E0A0DBB29A659A9A

Function 100198CC Relevance: 4.9, APIs: 1, Strings: 2, Instructions: 434stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,FFFFFFFF,00000000,?,00000000,00000000,00000001,FFFFFFFF,00000000,?,FFFFFFFF,00000000,?,FFFFFFFF,00000000), ref: 10019B06

Strings

Z, xrefs: 10019B7F
w, xrefs: 10019BBE

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: lstrlen
String ID: Z$w
API String ID: 1659193697-2716038989
Opcode ID: 14b0ca790eb9ae8847579f1349c02be75ec1f05ac398c4f3cad0be9f6ca5cf29
Instruction ID: 282b89e6495933af6440fbbb597b1de90ef5dffa39cee2d72f7ed257570ffe54
Opcode Fuzzy Hash: 14b0ca790eb9ae8847579f1349c02be75ec1f05ac398c4f3cad0be9f6ca5cf29
Instruction Fuzzy Hash: 550202B0D0061CDBEB10DFE1E9897EDBBB4FF48340F2140A4E485BA249DB725AA5CB55

Function 1002378A Relevance: 4.6, APIs: 3, Instructions: 104COMMON

Download Yara Rule

APIs

WindowFromDC.USER32(00000000), ref: 100237BF
GetCurrentObject.GDI32(00000000,00000007), ref: 100237FF

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: CurrentFromObjectWindow
String ID:
API String ID: 1970099965-0
Opcode ID: b4fc28a30c016e0f3434186770363817d1562ad41469c0952657f73b3ef3185f
Instruction ID: 5e3447216257589ac88371f0c3b1c154c22f3bd6e68f106655ab8dd4a69be074
Opcode Fuzzy Hash: b4fc28a30c016e0f3434186770363817d1562ad41469c0952657f73b3ef3185f
Instruction Fuzzy Hash: 9F313770D40308EBDB00DF90D886BADBBB0FB0A751F409065F6087E290E7B19A54DF96

Function 1001AC51 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 700COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 1001ACD1

Strings

, xrefs: 1001B0E1

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ObjectStock
String ID:
API String ID: 3428563643-3916222277
Opcode ID: 34811a479ff939bbd0d37306ad3751707146f9b865cac1cf01731385c4780bb4
Instruction ID: b9a15d43875d05f13c7aca3fde3137a0688d1b6e1dffe905ed574dcac1c1d11e
Opcode Fuzzy Hash: 34811a479ff939bbd0d37306ad3751707146f9b865cac1cf01731385c4780bb4
Instruction Fuzzy Hash: AE325BB5A402569FEB00CF98DCC1B99BBF4FF29314F580065E546AB342D379B991CB22

Function 10025484 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 423COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D531,?), ref: 10025544

Strings

Thread, xrefs: 10025515

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID: Thread
API String ID: 367298776-915163573
Opcode ID: 0f35051adc867b6f3eb31b1a967cfc10eed751901f350b72bdb8150afa714329
Instruction ID: e87a296fab3b19ef06520bc3e141919b3527ea124beb15feda4261f24f1e3c13
Opcode Fuzzy Hash: 0f35051adc867b6f3eb31b1a967cfc10eed751901f350b72bdb8150afa714329
Instruction Fuzzy Hash: 38F116B5E00259ABEF00DFE4EC81BDDBBB5FF08314F640025F605BA241D7B6A9548B65

Function 10024781 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 405COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D529,?), ref: 10024841

Strings

Process, xrefs: 10024812

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID: Process
API String ID: 367298776-1235230986
Opcode ID: d2f68a8877050e88ca52d3a1b362dc4e0adfd70d905bf2d7a8a251b6a21b3eb8
Instruction ID: 84bd04864f9d1e807072be8e5ab147b3cae892089b2f3c2b5496a308401e609c
Opcode Fuzzy Hash: d2f68a8877050e88ca52d3a1b362dc4e0adfd70d905bf2d7a8a251b6a21b3eb8
Instruction Fuzzy Hash: 85E104B5E41259ABEF00DFE4EC81B9DBBB5FF08304F640025F605BA241EB75A954CB61

Function 10026356 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 587stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,000000FF,00000000,?,00000000,00000000,?,0000009C,00000000,?,?,FFFFFF9C,00000000), ref: 10026700

Strings

#, xrefs: 1002641F

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: lstrlen
String ID: #
API String ID: 1659193697-1885708031
Opcode ID: 7e6295f5caa4a652e8defb0c53b8757dc8115242becb546e1cd2ddf94898e13d
Instruction ID: 30fcd15e93819707c4a405128049bbda1367cf8e2b4a4446b34ba685154cf5d7
Opcode Fuzzy Hash: 7e6295f5caa4a652e8defb0c53b8757dc8115242becb546e1cd2ddf94898e13d
Instruction Fuzzy Hash: 2232CF70D0061DEBEB10DFD0EC99BADBBB4FF48340F618094E495BA199CB715AB58B14

Function 10007E55 Relevance: 3.1, APIs: 2, Instructions: 119COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,10007D8B,00000000), ref: 10007EA0
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,FFFFFFFF,10007D8B,00000000,00000000,00000000,00000000,00000000), ref: 10007F7E

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: bda0d135b53912d681397df84b39cfb901c8e1d28ca02e616f5f005ca4c51389
Instruction ID: b3f739b553b0eb222627b335ec04950199b8c6fc0fb38b6c76c83e211291c2b2
Opcode Fuzzy Hash: bda0d135b53912d681397df84b39cfb901c8e1d28ca02e616f5f005ca4c51389
Instruction Fuzzy Hash: 62417C74E0020DFBEB10DFD0EC46BAEBBB4FB08750F204165F618BA195DBB56A608B55

Function 1001363D Relevance: 3.1, APIs: 2, Instructions: 110COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001368C
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 10013744

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 29862c888924d45c4ba2e300f17eb5bcd02a481ba966d84d668dfe1bb4d5aab7
Instruction ID: dea56998412ea2cd2e2e07e98f2853e180ac33eb45cb94fa257388ef996dc557
Opcode Fuzzy Hash: 29862c888924d45c4ba2e300f17eb5bcd02a481ba966d84d668dfe1bb4d5aab7
Instruction Fuzzy Hash: 543141B5E40309BBEB50DFD49C82FAE7BB4EB04710F108055FA18BE2C1D7B6A6909B55

Function 10017D41 Relevance: 3.1, APIs: 2, Instructions: 108COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,?,?,?,100172C1,00000000,00000000,00000000), ref: 10017D82
ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,100172C1), ref: 10017E29

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 69d3f48662c60aa8471e2db2691721ec0b878157a118ab2c20fe49b153d34404
Instruction ID: 93bfbce67b494b6763231a081cd11fe6566247fc84b5e7443ef84a885c003b65
Opcode Fuzzy Hash: 69d3f48662c60aa8471e2db2691721ec0b878157a118ab2c20fe49b153d34404
Instruction Fuzzy Hash: 96313675E00309BBEB51DED49C82FAE7BF4EF08704F104065FA08BB242D772AA509B55

Function 10011653 Relevance: 3.1, APIs: 2, Instructions: 79windowCOMMON

Download Yara Rule

APIs

DispatchMessageA.USER32(1001176C), ref: 100116D4
CallWindowProcA.USER32(?,?,?,?), ref: 10011714

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: CallDispatchMessageProcWindow
String ID:
API String ID: 3568206097-0
Opcode ID: 4482fe2aa797ff1df0b8a016cfba6ab4f1edf6d8360ca980b76e75974128ba22
Instruction ID: 63bf1ad0f6820a7cfc32d841282287ffa4cda79eab35e4a2f1e5c3704b1abdfe
Opcode Fuzzy Hash: 4482fe2aa797ff1df0b8a016cfba6ab4f1edf6d8360ca980b76e75974128ba22
Instruction Fuzzy Hash: AE21C775E40318EBDB00EF94DCC2A9DBBB1FB0D310F5040A5EA08AB351D371AA90DB52

Function 100032EA Relevance: 2.8, Strings: 1, Instructions: 1588COMMON

Download Yara Rule

Strings

, xrefs: 100034D2

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1d3d201b3cf0f4e34ced4be5fd0ab536c8b491c3572058b51f69840eb97b3778
Instruction ID: 90b3556d9a436454375a3f12806074c3db2d9078b135128fdcdde92096655a79
Opcode Fuzzy Hash: 1d3d201b3cf0f4e34ced4be5fd0ab536c8b491c3572058b51f69840eb97b3778
Instruction Fuzzy Hash: 52C2B7B4F40346ABFB11CA94DCC2B9E77B0EB08390F214165F658FA2DAD7B15E408B56

Function 1000210D Relevance: 2.7, APIs: 2, Instructions: 237COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,00000000,?,?,?,100078F7,00000000,00000000,00000000), ref: 10002169
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000002,00000000,00000000,?,?,?,?,?,?,?,100078F7), ref: 1000222A

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: e01d84eb64cce406f4b39f0ec6733233002c155c01e245fd4058cdbcce10abd4
Instruction ID: e83377b6f6ad2707753203cfccfcc485ecbfcdf7635717af9e37d537513bb723
Opcode Fuzzy Hash: e01d84eb64cce406f4b39f0ec6733233002c155c01e245fd4058cdbcce10abd4
Instruction Fuzzy Hash: 29814D75E00209ABEF00DFD4DC86FEEBBB4EF08340F504065FA14BA285D7B5AA548B55

Function 1001DB5C Relevance: 2.4, APIs: 1, Instructions: 857COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D519,?), ref: 1001DD15

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 9c37b9bfe50d47b947943e5bde51b1b3a93ad00f865aaf561d5891f7ad451c75
Instruction ID: 7a99189caa79d54ac912ebbbba7bdc920c16141239c7c74b934a59564cf638f4
Opcode Fuzzy Hash: 9c37b9bfe50d47b947943e5bde51b1b3a93ad00f865aaf561d5891f7ad451c75
Instruction Fuzzy Hash: 2A6238B5E40348ABEB10DF94DC82F9DBBB5FF08344F244025F608BE292E7B5A9558B51

Function 1001BFA0 Relevance: 2.4, APIs: 1, Instructions: 850COMMON

Download Yara Rule

APIs

PathFindFileNameA.SHLWAPI(00000000,?,00000000,00000000,00000000,00000000,0000001C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001C7F6

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: FileFindNamePath
String ID:
API String ID: 1422272338-0
Opcode ID: 6281f69430544266c8e70e44c834c9405fb1c3bbdf4b57ac0b35b949c557e014
Instruction ID: f98056538ddd495e24e8dfbf0cad4fd33bc614c33abef30b02bddadc29e55c32
Opcode Fuzzy Hash: 6281f69430544266c8e70e44c834c9405fb1c3bbdf4b57ac0b35b949c557e014
Instruction Fuzzy Hash: 364240B5A40219ABEB00DF94ECC2F9EB7B4FF5C354F140025EA09BF241E775A9508B66

Function 100259D9 Relevance: 2.2, APIs: 1, Instructions: 733COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D535,?), ref: 10025AFF

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 1d3983c04ef36cd81e02ff80b8e386635ef27858c32e0cbda266982c8d298185
Instruction ID: ec57d409bd248faccfe3f0420db7539557fe035a6b0d78d3a35a1a7dfc2ec437
Opcode Fuzzy Hash: 1d3983c04ef36cd81e02ff80b8e386635ef27858c32e0cbda266982c8d298185
Instruction Fuzzy Hash: AC5208B5E00208ABEF01DF94EC82FDDBBB5FF08314F544029F614BA292D7B5A9548B65

Function 1001D1C4 Relevance: 2.2, APIs: 1, Instructions: 693libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000000,00000000,00000000), ref: 1001D53E

Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: CodeLibraryLoad
String ID:
API String ID: 4269728939-0
Opcode ID: 65fad49489424e2679975017eff27f475cb1f496b382636ee17d060b9eab1fb1
Instruction ID: 8ca3c93d7244418e6012e556740facccd0f38a3c9c4ff1909e44a403dc44f6d3
Opcode Fuzzy Hash: 65fad49489424e2679975017eff27f475cb1f496b382636ee17d060b9eab1fb1
Instruction Fuzzy Hash: BC421AB5E40318AFEF50EF94DC82BDDBBB1FB08740F500125F618BA295D7B6A9808B55

Function 10008EDD Relevance: 2.0, APIs: 1, Instructions: 541COMMON

Download Yara Rule

APIs

Part of subcall function 10028720: atoi.MSVCRT(00000000), ref: 1002877E

RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 1000918C

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: MemoryMoveatoi
String ID:
API String ID: 2867837884-0
Opcode ID: f552e5f7024ba99e615796b6465fd8c68d714aa37df417cf295f447d032c11c8
Instruction ID: c625aa631b3fd7664a23ceac8d029317df328e953ac31412f977eb30fe789f83
Opcode Fuzzy Hash: f552e5f7024ba99e615796b6465fd8c68d714aa37df417cf295f447d032c11c8
Instruction Fuzzy Hash: 1A023DB5A40216AFFB00DF94DCC1BAEB7A5FF58354F240025E905AB385E7B5B950CB22

Function 10006495 Relevance: 1.8, APIs: 1, Instructions: 318COMMON

Download Yara Rule

APIs

RtlMoveMemory.NTDLL(00000000), ref: 1000665A

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: MemoryMove
String ID:
API String ID: 1951056069-0
Opcode ID: eb4082b09fd2d382939d01306d0fc3fdf797f862dfdaeaedf174d431bc084b9e
Instruction ID: de403b7ac96d81ad167a5567031b13b093eba99a0845d2f8fdd956dd85fb778c
Opcode Fuzzy Hash: eb4082b09fd2d382939d01306d0fc3fdf797f862dfdaeaedf174d431bc084b9e
Instruction Fuzzy Hash: 12B151B5A812969BFF00CF58DCC1B95B7E1EF69324B291470E846AF344D378B861DB21

Function 10015B34 Relevance: 1.8, APIs: 1, Instructions: 255COMMON

Download Yara Rule

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,00000000), ref: 10015BEE

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: KeyboardLayoutList
String ID:
API String ID: 4253248152-0
Opcode ID: 44a60376c71096be39f78b695e39bf06f4d8816049d5a531e66a3b74c91e060c
Instruction ID: 3f0b898e91331e47705899626b39ccd446a255f5e12301d86a1815f33d743008
Opcode Fuzzy Hash: 44a60376c71096be39f78b695e39bf06f4d8816049d5a531e66a3b74c91e060c
Instruction Fuzzy Hash: 487158F6E00205AFEB00DFA4ECC2BAE77E5EF58251F540025E609EF341E775A9448B62

Function 10006051 Relevance: 1.6, APIs: 1, Instructions: 131libraryloaderCOMMON

Download Yara Rule

APIs

LdrGetProcedureAddress.NTDLL(00000000,00000000,00000000), ref: 10006115

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: AddressProcedure
String ID:
API String ID: 3653107232-0
Opcode ID: b0fdcc2e6f29255798221e87a4cc1c59c4c258f69b8f0650fd83bedbacb84739
Instruction ID: 78c0987cb7ffc063797d9a6f9d393f2066e6151a443f59dc1fc5ba499ae867df
Opcode Fuzzy Hash: b0fdcc2e6f29255798221e87a4cc1c59c4c258f69b8f0650fd83bedbacb84739
Instruction Fuzzy Hash: 564146B5D40209AFEB00DFD4EC81BAEB7B5FF18314F244065E909AB245D375AA54CB62

Function 1000B61E Relevance: 1.6, APIs: 1, Instructions: 110libraryCOMMON

Download Yara Rule

APIs

LdrGetDllHandleEx.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 1000B6DF

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: Handle
String ID:
API String ID: 2519475695-0
Opcode ID: 9cc028ce4cef6fd72751e9c02f2673b6ffa45c8eaa4f1332740a5ce7082965a9
Instruction ID: f5b1eeb52ae3afd7add8d8d659320dd3d1fa50eb2e7bb74abf840f5972d141ec
Opcode Fuzzy Hash: 9cc028ce4cef6fd72751e9c02f2673b6ffa45c8eaa4f1332740a5ce7082965a9
Instruction Fuzzy Hash: 6B312FF6D40205ABEB40DF94ECC2B9AB7F8FF18314F184065E90DAB341E375A9548B62

Function 1000FF10 Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ComputeCrc32
String ID:
API String ID: 660108262-0
Opcode ID: 3b3c4a398f2c335a2580c0c2c9e01d6ed997776affae00ca87f118d2e0373c7b
Instruction ID: 885f51156191be290847c32039febb9a430df116088fdaca21ba1fa0fc310e03
Opcode Fuzzy Hash: 3b3c4a398f2c335a2580c0c2c9e01d6ed997776affae00ca87f118d2e0373c7b
Instruction Fuzzy Hash: FE3149B5E00309BBEB51DFD49C82FBE77B8EF14740F104068FA18BA242D7B6A6509B51

Function 100188E1 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(00000000,00000100), ref: 10018935

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: DirectorySystem
String ID:
API String ID: 2188284642-0
Opcode ID: 2c93ccefffdd24751a113a6a8b127da9d46669cbde7100af002d9a110044543e
Instruction ID: ee8817d9cef94c28fb543e8b0ac086dfa591c469ffb5e13cc4bb05c5ca752fcb
Opcode Fuzzy Hash: 2c93ccefffdd24751a113a6a8b127da9d46669cbde7100af002d9a110044543e
Instruction Fuzzy Hash: 2F115875E00309BBEB40DEE49C42BAD76A8EB08754F241469F608FB241D771AB809756

Function 10001D56 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

IsBadCodePtr.KERNEL32(00000000), ref: 10001D73

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: Code
String ID:
API String ID: 3609698214-0
Opcode ID: a6e85c84f7705da1f0b0ef0dca21cf6d2d6468ef5f288cf7089c26cb1776d2a9
Instruction ID: e6d0952806afafb3bf167878436ee8aac056beef16ad5c6831721f9da55ad4d1
Opcode Fuzzy Hash: a6e85c84f7705da1f0b0ef0dca21cf6d2d6468ef5f288cf7089c26cb1776d2a9
Instruction Fuzzy Hash: E8118B70900209FBEB60DF64CC05BED7BB4EF01390F2041AAED08AA1D4DB729A15DB85

Function 10013C18 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D4C9,?), ref: 10013C79

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 8f3db6529a380ad884801686893290e76bb9e31a8db3e312d6667318ca493a2c
Instruction ID: 374fef4b2e02d52e2e07c0ca9dad6c55ed4794edc6ac8ae58a0c039705d7fb64
Opcode Fuzzy Hash: 8f3db6529a380ad884801686893290e76bb9e31a8db3e312d6667318ca493a2c
Instruction Fuzzy Hash: CC0171B5E0020DABDB00FFE09D82BAEBBB9EB04301F404466F50876105EB71EA549B92

Function 1001A031 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D50D,?), ref: 1001A092

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 5f714afee4867c402fc67ecef455e1855603a07155a017b7538eac9aa4686da4
Instruction ID: cb7720b851b721871b731c706f7cbe3d90cdbd700e2746e4ab45e97b10e25004
Opcode Fuzzy Hash: 5f714afee4867c402fc67ecef455e1855603a07155a017b7538eac9aa4686da4
Instruction Fuzzy Hash: 5C018DB5D00218ABDB11FFD09C82B9E77B8EB09341F804466F50476111D7719B988792

Function 10022882 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D51D,00000040), ref: 100228E3

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 194b0fc893c5977093f79026a72dc70755a1496586ec811bd8de5678d100e2c9
Instruction ID: c1b15002a30057ddc80440081b4ff6bc33ecde6fccf9cd62e387e343abd0d63a
Opcode Fuzzy Hash: 194b0fc893c5977093f79026a72dc70755a1496586ec811bd8de5678d100e2c9
Instruction Fuzzy Hash: DF014DB5D0021DFBEB10EFE0AC82B9E7778EB14644F904066F50466151EB719B549B91

Function 10006C96 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D3FD,08000000), ref: 10006CF7

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 23192da6ecbc83458441ebdd5d9c372dffc65ab0074d72a51acdd461767757be
Instruction ID: 4cade7ef096b15f562c821cb4de08ab4d3fc558eeb9d0de8a70c828ff9c11a3c
Opcode Fuzzy Hash: 23192da6ecbc83458441ebdd5d9c372dffc65ab0074d72a51acdd461767757be
Instruction Fuzzy Hash: 170175B5E0020DEBEB00EFE0EC82FAE7B79EF04240F504066E51566105D771AB549B92

Function 1000FCB0 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D481,00000000), ref: 1000FD11

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 4a2eef44144669db4c1f9733a33db670b7915dec5e8fa15a72f47dd6e77bff96
Instruction ID: 0aed2d4544eee8039acc50f3c1f3685790efcc1e5774387d789b9b1403c596f7
Opcode Fuzzy Hash: 4a2eef44144669db4c1f9733a33db670b7915dec5e8fa15a72f47dd6e77bff96
Instruction Fuzzy Hash: 9A0188B5D0430DABEB10FFE09C82FAE7779EB04280F40046BF505A6505DB71AA14EB92

Function 10003116 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D3E1,00000004), ref: 10003177

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: da42de84fdc45480a06cd4378e972f835c842b750d11b0a6ad2ad2daa698017b
Instruction ID: 385097fba51063c84e9e930c69dc2d7aac367372f62906f312b1c310141ed2ce
Opcode Fuzzy Hash: da42de84fdc45480a06cd4378e972f835c842b750d11b0a6ad2ad2daa698017b
Instruction Fuzzy Hash: 40015275D00208E7EB01EFE09C92BEF7B78EB08280F404066E51566155DB71AA149B92

Function 1000FD4D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D485,00000000), ref: 1000FDAE

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 1a48310d62d447e18139df79d4c208d7064efbc4de3590175f6bd695f184c1e5
Instruction ID: 3f7b499d2902c1e46d25e5c31060a7ca09a1136a131adf16b63838e7b32e6cd5
Opcode Fuzzy Hash: 1a48310d62d447e18139df79d4c208d7064efbc4de3590175f6bd695f184c1e5
Instruction Fuzzy Hash: 0B018875D0024CABEB00FFE0DC82EAE7779EB05380F50006AF505A6115DB716A54EB92

Function 10008DA3 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D43D,?), ref: 10008E04

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: afcca2c59449e325cff3936334e354c9cd28eb17edf5175cf760837ed83860e1
Instruction ID: 4c97a0654b066084171f968f8b0ad47121c2de6078470ba5a976a0987d87b010
Opcode Fuzzy Hash: afcca2c59449e325cff3936334e354c9cd28eb17edf5175cf760837ed83860e1
Instruction Fuzzy Hash: EC0175B5D00219E7EB00FFE0EC82BAE7B78FB14240F504466F54566145EB716B549B92

Function 10007DB8 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D40D,00000008), ref: 10007E19

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: c28a3b2f2e25cb6acfcff6b005e4e53fcd9242a91f843676d212f9070d1610bf
Instruction ID: 3b8a368ce3914a44cda768e978636fd60f477d925661c7c420499c797e447cb4
Opcode Fuzzy Hash: c28a3b2f2e25cb6acfcff6b005e4e53fcd9242a91f843676d212f9070d1610bf
Instruction Fuzzy Hash: 9B0171B5D00249ABEB00FFE0EC82AAEBB78FB04240F404466E60966115DB75AB549B92

Function 10008E40 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D441,?), ref: 10008EA1

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: b38c6ebf94637de38798da6e1c23dd87dd1bdd738f4a7bbe3db8cae8409ee598
Instruction ID: 1686f6cdf9a679c1f5c84585fd33387023eb604c586a5dba44084a63d2e43e5f
Opcode Fuzzy Hash: b38c6ebf94637de38798da6e1c23dd87dd1bdd738f4a7bbe3db8cae8409ee598
Instruction Fuzzy Hash: 9C0171B5D00359ABEB10FFE0DC82BAEBB78FB04380F400066E64576115EB71AB54CB92

Function 1000FA6F Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D47D,00000000), ref: 1000FAD0

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 2ecd14835ddfe2db98adf362f1cc27abc66221ca3baeee4228986d5531294eba
Instruction ID: 82e752f980966cf0ba4425328bdbe0b5f15696934bb6f442517d9b0340b204dc
Opcode Fuzzy Hash: 2ecd14835ddfe2db98adf362f1cc27abc66221ca3baeee4228986d5531294eba
Instruction Fuzzy Hash: 510179B5E00209EBEB00FFE09C82AAEB778EB05240F504466F54566145EBB16654DB92

Function 10022A80 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D521,00000000), ref: 10022AE1

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: c21c2a8c4cec09cdedbb30eba6480203a51324f4c4c5902b1b0fefa990e6b838
Instruction ID: 1a66ded8f8981fca5c39a2578b95296ca62aec53b1f76630b0cdbd515d7a4f8c
Opcode Fuzzy Hash: c21c2a8c4cec09cdedbb30eba6480203a51324f4c4c5902b1b0fefa990e6b838
Instruction Fuzzy Hash: D60175B5D00308BBDB11EFE0AC82FEEBB78EB14344F400066E90566501E7B56B14DB92

Function 10011E89 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D4B9,10026CF1), ref: 10011EEA

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 387a02cd27c85a9e9645a962391e1fc87b5c3584c8544df15e9cc9309148cd0f
Instruction ID: ae9516facd56fc145b0b9ba1995b908798816dd09d6beae3d77d7b55205b3fe1
Opcode Fuzzy Hash: 387a02cd27c85a9e9645a962391e1fc87b5c3584c8544df15e9cc9309148cd0f
Instruction Fuzzy Hash: AF0184B5E0420CABDB00FFE0EC82BEEBBB9EB04244F400466F5056A111DB75EA549B92

Function 100246E4 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D525,00000000), ref: 10024745

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 16372e4eb88579a8b12f2817b7d5f3197544eee2f9c96a83dd2f20b74f294324
Instruction ID: 4f30fde94411f2541dcfd4e169ebb1e46575794177a9fc60b21b5106f81313a2
Opcode Fuzzy Hash: 16372e4eb88579a8b12f2817b7d5f3197544eee2f9c96a83dd2f20b74f294324
Instruction Fuzzy Hash: 1001D8B5D0431CA7DB00FFE0ACC2FAEBB78EB05300F810465E51566101EBB16A14DB92

Function 10008B27 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D435,?), ref: 10008B88

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: c9e7b862b60fe74ed4fe71638f98d4edbead8bac7f3d7a8f9d653b4e1fb7c940
Instruction ID: 91e5747cc3fe246938bda6916c84b67a4fdfd623eeedb860250414ba6297eca5
Opcode Fuzzy Hash: c9e7b862b60fe74ed4fe71638f98d4edbead8bac7f3d7a8f9d653b4e1fb7c940
Instruction Fuzzy Hash: 7B0171B5D0020DABEB50FFE49C82EAEBBB8FB04240F500466E54466115EB71AB14DB92

Function 1000833D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D411,?), ref: 1000839E

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 278c620e1e7e4d768f896ce18c2c498cb7bc6a05be8e6297497d5f0b97cf32e1
Instruction ID: 31dc5b1c38583c82a0824eac09af333b299f07736d69ab93248bda9d1065cdb0
Opcode Fuzzy Hash: 278c620e1e7e4d768f896ce18c2c498cb7bc6a05be8e6297497d5f0b97cf32e1
Instruction Fuzzy Hash: 390175B5D04308A7EB40FFE09C82AAE7778FB04640F405476F54466145D771AB54CB92

Function 1000B353 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D44D,00000000), ref: 1000B3B4

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 76ce89a9342da98fe2dfecb2c94b98527dad8150a52251657d2f7bd5707e59c8
Instruction ID: a0f89ea6e8a02a489adc9b983919e457af64c69ca27a1623b1b8ea733fed46f6
Opcode Fuzzy Hash: 76ce89a9342da98fe2dfecb2c94b98527dad8150a52251657d2f7bd5707e59c8
Instruction Fuzzy Hash: 5F0184B5D0030CEBEB00FFE0AD92FAEBB78EB04240F504066F50466145DBB1AB54DB92

Function 100137A3 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D4C5,00000014), ref: 10013804

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: df7046381827650c065037a5133842a2a86736d1ba20d916eef21a95625819b6
Instruction ID: 3d49d6b3b442fbd771079eef3efcaca9525747ce25c9376b7200e1962427cb25
Opcode Fuzzy Hash: df7046381827650c065037a5133842a2a86736d1ba20d916eef21a95625819b6
Instruction Fuzzy Hash: 420152B5D04309A7EB00FFE09C82AAEB778EF04240F504066F50466151EB75AA54DB92

Function 10008BC4 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D439,?), ref: 10008C25

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 1ec75bcf5a5c2b71d65e273564a3b3c9b1f3326e431629a853761c1f5ea93f69
Instruction ID: e89bca5dfd4d69b457f6ee300803ba63458d7d33b5f739f05a8734b2afd2cb97
Opcode Fuzzy Hash: 1ec75bcf5a5c2b71d65e273564a3b3c9b1f3326e431629a853761c1f5ea93f69
Instruction Fuzzy Hash: 4C0171B5D00209ABEB00FFE49CC2EAEBB78FB04240F900466E55566116DB71AB549BA6

Function 10013FC8 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D4D9,?), ref: 10014029

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 2023bc8ebed8db9c71d14d41a16ae57d1e69fa0acd5bbe78306c23398d50d97a
Instruction ID: 2564c689c805b87f96d1dc3a9772f8e9f463aef008d258d62ef8b45eff4f05b1
Opcode Fuzzy Hash: 2023bc8ebed8db9c71d14d41a16ae57d1e69fa0acd5bbe78306c23398d50d97a
Instruction Fuzzy Hash: 8E01D875D0030CA7DB11FFE09C82F9E7779EB08300F400026F615A7112DB75EA549B92

Function 10007BCA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D409,00000001), ref: 10007C2B

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 61d08e19df0a214d9286b1d052d7edc03e2565f5d48c7273754c1c18bed95e81
Instruction ID: c3b43e173740565f2226f67ccfeaefedf346a2cdf78e56352eac70fc933f1a03
Opcode Fuzzy Hash: 61d08e19df0a214d9286b1d052d7edc03e2565f5d48c7273754c1c18bed95e81
Instruction Fuzzy Hash: B0017575D0020CA7FB00FFE09C86F9EBB78FB14340F44446AE61966105E775AA549B92

Function 100253E7 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D52D,00000000), ref: 10025448

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: c904fddc6ddc8d15f4d357e5ecb68cc14fb2d08915d767a0cb86d415350261cd
Instruction ID: 3e1362fdfd7180a89e2653fc66fb6b654d9ba0ea71b3ee1e512a707afa301e7c
Opcode Fuzzy Hash: c904fddc6ddc8d15f4d357e5ecb68cc14fb2d08915d767a0cb86d415350261cd
Instruction Fuzzy Hash: 730188B5D0021CA7DB00FFE0AC82B9EB7B8EB04345F904467F90566111D7B29A549B96

Function 1000B3F0 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D451,00000000), ref: 1000B451

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 51b26b4892ccffcc6dc83c2534fb8f59ce223cf36af1d5fc13b3d33c47b94d86
Instruction ID: 8d0e244bf49903d48fd7c686830ea074e98c76a4a96eec9f774984162f9bf409
Opcode Fuzzy Hash: 51b26b4892ccffcc6dc83c2534fb8f59ce223cf36af1d5fc13b3d33c47b94d86
Instruction Fuzzy Hash: BF0148B5D0431DABEB00FFE09C82FAEB778EB14340F904465F50566116EB71AB54DB92

Function 100236FF Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetAncestor.USER32(100236B8,00000001,?,?,100236B8), ref: 1002371A

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: Ancestor
String ID:
API String ID: 4063365101-0
Opcode ID: 0be6b4715263265285db1f468f36bdd37c7f824151cbff8a336d8021942bab24
Instruction ID: eb8589c6fe16dd3324ac60df81f06840749ea93634a8b87ae7cb4ae9ae9ba44e
Opcode Fuzzy Hash: 0be6b4715263265285db1f468f36bdd37c7f824151cbff8a336d8021942bab24
Instruction Fuzzy Hash: C3F03CB4E44308EBDB10EF90E9467ADFB70EB06741F509065E6047B180E7B25A509A8A

Function 10010199 Relevance: 1.5, APIs: 1, Instructions: 29synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000001,00000001,00000000,00000000,00000001), ref: 100101C4

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: d12216730a6dd428996d56869a6fc80ed1219f4cbb400b599376012f3700107f
Instruction ID: 16cce99742d90ffd21a6e538df0c97e42957f62968f0f4cbc8e65f9f29ad9446
Opcode Fuzzy Hash: d12216730a6dd428996d56869a6fc80ed1219f4cbb400b599376012f3700107f
Instruction Fuzzy Hash: D8F03970E45208FBDB21EF95DC02BADBB74EB05741F1080A5FA087A180D7B5AB509B95

Function 1000634E Relevance: 1.5, APIs: 1, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?,1000702C), ref: 1000635D

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: MutexRelease
String ID:
API String ID: 1638419-0
Opcode ID: 409f3bf5a2a7effd3d518b78c876aaf5ee200c7d662fef1c20eca6aafb3e8a79
Instruction ID: 7b3213fa97c1f7abe5e99e727b00606adf76b996470ce0c1231a1946aded7527
Opcode Fuzzy Hash: 409f3bf5a2a7effd3d518b78c876aaf5ee200c7d662fef1c20eca6aafb3e8a79
Instruction Fuzzy Hash: 3AD017B0D45308B7E610AE90EC03B69BA34D706761F105161FA082A190E6B2AB2496DA

Function 1000F7AC Relevance: 1.3, APIs: 1, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000008,00000000), ref: 1000F7E5

Part of subcall function 1000FA6F: InterlockedExchange.KERNEL32(1002D47D,00000000), ref: 1000FAD0

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: AllocExchangeHeapInterlocked
String ID:
API String ID: 3051970009-0
Opcode ID: 022b8115eb5ce5199829a80c414696cba4458c1422a7b80e9c996825c196cccc
Instruction ID: 8cc4e7238832c14419a96c129bec8d194933ec370394a89dab4d823145446c67
Opcode Fuzzy Hash: 022b8115eb5ce5199829a80c414696cba4458c1422a7b80e9c996825c196cccc
Instruction Fuzzy Hash: 51310270D40209FEFB11DFA0CC02BEDBBB5FB04780F208169F614BA194DBB56A54AB55

Function 10002461 Relevance: 1.3, APIs: 1, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 0dd204370fe18862268228c1c8de2b552e2688217c670dbeba92eeddf2ae1a81
Instruction ID: 104a27a5d458cbbbe33f9f96244b29e3d4c33b82fd0089700704125604d1dba2
Opcode Fuzzy Hash: 0dd204370fe18862268228c1c8de2b552e2688217c670dbeba92eeddf2ae1a81
Instruction Fuzzy Hash: BDE08634D85308B7E610EF40DC03F29BA38E702751F508012FA083A090D6B25A649B87

Function 1000B90D Relevance: 1.0, Instructions: 984COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81006eb9e473d180177001475ccb3f5d85a486848d635e7b77511459b26a50e2
Instruction ID: b82dc38e16616ddd987b864122364eac5c1fff58b477e30fd6f02d7e5179368c
Opcode Fuzzy Hash: 81006eb9e473d180177001475ccb3f5d85a486848d635e7b77511459b26a50e2
Instruction Fuzzy Hash: 85721AB5E40309ABEB00DF94ECC2FDDBBB5EB0C354F644025F604BA296D7B269548B25

Function 10012B40 Relevance: .9, Instructions: 871COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e69f0c751b4262d556ab7d8e659c133a8de82433dc850d146ab5d350a12c39cd
Instruction ID: 551f598227d6dd39184c223fb6ed838a91ab17f663f6174eca7434abf6d8a969
Opcode Fuzzy Hash: e69f0c751b4262d556ab7d8e659c133a8de82433dc850d146ab5d350a12c39cd
Instruction Fuzzy Hash: 40624CB5E41208BBEF11DFD0EC82BDDBBB5EF08354F204029F604BA291D7B5A9958B14

Function 10010255 Relevance: .7, Instructions: 748COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d84f2b69ea6095c90f23bd9b6d1a5a8279a6636e2ec472cfa5718089ee139e8
Instruction ID: a5955423d14317f839d9afbcb2b9ced9374c1de9beecc9198591da7258e3e5d6
Opcode Fuzzy Hash: 6d84f2b69ea6095c90f23bd9b6d1a5a8279a6636e2ec472cfa5718089ee139e8
Instruction Fuzzy Hash: 5D32F7B1B412529BFB00CF58ECC0B59B7A5EFA9324F290074E946AF341D379B861DB61

Function 10010AD6 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04032a532c17935709fed7173e226e9a954ec38d62b032ac7340ce8b9de18a0
Instruction ID: 3de84c3e889b2c0bc8bcd444dabd38468fbc88aeca599d708b385d83fa676b17
Opcode Fuzzy Hash: f04032a532c17935709fed7173e226e9a954ec38d62b032ac7340ce8b9de18a0
Instruction Fuzzy Hash: 8E22F8B2B812529BFB00CB58ECC0B55B7A5EFA5328F290474E9469F341D379F861DB21

Function 10002628 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060caa462227d063eaf04c7f21a9b9660bb70fdd2aceff3ad377bb009bd70efe
Instruction ID: 2248021ac5db34a560a572e85a1c1eea5c01ad721331a673fc7f7bdbc18de49f
Opcode Fuzzy Hash: 060caa462227d063eaf04c7f21a9b9660bb70fdd2aceff3ad377bb009bd70efe
Instruction Fuzzy Hash: 90524471D00259CBEB20CFA4D8857DDBBB0FF48344F2180A4D599BB249DB756AA5CF90

Function 1000A7A2 Relevance: .6, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f72d9719a13788e266dacaba0ea585b20990d3c1d733c69aa7536c06bb4951
Instruction ID: fa5432d9c06c826fba32fdae05fe74482de4f60f477d8ade94ddac0ef3f6a6e0
Opcode Fuzzy Hash: 09f72d9719a13788e266dacaba0ea585b20990d3c1d733c69aa7536c06bb4951
Instruction Fuzzy Hash: 602215B5E00309AFEF10CF94DC82BEEBBB0FF09354F204025EA14BA296D77569548B65

Function 10017ECA Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d3902ef48eb2b0ea1e98523cf84d220f884a2bc31b4a3403d1743386bbda7f
Instruction ID: 15cd058cb613ad93b2deb671447fd93daff6b1ebb966e0e7c4ee6c7ed785d811
Opcode Fuzzy Hash: 68d3902ef48eb2b0ea1e98523cf84d220f884a2bc31b4a3403d1743386bbda7f
Instruction Fuzzy Hash: BDA160B5E00209ABEB40DEE4DC85FDE7BB8EF08354F144065FA04AA241EB75EB94CB51

Function 1001847E Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7200f153caa90d48a9700c6273f72d88bef546347f9c4dfa1c1c74185b342bdd
Instruction ID: 14e6b09ccae86c50f75a937e7e6fe01258ff4770b1647dfaac81a6f85d8f69f1
Opcode Fuzzy Hash: 7200f153caa90d48a9700c6273f72d88bef546347f9c4dfa1c1c74185b342bdd
Instruction Fuzzy Hash: 7A911EB5E0020AABEF10DF94DC85B9E7BB5EF18344F204025FA14BB281D775EB948B65

Function 10025977 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f29243b0d0ea20511f4cb1106b1515d46eb23fc76d8db8d1afdd2d9a1039e213
Instruction ID: 03d07b771d78d2ead9be031f4861621435dfbb7e08fb32216ea170559a01278e
Opcode Fuzzy Hash: f29243b0d0ea20511f4cb1106b1515d46eb23fc76d8db8d1afdd2d9a1039e213
Instruction Fuzzy Hash: 078123B5E4025AABEF00CF94ECC1B9DBBB4FF19310F640025E549BB245D775A851CB25

Function 10024C38 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0974059ae252d5b90eb8f6432f6ddda83af5d10b71b803c1f1bc6c84e1fa75
Instruction ID: fa026d6154386471c9ed67b0d764591261ae5350a3fbb2125f892fb7990afb2f
Opcode Fuzzy Hash: bd0974059ae252d5b90eb8f6432f6ddda83af5d10b71b803c1f1bc6c84e1fa75
Instruction Fuzzy Hash: 7D7135B5E4125AABEF00DFA8ECC1B9DBBB4FF18310F650025E545BB241DB75A851CB21

Function 1001A236 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ObjectSelect
String ID:
API String ID: 1517587568-0
Opcode ID: 355770622b8ee66c6704d228f7a4cf4399a8d1d5d808ebab5a82fa4d81647a92
Instruction ID: 38d14c2f8622cd03f50353335eeab2373c5cbc47d148ebdcbde86e05c5d9d7ee
Opcode Fuzzy Hash: 355770622b8ee66c6704d228f7a4cf4399a8d1d5d808ebab5a82fa4d81647a92
Instruction Fuzzy Hash: 4E6134B1E40349ABEB10DFE4DC86FEF76F4EB05704F500425F615BA281D7B6AA848B52

Function 1001121A Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ComputeCrc32CreateMutex
String ID:
API String ID: 2647859408-0
Opcode ID: fb765643ddb528c65f4c8254d2e67b215b37ca112bcddd59e63a3746b6e22e82
Instruction ID: 6e8f39effab6ffe8abe8ce8b2f006d743ef601de1a83054572dbacb1371b805f
Opcode Fuzzy Hash: fb765643ddb528c65f4c8254d2e67b215b37ca112bcddd59e63a3746b6e22e82
Instruction Fuzzy Hash: FA611274E40319EBEB00EF91DC87BEEBB71EB05750F200026F6147A191D7B1AA51DB96

Function 1001385A Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 177ff9bcddc0062e541eb72a297809aa775245e2e6d8d1f130c2bdda6e790eca
Instruction ID: b3edc6188f52fe0267c65f768a9f0694fa0e22adacd15ae2cea2a64ff053d747
Opcode Fuzzy Hash: 177ff9bcddc0062e541eb72a297809aa775245e2e6d8d1f130c2bdda6e790eca
Instruction Fuzzy Hash: E4512774E40316ABEB10CF94DC96FAE77B4EF04700F604019FA49BE291D7F59A948B92

Function 10017B68 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999cff3d56ebaad1770f9eebce6b814e78184f0733c47f680aeb2efe81abf9bb
Instruction ID: 3ff1e0272834ebdf1ae0fa1b74ff5d017005019b99e03679453d0ba0a45af6fd
Opcode Fuzzy Hash: 999cff3d56ebaad1770f9eebce6b814e78184f0733c47f680aeb2efe81abf9bb
Instruction Fuzzy Hash: E2512EB5D0021AABEB00DF94DCC1BAE77B4FF18314F140465E508EB301E775AA50CB62

Function 1001A4E7 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848507941d9fbffb7cbc7b29cbefd203ef99eb4224134117eb04a7a1748b5fdf
Instruction ID: 740361c2a2a7975ea98c5d6579f5497acae074faf2527958cbce1f24f1a7fcbb
Opcode Fuzzy Hash: 848507941d9fbffb7cbc7b29cbefd203ef99eb4224134117eb04a7a1748b5fdf
Instruction Fuzzy Hash: 84516B75E00209EBEB00CF94DC86FAE77F4EB05344F654055F914BE281E776DA948B62

Function 100024AC Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c551d9ee4e18ac04d199571815a8ce167b17ea29bf87976a5931350147ad1b07
Instruction ID: 6e2a16805fa032cb188a6ab09911055340e312e86faa01d054a0585f1b90ccec
Opcode Fuzzy Hash: c551d9ee4e18ac04d199571815a8ce167b17ea29bf87976a5931350147ad1b07
Instruction Fuzzy Hash: 14312270D44609EBEF00EF80DC46BAEBB71EB06355F205169FA043A191D3B64A54DF9A

Function 1000F472 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f752ba2bd3efe35c0db813093cd95cfd95bebb34e1c0840b79ae46e9a3f7aa2
Instruction ID: fcd9660d6a72fe45eefc1d8f4cbc8b5498bd8d2469cb5e857af72b9432f5bd19
Opcode Fuzzy Hash: 4f752ba2bd3efe35c0db813093cd95cfd95bebb34e1c0840b79ae46e9a3f7aa2
Instruction Fuzzy Hash: F3313575E40308AFEB50DF94DC82B9DBBB4EB0C741F504065F608EB745E7B59A409B52

Function 1000FDEA Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbbfe027ddbde3ca2b7ee6e7a9b101e6e640faf627c7a0eeba07689440a2c60
Instruction ID: 0e6d90bd3a1296b327673a782b8a2de37a0e9d786c9d2f722c0ab1c87383cc98
Opcode Fuzzy Hash: bcbbfe027ddbde3ca2b7ee6e7a9b101e6e640faf627c7a0eeba07689440a2c60
Instruction Fuzzy Hash: 69317375E40308AFEB40DF94DC82B9EBBB4EB08340F504075E608EB696E3B56A409B52

Function 1001A6C7 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918643da65e37feeb39471fc9b76e24dac407e2b29faf6ea47c3fc6075c6ae67
Instruction ID: f5bd11c3930f14deff6542fe37b9d91d6d9d9f7f47c674184f68d859604aa839
Opcode Fuzzy Hash: 918643da65e37feeb39471fc9b76e24dac407e2b29faf6ea47c3fc6075c6ae67
Instruction Fuzzy Hash: 8821F975A04209EFEB41CF90CD82BAE77F8EB05754F244015B908BA181E7B5EAD09B62

Function 10014096 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8a370add3d5418976353e0fc23bf6dee6b9d923330f9d60947765b51f42246
Instruction ID: cb764db9af18425858f0870d561dcf750e8236d090e6b6f48ce3485ee4cf3179
Opcode Fuzzy Hash: ef8a370add3d5418976353e0fc23bf6dee6b9d923330f9d60947765b51f42246
Instruction Fuzzy Hash: 7E114634845224FBEA11FF90DC42B68BBA1E712345F215067F6042A0B5DBB2ADD6DA42

Function 1000AE99 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37003275f3eaa72a6ef67eca1d876927b20d3cea41f567a5b2a029eb66a1c75e
Instruction ID: eeae7fc577553641f4f664837c49950aecc16b69e97dd8631aebf4018e73b438
Opcode Fuzzy Hash: 37003275f3eaa72a6ef67eca1d876927b20d3cea41f567a5b2a029eb66a1c75e
Instruction Fuzzy Hash: FA2137B090060AEAFB10DFA0C844BEEBAB8FB05380F204271F990A6198D7349AD5D754

Function 10018801 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e64809ee3449bf2a7df32ff2943633b8c15e644a62c7bb0cedcca55993e9baa
Instruction ID: ba505964bce734d70dae5fb9ba97fd24188bee46f8c6b217aecce00d80479512
Opcode Fuzzy Hash: 5e64809ee3449bf2a7df32ff2943633b8c15e644a62c7bb0cedcca55993e9baa
Instruction Fuzzy Hash: C9112875D00208FBEF00DF90C84579DBBB0EB05345F508069F908AE290DB759B94DB91

Function 100189E6 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f1484a5e89f92b7548bae6589aecaccf6235fa81f97c2c0215c37c853ae1f6
Instruction ID: 8996d56321af788ecdb48f59df6a7f6deac0e56e76c4d4795bf28b9d59f37b7c
Opcode Fuzzy Hash: e2f1484a5e89f92b7548bae6589aecaccf6235fa81f97c2c0215c37c853ae1f6
Instruction Fuzzy Hash: D3110975D0020DABEB00DFD0DC46BAEBBB8FF04704F104455F914BA190E7B2AB549B91

Function 10011C1A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea71471854b7794d7273d518db6e4b972dc62c76027c577b271c860ea424262
Instruction ID: aa05f780bf07b04a9dbad2cba23d858d9fb5007feb3f8ac9aeeac6949bb19c5c
Opcode Fuzzy Hash: dea71471854b7794d7273d518db6e4b972dc62c76027c577b271c860ea424262
Instruction Fuzzy Hash: 07015335980208FBEF11DFA1DD02BDEBB74EB00350F108022BA146E1A0D772DAA0ABC1

Function 10011772 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621178d27eafce4a1d86bdd6d4636c6e0afcccb944ec7a99f9e7a057a9f1ad00
Instruction ID: f86e8bef0b9f5b7b48e3b9b3acc0b6cb1fd06cabc4355fe6e2609782588421e0
Opcode Fuzzy Hash: 621178d27eafce4a1d86bdd6d4636c6e0afcccb944ec7a99f9e7a057a9f1ad00
Instruction Fuzzy Hash: B401EC7594020CBEEF11DF80DC42FEDBB79EB09740F108051FA046D091D7B29AA5AB95

Function 10014203 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7397f0f5fb6be8bcaaa4e77a6887201b2645371ef3c2632b50f96f60a1aee293
Instruction ID: e7353d8a689e469959c960a5bb5359493e28a0ae3a5db89d5c895ffd79e8d98e
Opcode Fuzzy Hash: 7397f0f5fb6be8bcaaa4e77a6887201b2645371ef3c2632b50f96f60a1aee293
Instruction Fuzzy Hash: 64F04970D00208FBEB10DF90CC06BADBFB0EB01341F204065F9007A1A0D7B6AB94DB85

Function 100111A7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d443f961325e826377ab455a3b784cc22cadc769fa486d24d41cd9801f717dc
Instruction ID: 682ee749917f4e023bc7197140f76a097522797ecf20c1f45cbbd45c019d52a4
Opcode Fuzzy Hash: 2d443f961325e826377ab455a3b784cc22cadc769fa486d24d41cd9801f717dc
Instruction Fuzzy Hash: 3CF0FE74D44258EBDB14EE90D8057EDBA74E706305F504266EA04AE190D3B18BA4DB96

Function 10019EDC Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cdb49a0a6253429c80267c98a25499fd9d93a71a0b292b5a728f2a2f59ffa35
Instruction ID: 02fc14b9e54e6900d73ffd4e28a19c8708dbe27031dd51c44bf3dba7fdb031ba
Opcode Fuzzy Hash: 7cdb49a0a6253429c80267c98a25499fd9d93a71a0b292b5a728f2a2f59ffa35
Instruction Fuzzy Hash: ECF05474A00308FBEB21CF94CD81B9CBBB0EF09300F2080E4FE0467381E6B15A509B51

Function 100101FB Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f0f76c576cdd84307bd26bd9b5886d4290dca15e1ac3f3f611f9243f0388a9
Instruction ID: bbfaceb90791bb35eed418166a23c42ee1e6653db07919fbe020635ad9369783
Opcode Fuzzy Hash: 19f0f76c576cdd84307bd26bd9b5886d4290dca15e1ac3f3f611f9243f0388a9
Instruction Fuzzy Hash: B9F03975D00218EBDB00EE90D80ABAEBA78EB15301F100465EA086E190D3B59B54DA96

Function 1001BADE Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f80700cc5210cda7409edc569743553da25c12f3afe71f335ab42793a68d5e
Instruction ID: 33dc01a3c2299a3cd355405e5767cb27c6d7fba89f237eed4e622fd5132f0db0
Opcode Fuzzy Hash: 07f80700cc5210cda7409edc569743553da25c12f3afe71f335ab42793a68d5e
Instruction Fuzzy Hash: 5AE08C34D49308B7D610EF40AC87B28BA35E706701F505056FA043A090E7F2AA649A8A

Function 1001BB29 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13fe8401390d9f71333325ae1b2cb84fa7ba5aa184835648c676b8c7a690914e
Instruction ID: 761fadcd4debd2308a54b226b4f8dff580185d7010702b48f65d1b5b1071df53
Opcode Fuzzy Hash: 13fe8401390d9f71333325ae1b2cb84fa7ba5aa184835648c676b8c7a690914e
Instruction Fuzzy Hash: 66E08C34D45308B7D610EF50EC43B6CBB34E707700F108056FA083A1A0D7B29E60ABCA

Function 10005FDA Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989ed4646566f77c2ab72184739a9137b5d7eae5940c08cbaa9d6fc56a31f36c
Instruction ID: 1fae9ae4253266a87bc96311d46508b5db8f13d56845d8971887a42445dbbd4a
Opcode Fuzzy Hash: 989ed4646566f77c2ab72184739a9137b5d7eae5940c08cbaa9d6fc56a31f36c
Instruction Fuzzy Hash: 7DD05B70D45218F7DA10EF54AC03B39BB34D707761F205261FB143E1D5D6B25920D5DA

Function 1001A4C7 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24509eb4154e54e63d34a257df7f67858844c9b410712c520ef3551b56a8a9a
Instruction ID: 2a9e0740773b8b6f5e110bd1e2332ab73de667f723c53b2bed2784798aa44a4a
Opcode Fuzzy Hash: e24509eb4154e54e63d34a257df7f67858844c9b410712c520ef3551b56a8a9a
Instruction Fuzzy Hash: 90B01232125BD44EC1038309C423B11B7ECE300D48F090090D451C7542C14CF610C494

Function 004C3AB0 Relevance: 33.3, APIs: 22, Instructions: 293windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 004C3B3F
GetWindowRect.USER32(?,?), ref: 004C3B96
GetParent.USER32(?), ref: 004C3BA6
GetParent.USER32(?), ref: 004C3BD9
GlobalSize.KERNEL32(00000000), ref: 004C3C23
GlobalLock.KERNEL32(00000000), ref: 004C3C2B
IsWindow.USER32(?), ref: 004C3C44
GetTopWindow.USER32(?), ref: 004C3C81
GetWindow.USER32(00000000,00000002), ref: 004C3C9A
SetParent.USER32(?,?), ref: 004C3CC6
SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 004C3D11
SendMessageA.USER32(?,00008076,00000000,00000000), ref: 004C3D20
GetParent.USER32(?), ref: 004C3D33
SendMessageA.USER32(?,00008004,00000000,00000000), ref: 004C3D4C
GetWindowLongA.USER32(?,000000F0), ref: 004C3D54
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C3D84
SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 004C3D92
IsWindow.USER32(?), ref: 004C3DDE
GetFocus.USER32 ref: 004C3DE8
SetFocus.USER32(?,00000000), ref: 004C3E00
GlobalUnlock.KERNEL32(00000000), ref: 004C3E0B
GlobalFree.KERNEL32(00000000), ref: 004C3E12

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: Window$MessageSend$GlobalParent$Focus$FreeLockLongRectSizeUnlock
String ID:
API String ID: 300820980-0
Opcode ID: 6b2d19022c303c560a606d4373abd6d474ffda4d7c8ed9712acb6c180502ab52
Instruction ID: d64792a409ee377208514b965d62652c23c408aba312b1830a5aeadd8349051f
Opcode Fuzzy Hash: 6b2d19022c303c560a606d4373abd6d474ffda4d7c8ed9712acb6c180502ab52
Instruction Fuzzy Hash: D6A1AB75204301AFD724DF65CC88F2BBBE8BB88701F108A1DF94697391DB78E9058B65

Function 10029640 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113librarywindowstringCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 10029652
LoadLibraryA.KERNEL32(?), ref: 1002965F
wsprintfA.USER32 ref: 10029676
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C

Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25

atoi.MSVCRT(?), ref: 100296CB
strchr.MSVCRT ref: 10029703
GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
wsprintfA.USER32 ref: 10029739
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F

Strings

DLL ERROR, xrefs: 10029685, 10029748

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
Instruction ID: 2d8d4974cead62a1b0d3c1b872151993aa02a2f76add0cb6c4d459240c98e11b
Opcode Fuzzy Hash: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
Instruction Fuzzy Hash: 7E3139B26003529BE310EF74AC94F9BB7D8EB85340F904929FB09D3241EB75E919C7A5

Function 10028E60 Relevance: 16.7, APIs: 11, Instructions: 162registrystringCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000001), ref: 10028E9E
strrchr.MSVCRT ref: 10028EC7
RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
??2@YAPAXI@Z.MSVCRT ref: 10028F03
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,80000004,00000000,00000000,00000000), ref: 10028F26
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F34
??2@YAPAXI@Z.MSVCRT(?,00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F3E
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000), ref: 10028F5B
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F8A
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000), ref: 10028F97
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F9E

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
String ID:
API String ID: 1380196384-0
Opcode ID: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
Instruction ID: 11253f6a850e8c32f07a3e9f8fa5c0c7ac66a22cffc6c79301f50e11ea2e9c0e
Opcode Fuzzy Hash: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
Instruction Fuzzy Hash: 304126792003055BE344DA78EC45E2B77D9EFC2660F950A2DF915C3281EE75EE0983A2

Function 0053AF25 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,005338A2,?,Microsoft Visual C++ Runtime Library,00012010,?,007C9F0C,?,007C9F5C,?,?,?,Runtime Error!Program: ), ref: 0053AF37
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0053AF4F
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0053AF60
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0053AF6D

Strings

GetLastActivePopup, xrefs: 0053AF62
user32.dll, xrefs: 0053AF32
MessageBoxA, xrefs: 0053AF49
GetActiveWindow, xrefs: 0053AF5A

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 604af9be48b74d6b37cba5a06dcc955a4dab07b5c7217c3233dd45b2da2f4d19
Instruction ID: f0e1bba689a84424b36bc535488d7273ea80ded20c6c35011142a7bf629c30a5
Opcode Fuzzy Hash: 604af9be48b74d6b37cba5a06dcc955a4dab07b5c7217c3233dd45b2da2f4d19
Instruction Fuzzy Hash: F90175B56043037F87219FB5AC88DA63F98B758741B04452DF185C2161DB78C856DB62

Function 00536CA4 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,007CA19C,00000001,00000000,00000000,7591E860,0082CD44,?,?,?,0052F41D,?,?,?,00000000), ref: 00536CE6
LCMapStringA.KERNEL32(00000000,00000100,007CA198,00000001,00000000,00000000,?,?,0052F41D,?,?,?,00000000,00000001), ref: 00536D02
LCMapStringA.KERNEL32(?,?,?,0052F41D,?,?,7591E860,0082CD44,?,?,?,0052F41D,?,?,?,00000000), ref: 00536D4B
MultiByteToWideChar.KERNEL32(?,0082CD45,?,0052F41D,00000000,00000000,7591E860,0082CD44,?,?,?,0052F41D,?,?,?,00000000), ref: 00536D83
MultiByteToWideChar.KERNEL32(00000000,00000001,?,0052F41D,?,00000000,?,?,0052F41D,?), ref: 00536DDB
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0052F41D,?), ref: 00536DF1
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0052F41D,?), ref: 00536E24
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0052F41D,?), ref: 00536E8C

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 24bfa6ab88c75c27c8b184671c76d6921041d24ea99ff31d5ae9fdc4d14a49df
Instruction ID: 7e62f9c2904481175a4bf4a769525b53bb9e801f03825a17d46423ec3d378b8e
Opcode Fuzzy Hash: 24bfa6ab88c75c27c8b184671c76d6921041d24ea99ff31d5ae9fdc4d14a49df
Instruction Fuzzy Hash: 29515676900249BFCF228F94CC45EAF7FB9FB89754F208519F954A21A0C3328D25EB60

Function 004D1040 Relevance: 12.4, APIs: 8, Instructions: 368windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 004D11BE
AppendMenuA.USER32(?,?,00000000,?), ref: 004D1321
AppendMenuA.USER32(?,00000000,00000000,?), ref: 004D1359
ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 004D1377
AppendMenuA.USER32(?,?,00000000,?), ref: 004D13D5
ModifyMenuA.USER32(?,?,?,?,?), ref: 004D13FA
AppendMenuA.USER32(?,?,?,?), ref: 004D1442
ModifyMenuA.USER32(?,?,?,?,?), ref: 004D1467

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: Menu$Append$Modify$CreatePopup
String ID:
API String ID: 3846898120-0
Opcode ID: 72680fa215ec3d319d3ca8b81f974e3cafc247a1d5bed14a48b48924bde05489
Instruction ID: ba02b69285cb63d79b01c4d172c792f21ce8e92849659d4e7f0852d82744984b
Opcode Fuzzy Hash: 72680fa215ec3d319d3ca8b81f974e3cafc247a1d5bed14a48b48924bde05489
Instruction Fuzzy Hash: AED178B1A04300ABD714DF18C894A6BBBE4EF89754F04452EFD8593361E779EC05CBAA

Function 0053377E Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 005337EB
GetStdHandle.KERNEL32(000000F4,007C9F0C,00000000,00000000,00000000,?), ref: 005338C1
WriteFile.KERNEL32(00000000), ref: 005338C8

Strings

<program name unknown>, xrefs: 005337FB
..., xrefs: 0053383D
Microsoft Visual C++ Runtime Library, xrefs: 00533897
Runtime Error!Program: , xrefs: 00533851

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 39f9735ca91d60f41570321e6ef46a0dab1f2a023fb08d5050bddd71bcc139b6
Instruction ID: 0b6ad3c494b87d0136ac5ac153a61c78c0e9e297ae616589726871a24d135e90
Opcode Fuzzy Hash: 39f9735ca91d60f41570321e6ef46a0dab1f2a023fb08d5050bddd71bcc139b6
Instruction Fuzzy Hash: B031B4B2A012197FDF20EA60CD4AF99BB6CFF89301F10056EF545D6091E674EA448B52

Function 100283F0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

%lf, xrefs: 10028618
%I64d, xrefs: 100285E2

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID:
String ID: %I64d$%lf
API String ID: 0-1545097854
Opcode ID: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
Instruction ID: a68653634a99df22c50c27c61c92b13d05d716d03379e836d9a088690611f418
Opcode Fuzzy Hash: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
Instruction Fuzzy Hash: 0F516C7A5052424BD738D524BC85AEF73C4EBC0310FE08A2EFA59D21D1DE79DE458392

Function 005331B7 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052D6FE), ref: 005331D2
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052D6FE), ref: 005331E6
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052D6FE), ref: 00533212
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052D6FE), ref: 0053324A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052D6FE), ref: 0053326C
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0052D6FE), ref: 00533285
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052D6FE), ref: 00533298
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 005332D6

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 2dc31ee5f9dde6b73461f66eda9cec09d5fece40f736755a31cb8567cf034021
Instruction ID: 64c6afea7cee3d6c7fa56bc722d699f0b762b898e42925471947c3ae899326f4
Opcode Fuzzy Hash: 2dc31ee5f9dde6b73461f66eda9cec09d5fece40f736755a31cb8567cf034021
Instruction Fuzzy Hash: 603128765083656FDB307FB5ACC883BBF9CFB46358F26092DF552C3150EA228E858261

Function 004C02A0 Relevance: 10.8, APIs: 7, Instructions: 268windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004C02DD
GetParent.USER32(?), ref: 004C02EF
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C0317
GetWindowRect.USER32(?,?), ref: 004C03A1
InvalidateRect.USER32(?,?,00000001,?), ref: 004C03C4
GetWindowRect.USER32(?,?), ref: 004C058C
InvalidateRect.USER32(?,?,00000001,?), ref: 004C05AD

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: Rect$Window$Invalidate$MessageParentSend
String ID:
API String ID: 236041146-0
Opcode ID: 81d391b1a723e09b9c18cc64043a067ec70dd673582f5b40f8d30b79793eff16
Instruction ID: 937ae44d16426e21a2b4a2e884431875b6552d52f83649002b11723826816f3d
Opcode Fuzzy Hash: 81d391b1a723e09b9c18cc64043a067ec70dd673582f5b40f8d30b79793eff16
Instruction Fuzzy Hash: 5791D475600305EBC764EF258890F6B77E8AF84758F04061EFD45AB391EB38ED058BA9

Function 0053A478 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,007CA19C,00000001,?,7591E860,0082CD44,?,?,0052F41D,?,?,?,00000000,00000001), ref: 0053A4B7
GetStringTypeA.KERNEL32(00000000,00000001,007CA198,00000001,?,?,0052F41D,?,?,?,00000000,00000001), ref: 0053A4D1
GetStringTypeA.KERNEL32(?,?,?,?,0052F41D,7591E860,0082CD44,?,?,0052F41D,?,?,?,00000000,00000001), ref: 0053A505
MultiByteToWideChar.KERNEL32(?,0082CD45,?,?,00000000,00000000,7591E860,0082CD44,?,?,0052F41D,?,?,?,00000000,00000001), ref: 0053A53D
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0052F41D,?), ref: 0053A593
GetStringTypeW.KERNEL32(?,?,00000000,0052F41D,?,?,?,?,?,?,0052F41D,?), ref: 0053A5A5

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: b4d4fee43a7458e732e2d999d20c072156b80c36ac08699a833b659e2c3f4ecf
Instruction ID: ef5c5989a5ad02be5d7cc3584b3f9404c80540e5917e1d93e8e8ffff131a742d
Opcode Fuzzy Hash: b4d4fee43a7458e732e2d999d20c072156b80c36ac08699a833b659e2c3f4ecf
Instruction Fuzzy Hash: 4841AB72A00219AFCF219F94DC8AEAF7FB8FB08750F104929F951E6190D3358951DBA2

Function 005494EF Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00828A84,00828A74,00000000,?,00828A84,?,00549757,00828A74,00000000,?,00000000,0054916E,00548A5D,0054918A,00544591,00545836), ref: 005494FA
EnterCriticalSection.KERNEL32(00828AA0,00000010,?,00828A84,?,00549757,00828A74,00000000,?,00000000,0054916E,00548A5D,0054918A,00544591,00545836), ref: 00549549
LeaveCriticalSection.KERNEL32(00828AA0,00000000,?,00828A84,?,00549757,00828A74,00000000,?,00000000,0054916E,00548A5D,0054918A,00544591,00545836), ref: 0054955C
LocalAlloc.KERNEL32(00000000,00000004,?,00828A84,?,00549757,00828A74,00000000,?,00000000,0054916E,00548A5D,0054918A,00544591,00545836), ref: 00549572
LocalReAlloc.KERNEL32(?,00000004,00000002,?,00828A84,?,00549757,00828A74,00000000,?,00000000,0054916E,00548A5D,0054918A,00544591,00545836), ref: 00549584
TlsSetValue.KERNEL32(00828A84,00000000), ref: 005495C0

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 09c08a3a4eb80fab8db2f2d42db08bcd85555a3e9850e7eec76cd9f337a95e60
Instruction ID: d314953437a65988bf00e03e6e0fd61df6850875b249dd34258c7cb7a2996c41
Opcode Fuzzy Hash: 09c08a3a4eb80fab8db2f2d42db08bcd85555a3e9850e7eec76cd9f337a95e60
Instruction Fuzzy Hash: 24318B75100606AFD724CF25D89AFAABBF8FF84365F108518E41AC7690EB70E909CB61

Function 005335A0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 005335BF
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 005335F4
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00533654

Strings

__MSVCRT_HEAP_SELECT, xrefs: 005335EF
__GLOBAL_HEAP_SELECTED, xrefs: 0053362E

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: b607b6ef8efe049945f403024f125693ff9173641362d9219b2631418e714a53
Instruction ID: 57df116f9518b6539dae56cc20ffea0985c980ffa13df89a4c189f76b5e3d1fe
Opcode Fuzzy Hash: b607b6ef8efe049945f403024f125693ff9173641362d9219b2631418e714a53
Instruction Fuzzy Hash: 913108719412587EEF318770ACABBDD3F68BB16704F2404E9E186D6282E631CF89CB11

Function 0054A013 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A044

Part of subcall function 0054A130: lstrlenA.KERNEL32(00000104,00000000,?,0054A074), ref: 0054A167

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A0E5
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A112

Strings

.INI, xrefs: 0054A10C
.HLP, xrefs: 0054A0DF

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: fb49887c37ddf0ed12a10b4492493638add2dc4591c4057a0a5c557e31854f7d
Instruction ID: d4e897bc804fbd9a06e482a31eb32c3122f19a2f0776b96c4610414395a546e5
Opcode Fuzzy Hash: fb49887c37ddf0ed12a10b4492493638add2dc4591c4057a0a5c557e31854f7d
Instruction Fuzzy Hash: 453170B5944719AFDB61EB70D889BC6BBFCBB04314F10496AE19AD3151EB70A984CB10

Function 004C50E0 Relevance: 7.9, APIs: 5, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971fa5ec1ac9746eab38bb25744c1630ed5b487fb411abd4c832412803407726
Instruction ID: 91f9a213ac50948b85aaf26671f61340b6d754f088b8aef3b03e40e6761f5808
Opcode Fuzzy Hash: 971fa5ec1ac9746eab38bb25744c1630ed5b487fb411abd4c832412803407726
Instruction Fuzzy Hash: ACC182755046029FC354DF28C881E6FB7F8ABC4348F404A1EF84697251EB38F9468BAA

Function 005332E9 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00533347
GetFileType.KERNEL32(?,?,00000000), ref: 005333F2
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00533455
GetFileType.KERNEL32(00000000,?,00000000), ref: 00533463
SetHandleCount.KERNEL32 ref: 0053349A

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: d6e37824fc1fcd17a0ba4b0e5ba39c154400018abfcd94fd87971b40fcb334b9
Instruction ID: e4926ee63d62097997140b7dbf1029f50fe98d1243084f8f1a2e0731c6be5e19
Opcode Fuzzy Hash: d6e37824fc1fcd17a0ba4b0e5ba39c154400018abfcd94fd87971b40fcb334b9
Instruction Fuzzy Hash: 885103319042118FDB22CB78D8887697FA0FF11324F298B6CD5A2DB2E1DB70DA46D751

Function 004C5F20 Relevance: 7.6, APIs: 5, Instructions: 92windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004C5F90
GetMenu.USER32(?), ref: 004C5F9F
DestroyAcceleratorTable.USER32(?), ref: 004C5FEC
SetMenu.USER32(?,00000000), ref: 004C6001
DestroyMenu.USER32(?), ref: 004C6011

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: Menu$Destroy$AcceleratorTableWindow
String ID:
API String ID: 1240299919-0
Opcode ID: 9b1d58f53bbe6370dbf0b6d65112e3aea7c1c26efba9697c471bf99ff4dec6e5
Instruction ID: 7c0535e941d7d3fd0b10e7b007c20aedc11c57f6f93d57a8f4ef3e243c0a8a7e
Opcode Fuzzy Hash: 9b1d58f53bbe6370dbf0b6d65112e3aea7c1c26efba9697c471bf99ff4dec6e5
Instruction Fuzzy Hash: FE3193B5600306AFC720EF65DC84E6B77A9EF84358F02451EBD0597252EA38E809CBB5

Function 0053350C Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,0052FA12,00532327,00000000,?,?,00000000,00000001), ref: 0053350E
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 0053351C
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00533568

Part of subcall function 0052FE06: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00533531,00000001,00000074,?,?,00000000,00000001), ref: 0052FEFC

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00533540
GetCurrentThreadId.KERNEL32 ref: 00533551

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: bc7cd2e637902eaac407db08a1f109314cb19395c12542a2cb2172fe85cf5b20
Instruction ID: 113c38dc11d51d1f46bf1de2cba831703df6c8726d96940d9c0845b0ef1d0721
Opcode Fuzzy Hash: bc7cd2e637902eaac407db08a1f109314cb19395c12542a2cb2172fe85cf5b20
Instruction Fuzzy Hash: 1CF0B436501732ABD7212B78BC1D61D3F64FF51772F114629F981D61F1CF248A41D6A1

Function 10027B50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 10027B78
MessageBoxA.USER32(00000000,?,error,00000010), ref: 10027B8F

Strings

error, xrefs: 10027B87
program internal error number is %d. %s, xrefs: 10027B72

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
Instruction ID: e1549d366f44cd83cf328da68a9c66535f66093051f9031b2c984319b6cde580
Opcode Fuzzy Hash: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
Instruction Fuzzy Hash: B9E092755002006BE344EBA4ECAAFAA33A8E708701FC0085EF34981180EBB1A9548616

Function 00537AFC Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,007EADD0,007EADD0,?,?,00537FC8,00000000,00000010,00000000,00000009,00000009,?,0052F051,00000010,00000000), ref: 00537B1D
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00537FC8,00000000,00000010,00000000,00000009,00000009,?,0052F051,00000010,00000000), ref: 00537B41
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00537FC8,00000000,00000010,00000000,00000009,00000009,?,0052F051,00000010,00000000), ref: 00537B5B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00537FC8,00000000,00000010,00000000,00000009,00000009,?,0052F051,00000010,00000000,?), ref: 00537C1C
HeapFree.KERNEL32(00000000,00000000,?,?,00537FC8,00000000,00000010,00000000,00000009,00000009,?,0052F051,00000010,00000000,?,00000000), ref: 00537C33

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: be17aa462f055b61432a0e776fc9fac0b8f745695e918528d87bf5a2ab635a17
Instruction ID: c0061202501f72a443a32e163fcfa371bd33615edaab93cf94516d343ee5523c
Opcode Fuzzy Hash: be17aa462f055b61432a0e776fc9fac0b8f745695e918528d87bf5a2ab635a17
Instruction Fuzzy Hash: 6A31F0B0A4570EABD331CF24EC45B21BBE4FB8C756F118A39E0559B690E778A840DB49

Function 004C24E0 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004C2554
GetParent.USER32(00000000), ref: 004C25A4
IsWindow.USER32(?), ref: 004C25C4
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 004C263F

Part of subcall function 00543BFA: ShowWindow.USER32(?,?,004C05BC,00000000), ref: 00543C08

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: Window$ParentShow
String ID:
API String ID: 2052805569-0
Opcode ID: 1b81bce4c9786c850dedb856b074b5a48fab155c1fc0002ee67d46a371345eb3
Instruction ID: 734b0cee86b26a234b7f9e257adaf741cea80643d3f18d4d8b90665461c56b41
Opcode Fuzzy Hash: 1b81bce4c9786c850dedb856b074b5a48fab155c1fc0002ee67d46a371345eb3
Instruction Fuzzy Hash: 2641C175700311ABD360EE249D81FABB3A4AB94754F04052EFD459B381EBF8E80587B5

Function 10029F50 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 10029FB3
LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,?,?,000009DC,00000000,?,10028774,00000001,?), ref: 10029FE7
free.MSVCRT ref: 10029FF6
free.MSVCRT ref: 1002A014

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: free$Stringmalloc
String ID:
API String ID: 3576809655-0
Opcode ID: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
Instruction ID: fe1f6c240ce4a888f48c4ee73cb5f64fbc811d22bf13276520b53d25543597c8
Opcode Fuzzy Hash: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
Instruction Fuzzy Hash: 2311D27A2042042BD348DA78AC45E7BB3D9DBC5265FA0463EF226D22C1EE71ED094365

Function 10028DB0 Relevance: 6.1, APIs: 4, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
CloseHandle.KERNEL32(00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E35

Memory Dump Source

Source File: 00000000.00000002.3532799323.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_212.jbxd

Similarity

API ID: CloseFileHandle$CreateWrite
String ID:
API String ID: 3602564925-0
Opcode ID: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
Instruction ID: f6076fed0b983a52129b8cb4bf2c1cdfe7202da6017c1e667b93af5c44e6f27f
Opcode Fuzzy Hash: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
Instruction Fuzzy Hash: 39118E36201301ABE710DF18ECC5F6BB7E8FB84714F550919FA6497290D370E90E8B66

Function 0053285F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 00532873

Strings

, xrefs: 00532898
, xrefs: 005328BC

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 8c1aaf76b25d6f05240ea32e0cbc6f725ae848651f37e42dfbfab02a40d5dc74
Instruction ID: 85d05cce4c69b0810045db96ff863c61d2d62803bd692396316a6bd731f7d104
Opcode Fuzzy Hash: 8c1aaf76b25d6f05240ea32e0cbc6f725ae848651f37e42dfbfab02a40d5dc74
Instruction Fuzzy Hash: 0A416A321047985EDB129724DD59BFBBFA9FF05700F1404E5E689C7093C2B14984DBB2

Function 005458D1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 005458D6

Part of subcall function 0054523B: __EH_prolog.LIBCMT ref: 00545240

Strings

V5 , xrefs: 005458F0
x|, xrefs: 00545915

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: H_prolog
String ID: V5 $x|
API String ID: 3519838083-3630372689
Opcode ID: ad4ced9f119e328dbc1b8e0862f8412738c3a41ad5f8b807d7ee4921ce6b9a10
Instruction ID: 11e78c95d9830636b35809e9f5242a07e6ec0bfd3a8bb92be5ab6e30082daf07
Opcode Fuzzy Hash: ad4ced9f119e328dbc1b8e0862f8412738c3a41ad5f8b807d7ee4921ce6b9a10
Instruction Fuzzy Hash: 1DF0C871A00701EBDB24AF78844E7DDBBE4FB44728F10892EB206A65C2D7788A00CB50

Function 0053765A Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00537422,00000000,00000000,00000000,0052EFF3,00000000,00000000,?,00000000,00000000,00000000), ref: 00537682
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00537422,00000000,00000000,00000000,0052EFF3,00000000,00000000,?,00000000,00000000,00000000), ref: 005376B6
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 005376D0
HeapFree.KERNEL32(00000000,?), ref: 005376E7

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 08594dd17b18ef06082ac5740638665e31d113129a95d4f8ea61ba918e90c519
Instruction ID: 764e403e53829eb9d4fa736f669aef0edaf75a1ef21885287a91f9564f54dfcb
Opcode Fuzzy Hash: 08594dd17b18ef06082ac5740638665e31d113129a95d4f8ea61ba918e90c519
Instruction Fuzzy Hash: 6A118C702407019FC7308F59EC8993A7FB2FF887A0B208A29F152D65B0C370A846DF50

Function 0054A42C Relevance: 5.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00828C38,?,00000000,?,?,0054979D,00000010,?,00000000,?,?,?,00549184,005491E7,00548A5D,0054918A), ref: 0054A467
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0054979D,00000010,?,00000000,?,?,?,00549184,005491E7,00548A5D,0054918A), ref: 0054A479
LeaveCriticalSection.KERNEL32(00828C38,?,00000000,?,?,0054979D,00000010,?,00000000,?,?,?,00549184,005491E7,00548A5D,0054918A), ref: 0054A482
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0054979D,00000010,?,00000000,?,?,?,00549184,005491E7,00548A5D,0054918A,00544591), ref: 0054A494

Part of subcall function 0054A399: GetVersion.KERNEL32(?,0054A43C,?,0054979D,00000010,?,00000000,?,?,?,00549184,005491E7,00548A5D,0054918A,00544591,00545836), ref: 0054A3AC

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: eeb8bb5024f9acf617f97ddcae4ce853d8abeed9d9bbde64eb01bfc1e8be555a
Instruction ID: 0502c22259dd1447086d2e8451fb73bfd939e29c9455a3ea79def485902db523
Opcode Fuzzy Hash: eeb8bb5024f9acf617f97ddcae4ce853d8abeed9d9bbde64eb01bfc1e8be555a
Instruction Fuzzy Hash: 63F0447504231ADFCF60DF54FC98996B76CFB7031AB40542AE64593061DB34A45BCAA1

Function 00535D7B Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,005334AB,?,0052D6D8), ref: 00535D88
InitializeCriticalSection.KERNEL32(?,005334AB,?,0052D6D8), ref: 00535D90
InitializeCriticalSection.KERNEL32(?,005334AB,?,0052D6D8), ref: 00535D98
InitializeCriticalSection.KERNEL32(?,005334AB,?,0052D6D8), ref: 00535DA0

Memory Dump Source

Source File: 00000000.00000002.3529914239.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3529881107.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530064954.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530390852.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530415279.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530441852.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530472003.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530501753.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530529733.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530556367.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530582960.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3530720242.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_212.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: b47d094a598671442320a0e7a37f87d8b3c70ec60b0162c471f1b67a473be826
Instruction ID: f09b7e46a3944a21f6efb323c7c42375265d9e7b4a21461fe96da00fa37f67c0
Opcode Fuzzy Hash: b47d094a598671442320a0e7a37f87d8b3c70ec60b0162c471f1b67a473be826
Instruction Fuzzy Hash: 71C002719021B4FBCA512B55FE89C463F67EB1C261301C077A1045D470862E2C50EFD6

Analysis Process: 212.exePID: 2072, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	51.7%
Signature Coverage:	0%
Total number of Nodes:	662
Total number of Limit Nodes:	24

Executed Functions

Function 100193C2 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 424
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF

Strings

@, xrefs: 10019521

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: FilePath$AllocateCopyCountExistsHeapTempTickwsprintf
String ID: @
API String ID: 183890193-2766056989
Opcode ID: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
Instruction ID: 886d6a9a19e72094fdb0421fea6300c5803c3cbfa718e8e798f15b8255d4c358
Opcode Fuzzy Hash: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
Instruction Fuzzy Hash: 26D142B5E40209ABEB01DFD4DCC2F9EB7B4FF18704F540065F604BA282E776A9548B66

Function 1000710E Relevance: 5.1, APIs: 3, Instructions: 556
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: Version$InfoNumbersSystem
String ID:
API String ID: 995872648-0
Opcode ID: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
Instruction ID: 6910099e4755c4c9484fada616f008788a9246664730439cfdd765e490be93a4
Opcode Fuzzy Hash: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
Instruction Fuzzy Hash: 001225B5E40246DBFB00CFA8DC81799B7F0FF19364F290065E909AB345E379A951CB62

Function 10007FDD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00000000), ref: 1000806F

Strings

`+v, xrefs: 1000806F

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: Close
String ID: `+v
API String ID: 3535843008-2805226579
Opcode ID: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
Instruction ID: f7734d6dfd281f4cec539f69a8a4743609fe5589cfe20e3980177d77de103c32
Opcode Fuzzy Hash: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
Instruction Fuzzy Hash: 92112EB5D40308BBEB50DFE0DC86B9DBBB8EF05340F108069E6447A281D7B66B588B91

Function 10018AD3 Relevance: 3.3, APIs: 2, Instructions: 304
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05

HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51

Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: Create$Heap$ComputeCrc32Mutex
String ID:
API String ID: 3311811139-0
Opcode ID: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
Instruction ID: 66fc46a93c8d8d126791b072413d70454ec7258938680aadaad6e332e46fbde2
Opcode Fuzzy Hash: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
Instruction Fuzzy Hash: B8B10CB5E00309ABEB10EFE4DCC2B9E77B8FB14340F504465E618EB246E775AB448B52

Function 1001A199 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(1002D511,00000000), ref: 1001A1FA

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
Instruction ID: 8b03ad6f155dc1ffa3c952e4c0ec4cfc85cd69f7d418c3f1b48ca094e25b3ce2
Opcode Fuzzy Hash: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
Instruction Fuzzy Hash: EF012975D04319A7DB00EFD49C82F9E77B9EB05340F404066E50466151D775DB949B92

Function 10018EEA Relevance: 1.5, APIs: 1, Instructions: 23synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
Instruction ID: b5123a5caac3b4bfff5d25017b882f5dc189a7960400f6af0356bf2a3b5a090f
Opcode Fuzzy Hash: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
Instruction Fuzzy Hash: 49E01270E95308F7E120AA505D03B29B635D70AB11F609055BE083E1C1D5B19A156696

Function 004C3F90 Relevance: 15.3, APIs: 10, Instructions: 281
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,007E95F4), ref: 004C3FF7
LoadLibraryA.KERNEL32(?,?,007F9FD8), ref: 004C40E7
LoadLibraryA.KERNEL32(?,?), ref: 004C412D
LoadLibraryA.KERNEL32(?,?,007F9EE0,?), ref: 004C4175
LoadLibraryA.KERNEL32(?), ref: 004C418B
GetProcAddress.KERNEL32(00000000,?), ref: 004C419D
FreeLibrary.KERNEL32(00000000), ref: 004C4230

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: Library$Load$AddressProc$Free
String ID:
API String ID: 3120990465-0
Opcode ID: 9b10ded3165ffa8ed911674d8f4cba4c92a7c6affc743818d7843ed4808c0364
Instruction ID: e578664c677171d07b919bf33d0cfa4dc7b4e38d6a97b4071a74072c46e41feb
Opcode Fuzzy Hash: 9b10ded3165ffa8ed911674d8f4cba4c92a7c6affc743818d7843ed4808c0364
Instruction Fuzzy Hash: 1AA1A0B9A00702ABC754DF64C895FABB7A8BFD8314F044A2EF85587341DB38E9058B95

Function 00549380 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00828AA0,00828A74,00000000,?,00828A84,00828A84,0054971B,?,00000000,0054916E,00548A5D,0054918A,00544591,00545836,?,00000000), ref: 0054938F
GlobalAlloc.KERNEL32(00002002,00000000,?,?,00828A84,00828A84,0054971B,?,00000000,0054916E,00548A5D,0054918A,00544591,00545836,?,00000000), ref: 005493E4
GlobalHandle.KERNEL32(00BC4280), ref: 005493ED
GlobalUnlock.KERNEL32(00000000), ref: 005493F6
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00549408
GlobalHandle.KERNEL32(00BC4280), ref: 0054941F
GlobalLock.KERNEL32(00000000), ref: 00549426
LeaveCriticalSection.KERNEL32(0052D748,?,?,00828A84,00828A84,0054971B,?,00000000,0054916E,00548A5D,0054918A,00544591,00545836,?,00000000), ref: 0054942C
GlobalLock.KERNEL32(00000000), ref: 0054943B
LeaveCriticalSection.KERNEL32(?), ref: 00549484

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: ad25314e3ab3a8c0cbd963cee62433216bdfd4a3f84765b6980d9fd789afd86f
Instruction ID: 19dbcf0657b61c1cc227c06bdba581954e5447f19367e633dfe00b6d56813a3a
Opcode Fuzzy Hash: ad25314e3ab3a8c0cbd963cee62433216bdfd4a3f84765b6980d9fd789afd86f
Instruction Fuzzy Hash: 863162752007069FDB249F24DC9A96ABBE9FB84305F015E2DF452C36A1E771E849CB10

Function 100294C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
GetTickCount.KERNEL32 ref: 10029543
wsprintfA.USER32 ref: 10029558
PathFileExistsA.SHLWAPI(?), ref: 10029565

Strings

%s%x.tmp, xrefs: 10029552

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: Path$CountExistsFileTempTickwsprintf
String ID: %s%x.tmp
API String ID: 3843276195-78920241
Opcode ID: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
Instruction ID: 19c0f5fbbc49b21063d5a4c1e69b6cb6cd736cc94922c53957f775166a9e82b6
Opcode Fuzzy Hash: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
Instruction Fuzzy Hash: 9521F6352046144FE329D638AC526EB77D5FBC4360F948A2DF9AA831C0DF74DD058791

Function 10027BB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
RtlAllocateHeap.NTDLL(00BC0000,00000008,?,?,10028674), ref: 10027BCD
MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6

Strings

error, xrefs: 10027BDB

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: Heap$AllocateMessageProcess
String ID: error
API String ID: 2992861138-1574812785
Opcode ID: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
Instruction ID: 89e5899bf0a8eaacd33e9d23978464e8beef4f738102cb453b69e42e0a268b90
Opcode Fuzzy Hash: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
Instruction Fuzzy Hash: 4DE0DF71A01A31ABE322EB64BC88F4B7698EF05B41F910526F608E2240EF20AC019791

Function 10028D40 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,100149DF,00000001,00000000,00000000,80000004,00000000,00000000,00000000), ref: 10028D55
GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C

Part of subcall function 10027BB0: GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(00BC0000,00000008,?,?,10028674), ref: 10027BCD
Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6

ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
String ID:
API String ID: 749537981-0
Opcode ID: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
Instruction ID: 3e7a6e3e6917c5c906f0044d82f650070526e8034b550c75b50b94cd4b2286ca
Opcode Fuzzy Hash: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
Instruction Fuzzy Hash: 31F044762003107BE3218B64DCC9F9B77ACEB84B51F204A1DF616961D0E670A5458761

Function 005445A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 005445B4
SetWindowsHookExA.USER32(000000FF,V`H,00000000,00000000), ref: 005445C4

Part of subcall function 0054977C: __EH_prolog.LIBCMT ref: 00549781

Strings

V`H, xrefs: 005445BD

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID: V`H
API String ID: 2183259885-1425837005
Opcode ID: a968092648243b1de3933c13ca20f37d9bfa769727cd23695748f94c2b568f44
Instruction ID: cafaa9d5175e1b4fcbafa3d351b0214de027a49dc63830424b1166ee167f086c
Opcode Fuzzy Hash: a968092648243b1de3933c13ca20f37d9bfa769727cd23695748f94c2b568f44
Instruction Fuzzy Hash: A4F0EC724403527FCF603BB0AD0FBDA3E50BF41329F051658B112565E2DE704884CB51

Function 00549FB0 Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00000000,00000000,00545855,00000000,00000000,00000000,00000000,?,00000000,?,0053CFE3,00000000,00000000,00000000,00000000,0052D748), ref: 00549FB9
SetErrorMode.KERNEL32(00000000,?,00000000,?,0053CFE3,00000000,00000000,00000000,00000000,0052D748,00000000), ref: 00549FC0

Part of subcall function 0054A013: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A044
Part of subcall function 0054A013: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A0E5
Part of subcall function 0054A013: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A112

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: f5cc11b3060c09880d13a835071dac1ff441f947291634e4d0d4758776c38180
Instruction ID: f8c6a5041a6189f4a9727753535ba19f80266c4f89c0d2c832ce6d820c9130e8
Opcode Fuzzy Hash: f5cc11b3060c09880d13a835071dac1ff441f947291634e4d0d4758776c38180
Instruction Fuzzy Hash: A0F03771A442128FDB54BF24D449B8A7FE5BF84724F06848AB4489B3A2CB70D844CB66

Function 004C3A50 Relevance: 3.0, APIs: 2, Instructions: 30
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004C3A67
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004C3A8D

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: d5d2506b950605fd47a43454618ffe8a54ad3c91368ebf1fb006fd2e3387a302
Instruction ID: 76e8f1ffa07dd898dc716bdc8894ed582a4827aed8380352d3db6b074b258331
Opcode Fuzzy Hash: d5d2506b950605fd47a43454618ffe8a54ad3c91368ebf1fb006fd2e3387a302
Instruction Fuzzy Hash: 82F02B35740302BBFB30EAA48C07F5B37686F44B00F58445AF741AB1C0D6B4E5048BE9

Function 005336E8 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,0052D6C6,00000001), ref: 005336F9

Part of subcall function 005335A0: GetVersionExA.KERNEL32 ref: 005335BF

HeapDestroy.KERNEL32 ref: 00533738

Part of subcall function 00536FB5: HeapAlloc.KERNEL32(00000000,00000140,00533721,000003F8), ref: 00536FC2

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: a74c570746986a0d0ea47059bd758b4a4c67e8f0631b46f34643c4d50467435d
Instruction ID: 4c67345b98219cc9fbcd319bd06b0996eed072ab7f9ead6850bd63d8d21f0bfd
Opcode Fuzzy Hash: a74c570746986a0d0ea47059bd758b4a4c67e8f0631b46f34643c4d50467435d
Instruction Fuzzy Hash: C6F0E5F15543029ADF316B71AC4A7396FD4FB94B92F208825F401C51F5EB609781D651

Function 10027C40 Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000008), ref: 10027C6E
RtlFreeHeap.NTDLL(00BC0000,00000000,00000000), ref: 10027C80

Part of subcall function 10027AE0: GetModuleHandleA.KERNEL32(10000000,10027CB6,?,?,00000000,10013438,00000004,1002D4C1,00000000,00000000,?,00000014,00000000,00000000), ref: 10027AEA

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: FreeHandleHeapModuleRead
String ID:
API String ID: 627478288-0
Opcode ID: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
Instruction ID: 59851536013e0aac3578df5bad16e171669d5e3b00cd7f1de4e20f90094f5fd3
Opcode Fuzzy Hash: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
Instruction Fuzzy Hash: 46E0ED71A0153297EB21FB34ADC4A4B769CFB417C0BB1402AF548B3151D330AC818BA2

Function 0052EFA5 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0052F08C

Part of subcall function 00535DA4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0052FEBC,00000009,00000000,00000000,00000001,00533531,00000001,00000074,?,?,00000000,00000001), ref: 00535DE1
Part of subcall function 00535DA4: EnterCriticalSection.KERNEL32(?,?,?,0052FEBC,00000009,00000000,00000000,00000001,00533531,00000001,00000074,?,?,00000000,00000001), ref: 00535DFC

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: b50a54126d5f03314ace5bce555d84f4417006c255ac018d07a5b83e6c35a0ba
Instruction ID: fda5f1372ea282848f20700875a3b7f291e02e6ecb51f2ca8f5cdd57d303a4dd
Opcode Fuzzy Hash: b50a54126d5f03314ace5bce555d84f4417006c255ac018d07a5b83e6c35a0ba
Instruction Fuzzy Hash: 07219131A00225ABDB20DB65FD4ABAE7F74FF05B20F148635F512EB1C2D774A9418754

Function 0052EE7E Relevance: 1.6, APIs: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0052FEBC,00000009,00000000,00000000,00000001,00533531,00000001,00000074), ref: 0052EF52

Part of subcall function 00535DA4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0052FEBC,00000009,00000000,00000000,00000001,00533531,00000001,00000074,?,?,00000000,00000001), ref: 00535DE1
Part of subcall function 00535DA4: EnterCriticalSection.KERNEL32(?,?,?,0052FEBC,00000009,00000000,00000000,00000001,00533531,00000001,00000074,?,?,00000000,00000001), ref: 00535DFC

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapInitialize
String ID:
API String ID: 641406236-0
Opcode ID: 24c306d7923f459035ffe69cb54918f162b565b98831144c1282bc373f874ba9
Instruction ID: 2cd68e3eda54daa632ce78adaa8977869d60c8453585af0fd4ff57cff763c124
Opcode Fuzzy Hash: 24c306d7923f459035ffe69cb54918f162b565b98831144c1282bc373f874ba9
Instruction Fuzzy Hash: 2C21077280566AABDF209B54ED0BBDE7F78FF45720F280529F410B61C0D7348940CBA0

Function 10004B1B Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(-0000007F), ref: 10004BAD

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
Instruction ID: 7f13cb2829284cec5adb7bd0b88e9c5a5f53f04c1fb2448feb0c9f08ba257be5
Opcode Fuzzy Hash: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
Instruction Fuzzy Hash: 0111C4B1600645DBFB20DF18C894B5973A5EB413D9F128336E806CB2E8CB78DD85C789

Function 00545111 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

LoadStringA.USER32(?,?,?,?), ref: 00545128

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: e00ba2af5c0ab2ebee51c7ba3a58208dc53a8c205b24856cabd4796f089c07ce
Instruction ID: f866337a6e553ccfb506ae1d9a70e8dbcc8f7b4d9878c9d426e063b8485df80a
Opcode Fuzzy Hash: e00ba2af5c0ab2ebee51c7ba3a58208dc53a8c205b24856cabd4796f089c07ce
Instruction Fuzzy Hash: ADD0A7725093629BC751DF50880CDCFBFA8BF54320B050C0DF58443212D320C804CB61

Function 00543BFA Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?,004C05BC,00000000), ref: 00543C08

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ffc18a60ec64a25ffe576df6f9df42f32a41d4df3b93da3696965e1d8b0a479c
Instruction ID: 252037205515f111dae06e2208d33911f0af6dae1e059eb374bc1af3dd6e5d94
Opcode Fuzzy Hash: ffc18a60ec64a25ffe576df6f9df42f32a41d4df3b93da3696965e1d8b0a479c
Instruction Fuzzy Hash: C7D09231204200EFCF058F60CA88A5ABBA2BF94709F249968E5469A166D732DD62FF01

Function 10028E50 Relevance: 1.5, APIs: 1, Instructions: 4fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
Instruction ID: ffbd99c73049c44a809e906c9e813abd6042298cab9f2baa300a0a2bd65e465f
Opcode Fuzzy Hash: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
Instruction Fuzzy Hash: 5EA00275904611EBDE11DBA4C9DC84B7BACAB84341B108844F155C2130C634D451CB21

Non-executed Functions

Function 004CBF30 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 93libraryloaderwindowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004CBF3C
IsZoomed.USER32(?), ref: 004CBF4A
LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 004CBF74
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004CBF87
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004CBF95
FreeLibrary.KERNEL32(00000000), ref: 004CBFCB
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004CBFE1
IsWindow.USER32(?), ref: 004CC00E
ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 004CC01B

Strings

H, xrefs: 004CBFB8
MonitorFromWindow, xrefs: 004CBF81
User32.dll, xrefs: 004CBF69
GetMonitorInfoA, xrefs: 004CBF8D

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
API String ID: 447426925-661446951
Opcode ID: 8b34f5fbba60183606cc67ad269d2bff897997b10f0a45e32e74d7b78f754ff6
Instruction ID: ca2de38681900c8b3a34e365fa1ea7a15dce86e6860c6c7bd0eacf66f68d9767
Opcode Fuzzy Hash: 8b34f5fbba60183606cc67ad269d2bff897997b10f0a45e32e74d7b78f754ff6
Instruction Fuzzy Hash: 33316D75300302AFDB209F65CC5AF2B77A8EF94B41F04841DFA05E7290DB78E9098BA5

Function 100221E2 Relevance: 6.3, APIs: 4, Instructions: 331fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,00000018,00000000,00000000,00000000,00000000,00000000,00000018,00000000,00000000,00000000,00000000,00000000), ref: 100226B0

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
Instruction ID: aca3888e1ced534dfb8bff30dc6f5772290e13aa398f14ea119e8b9ebb5f1563
Opcode Fuzzy Hash: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
Instruction Fuzzy Hash: CED1AF75D40209FBEF219FE0EC46BDDBAB1EB09714F608115F6203A2E0C7B62A549F59

Function 1001A8BE Relevance: 6.3, APIs: 4, Instructions: 265COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 1001A976
SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: ObjectSelect$Release
String ID:
API String ID: 3581861777-0
Opcode ID: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
Instruction ID: 0a28f281d22c81f76b667070ee8f4b39c3514b9b46e69f88ae8cd14bf3a1b365
Opcode Fuzzy Hash: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
Instruction Fuzzy Hash: 2B9116B0D40309EBDF01EF81DC86BAEBBB1EB0A715F005015F6187A290D3B69691CF96

Function 1001A6F8 Relevance: 6.1, APIs: 4, Instructions: 133windowthreadCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 1001A773
IsWindowVisible.USER32(00000000), ref: 1001A7AC
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 1001A7E9
GetWindow.USER32(00000000,00000002), ref: 1001A872

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: Window$ProcessThreadVisible
String ID:
API String ID: 569392824-0
Opcode ID: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
Instruction ID: 356be4359fdaef5b37944779847d5b641f80ef076249e3ad3302764c89b6051f
Opcode Fuzzy Hash: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
Instruction Fuzzy Hash: 284105B4D40219EBEB40EF90DC87BAEFBB0FB06711F105065E5097E190E7B19A90CB96

Function 1001419C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34nativesynchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?,?,10026B6B), ref: 100141AB
NtClose.NTDLL(?), ref: 100141D7

Strings

`+v, xrefs: 100141D7

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: CloseMutexRelease
String ID: `+v
API String ID: 2985832019-2805226579
Opcode ID: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
Instruction ID: 38ac61447b851c898caa1bdb063a432cf123be9b48bf26603be34453f4d11833
Opcode Fuzzy Hash: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
Instruction Fuzzy Hash: 69F08CB0E41308F7DA00AF50DC03B7DBA30EB16751F105021FA087E0A0DBB29A659A9A

Function 004C3AB0 Relevance: 33.3, APIs: 22, Instructions: 293windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 004C3B3F
GetWindowRect.USER32(?,?), ref: 004C3B96
GetParent.USER32(?), ref: 004C3BA6
GetParent.USER32(?), ref: 004C3BD9
GlobalSize.KERNEL32(00000000), ref: 004C3C23
GlobalLock.KERNEL32(00000000), ref: 004C3C2B
IsWindow.USER32(?), ref: 004C3C44
GetTopWindow.USER32(?), ref: 004C3C81
GetWindow.USER32(00000000,00000002), ref: 004C3C9A
SetParent.USER32(?,?), ref: 004C3CC6
SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 004C3D11
SendMessageA.USER32(?,00008076,00000000,00000000), ref: 004C3D20
GetParent.USER32(?), ref: 004C3D33
SendMessageA.USER32(?,00008004,00000000,00000000), ref: 004C3D4C
GetWindowLongA.USER32(?,000000F0), ref: 004C3D54
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C3D84
SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 004C3D92
IsWindow.USER32(?), ref: 004C3DDE
GetFocus.USER32 ref: 004C3DE8
SetFocus.USER32(?,00000000), ref: 004C3E00
GlobalUnlock.KERNEL32(00000000), ref: 004C3E0B
GlobalFree.KERNEL32(00000000), ref: 004C3E12

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: Window$MessageSend$GlobalParent$Focus$FreeLockLongRectSizeUnlock
String ID:
API String ID: 300820980-0
Opcode ID: 6b2d19022c303c560a606d4373abd6d474ffda4d7c8ed9712acb6c180502ab52
Instruction ID: d64792a409ee377208514b965d62652c23c408aba312b1830a5aeadd8349051f
Opcode Fuzzy Hash: 6b2d19022c303c560a606d4373abd6d474ffda4d7c8ed9712acb6c180502ab52
Instruction Fuzzy Hash: D6A1AB75204301AFD724DF65CC88F2BBBE8BB88701F108A1DF94697391DB78E9058B65

Function 10029640 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113librarywindowstringCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 10029652
LoadLibraryA.KERNEL32(?), ref: 1002965F
wsprintfA.USER32 ref: 10029676
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C

Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25

atoi.MSVCRT(?), ref: 100296CB
strchr.MSVCRT ref: 10029703
GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
wsprintfA.USER32 ref: 10029739
MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F

Strings

DLL ERROR, xrefs: 10029685, 10029748

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
String ID: DLL ERROR
API String ID: 3187504500-4092134112
Opcode ID: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
Instruction ID: 2d8d4974cead62a1b0d3c1b872151993aa02a2f76add0cb6c4d459240c98e11b
Opcode Fuzzy Hash: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
Instruction Fuzzy Hash: 7E3139B26003529BE310EF74AC94F9BB7D8EB85340F904929FB09D3241EB75E919C7A5

Function 10028E60 Relevance: 16.7, APIs: 11, Instructions: 162registrystringCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000001), ref: 10028E9E
strrchr.MSVCRT ref: 10028EC7
RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
??2@YAPAXI@Z.MSVCRT ref: 10028F03
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,80000004,00000000,00000000,00000000), ref: 10028F26
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F34
??2@YAPAXI@Z.MSVCRT(?,00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F3E
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000), ref: 10028F5B
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F8A
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000), ref: 10028F97
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F9E

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
String ID:
API String ID: 1380196384-0
Opcode ID: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
Instruction ID: 11253f6a850e8c32f07a3e9f8fa5c0c7ac66a22cffc6c79301f50e11ea2e9c0e
Opcode Fuzzy Hash: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
Instruction Fuzzy Hash: 304126792003055BE344DA78EC45E2B77D9EFC2660F950A2DF915C3281EE75EE0983A2

Function 0053AF25 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,005338A2,?,Microsoft Visual C++ Runtime Library,00012010,?,007C9F0C,?,007C9F5C,?,?,?,Runtime Error!Program: ), ref: 0053AF37
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0053AF4F
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0053AF60
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0053AF6D

Strings

user32.dll, xrefs: 0053AF32
MessageBoxA, xrefs: 0053AF49
GetLastActivePopup, xrefs: 0053AF62
GetActiveWindow, xrefs: 0053AF5A

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 604af9be48b74d6b37cba5a06dcc955a4dab07b5c7217c3233dd45b2da2f4d19
Instruction ID: f0e1bba689a84424b36bc535488d7273ea80ded20c6c35011142a7bf629c30a5
Opcode Fuzzy Hash: 604af9be48b74d6b37cba5a06dcc955a4dab07b5c7217c3233dd45b2da2f4d19
Instruction Fuzzy Hash: F90175B56043037F87219FB5AC88DA63F98B758741B04452DF185C2161DB78C856DB62

Function 00536CA4 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,007CA19C,00000001,00000000,00000000,7591E860,0082CD44,?,?,?,0052F41D,?,?,?,00000000), ref: 00536CE6
LCMapStringA.KERNEL32(00000000,00000100,007CA198,00000001,00000000,00000000,?,?,0052F41D,?,?,?,00000000,00000001), ref: 00536D02
LCMapStringA.KERNEL32(?,?,?,0052F41D,?,?,7591E860,0082CD44,?,?,?,0052F41D,?,?,?,00000000), ref: 00536D4B
MultiByteToWideChar.KERNEL32(?,0082CD45,?,0052F41D,00000000,00000000,7591E860,0082CD44,?,?,?,0052F41D,?,?,?,00000000), ref: 00536D83
MultiByteToWideChar.KERNEL32(00000000,00000001,?,0052F41D,?,00000000,?,?,0052F41D,?), ref: 00536DDB
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0052F41D,?), ref: 00536DF1
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0052F41D,?), ref: 00536E24
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0052F41D,?), ref: 00536E8C

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 24bfa6ab88c75c27c8b184671c76d6921041d24ea99ff31d5ae9fdc4d14a49df
Instruction ID: 7e62f9c2904481175a4bf4a769525b53bb9e801f03825a17d46423ec3d378b8e
Opcode Fuzzy Hash: 24bfa6ab88c75c27c8b184671c76d6921041d24ea99ff31d5ae9fdc4d14a49df
Instruction Fuzzy Hash: 29515676900249BFCF228F94CC45EAF7FB9FB89754F208519F954A21A0C3328D25EB60

Function 004D1040 Relevance: 12.4, APIs: 8, Instructions: 368windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 004D11BE
AppendMenuA.USER32(?,?,00000000,?), ref: 004D1321
AppendMenuA.USER32(?,00000000,00000000,?), ref: 004D1359
ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 004D1377
AppendMenuA.USER32(?,?,00000000,?), ref: 004D13D5
ModifyMenuA.USER32(?,?,?,?,?), ref: 004D13FA
AppendMenuA.USER32(?,?,?,?), ref: 004D1442
ModifyMenuA.USER32(?,?,?,?,?), ref: 004D1467

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: Menu$Append$Modify$CreatePopup
String ID:
API String ID: 3846898120-0
Opcode ID: 72680fa215ec3d319d3ca8b81f974e3cafc247a1d5bed14a48b48924bde05489
Instruction ID: ba02b69285cb63d79b01c4d172c792f21ce8e92849659d4e7f0852d82744984b
Opcode Fuzzy Hash: 72680fa215ec3d319d3ca8b81f974e3cafc247a1d5bed14a48b48924bde05489
Instruction Fuzzy Hash: AED178B1A04300ABD714DF18C894A6BBBE4EF89754F04452EFD8593361E779EC05CBAA

Function 0053377E Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 005337EB
GetStdHandle.KERNEL32(000000F4,007C9F0C,00000000,00000000,00000000,?), ref: 005338C1
WriteFile.KERNEL32(00000000), ref: 005338C8

Strings

Runtime Error!Program: , xrefs: 00533851
Microsoft Visual C++ Runtime Library, xrefs: 00533897
..., xrefs: 0053383D
<program name unknown>, xrefs: 005337FB

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 39f9735ca91d60f41570321e6ef46a0dab1f2a023fb08d5050bddd71bcc139b6
Instruction ID: 0b6ad3c494b87d0136ac5ac153a61c78c0e9e297ae616589726871a24d135e90
Opcode Fuzzy Hash: 39f9735ca91d60f41570321e6ef46a0dab1f2a023fb08d5050bddd71bcc139b6
Instruction Fuzzy Hash: B031B4B2A012197FDF20EA60CD4AF99BB6CFF89301F10056EF545D6091E674EA448B52

Function 100283F0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

%lf, xrefs: 10028618
%I64d, xrefs: 100285E2

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID:
String ID: %I64d$%lf
API String ID: 0-1545097854
Opcode ID: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
Instruction ID: a68653634a99df22c50c27c61c92b13d05d716d03379e836d9a088690611f418
Opcode Fuzzy Hash: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
Instruction Fuzzy Hash: 0F516C7A5052424BD738D524BC85AEF73C4EBC0310FE08A2EFA59D21D1DE79DE458392

Function 005331B7 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052D6FE), ref: 005331D2
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052D6FE), ref: 005331E6
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052D6FE), ref: 00533212
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052D6FE), ref: 0053324A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052D6FE), ref: 0053326C
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0052D6FE), ref: 00533285
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052D6FE), ref: 00533298
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 005332D6

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 2dc31ee5f9dde6b73461f66eda9cec09d5fece40f736755a31cb8567cf034021
Instruction ID: 64c6afea7cee3d6c7fa56bc722d699f0b762b898e42925471947c3ae899326f4
Opcode Fuzzy Hash: 2dc31ee5f9dde6b73461f66eda9cec09d5fece40f736755a31cb8567cf034021
Instruction Fuzzy Hash: 603128765083656FDB307FB5ACC883BBF9CFB46358F26092DF552C3150EA228E858261

Function 004C02A0 Relevance: 10.8, APIs: 7, Instructions: 268windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004C02DD
GetParent.USER32(?), ref: 004C02EF
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C0317
GetWindowRect.USER32(?,?), ref: 004C03A1
InvalidateRect.USER32(?,?,00000001,?), ref: 004C03C4
GetWindowRect.USER32(?,?), ref: 004C058C
InvalidateRect.USER32(?,?,00000001,?), ref: 004C05AD

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: Rect$Window$Invalidate$MessageParentSend
String ID:
API String ID: 236041146-0
Opcode ID: 81d391b1a723e09b9c18cc64043a067ec70dd673582f5b40f8d30b79793eff16
Instruction ID: 937ae44d16426e21a2b4a2e884431875b6552d52f83649002b11723826816f3d
Opcode Fuzzy Hash: 81d391b1a723e09b9c18cc64043a067ec70dd673582f5b40f8d30b79793eff16
Instruction Fuzzy Hash: 5791D475600305EBC764EF258890F6B77E8AF84758F04061EFD45AB391EB38ED058BA9

Function 0053A478 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,007CA19C,00000001,?,7591E860,0082CD44,?,?,0052F41D,?,?,?,00000000,00000001), ref: 0053A4B7
GetStringTypeA.KERNEL32(00000000,00000001,007CA198,00000001,?,?,0052F41D,?,?,?,00000000,00000001), ref: 0053A4D1
GetStringTypeA.KERNEL32(?,?,?,?,0052F41D,7591E860,0082CD44,?,?,0052F41D,?,?,?,00000000,00000001), ref: 0053A505
MultiByteToWideChar.KERNEL32(?,0082CD45,?,?,00000000,00000000,7591E860,0082CD44,?,?,0052F41D,?,?,?,00000000,00000001), ref: 0053A53D
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0052F41D,?), ref: 0053A593
GetStringTypeW.KERNEL32(?,?,00000000,0052F41D,?,?,?,?,?,?,0052F41D,?), ref: 0053A5A5

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: b4d4fee43a7458e732e2d999d20c072156b80c36ac08699a833b659e2c3f4ecf
Instruction ID: ef5c5989a5ad02be5d7cc3584b3f9404c80540e5917e1d93e8e8ffff131a742d
Opcode Fuzzy Hash: b4d4fee43a7458e732e2d999d20c072156b80c36ac08699a833b659e2c3f4ecf
Instruction Fuzzy Hash: 4841AB72A00219AFCF219F94DC8AEAF7FB8FB08750F104929F951E6190D3358951DBA2

Function 005494EF Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00828A84,00828A74,00000000,?,00828A84,?,00549757,00828A74,00000000,?,00000000,0054916E,00548A5D,0054918A,00544591,00545836), ref: 005494FA
EnterCriticalSection.KERNEL32(00828AA0,00000010,?,00828A84,?,00549757,00828A74,00000000,?,00000000,0054916E,00548A5D,0054918A,00544591,00545836), ref: 00549549
LeaveCriticalSection.KERNEL32(00828AA0,00000000,?,00828A84,?,00549757,00828A74,00000000,?,00000000,0054916E,00548A5D,0054918A,00544591,00545836), ref: 0054955C
LocalAlloc.KERNEL32(00000000,00000004,?,00828A84,?,00549757,00828A74,00000000,?,00000000,0054916E,00548A5D,0054918A,00544591,00545836), ref: 00549572
LocalReAlloc.KERNEL32(?,00000004,00000002,?,00828A84,?,00549757,00828A74,00000000,?,00000000,0054916E,00548A5D,0054918A,00544591,00545836), ref: 00549584
TlsSetValue.KERNEL32(00828A84,00000000), ref: 005495C0

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 09c08a3a4eb80fab8db2f2d42db08bcd85555a3e9850e7eec76cd9f337a95e60
Instruction ID: d314953437a65988bf00e03e6e0fd61df6850875b249dd34258c7cb7a2996c41
Opcode Fuzzy Hash: 09c08a3a4eb80fab8db2f2d42db08bcd85555a3e9850e7eec76cd9f337a95e60
Instruction Fuzzy Hash: 24318B75100606AFD724CF25D89AFAABBF8FF84365F108518E41AC7690EB70E909CB61

Function 005335A0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 005335BF
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 005335F4
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00533654

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 0053362E
__MSVCRT_HEAP_SELECT, xrefs: 005335EF

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: b607b6ef8efe049945f403024f125693ff9173641362d9219b2631418e714a53
Instruction ID: 57df116f9518b6539dae56cc20ffea0985c980ffa13df89a4c189f76b5e3d1fe
Opcode Fuzzy Hash: b607b6ef8efe049945f403024f125693ff9173641362d9219b2631418e714a53
Instruction Fuzzy Hash: 913108719412587EEF318770ACABBDD3F68BB16704F2404E9E186D6282E631CF89CB11

Function 0054A013 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A044

Part of subcall function 0054A130: lstrlenA.KERNEL32(00000104,00000000,?,0054A074), ref: 0054A167

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A0E5
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A112

Strings

.HLP, xrefs: 0054A0DF
.INI, xrefs: 0054A10C

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: fb49887c37ddf0ed12a10b4492493638add2dc4591c4057a0a5c557e31854f7d
Instruction ID: d4e897bc804fbd9a06e482a31eb32c3122f19a2f0776b96c4610414395a546e5
Opcode Fuzzy Hash: fb49887c37ddf0ed12a10b4492493638add2dc4591c4057a0a5c557e31854f7d
Instruction Fuzzy Hash: 453170B5944719AFDB61EB70D889BC6BBFCBB04314F10496AE19AD3151EB70A984CB10

Function 004C50E0 Relevance: 7.9, APIs: 5, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971fa5ec1ac9746eab38bb25744c1630ed5b487fb411abd4c832412803407726
Instruction ID: 91f9a213ac50948b85aaf26671f61340b6d754f088b8aef3b03e40e6761f5808
Opcode Fuzzy Hash: 971fa5ec1ac9746eab38bb25744c1630ed5b487fb411abd4c832412803407726
Instruction Fuzzy Hash: ACC182755046029FC354DF28C881E6FB7F8ABC4348F404A1EF84697251EB38F9468BAA

Function 005332E9 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00533347
GetFileType.KERNEL32(?,?,00000000), ref: 005333F2
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00533455
GetFileType.KERNEL32(00000000,?,00000000), ref: 00533463
SetHandleCount.KERNEL32 ref: 0053349A

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: d6e37824fc1fcd17a0ba4b0e5ba39c154400018abfcd94fd87971b40fcb334b9
Instruction ID: e4926ee63d62097997140b7dbf1029f50fe98d1243084f8f1a2e0731c6be5e19
Opcode Fuzzy Hash: d6e37824fc1fcd17a0ba4b0e5ba39c154400018abfcd94fd87971b40fcb334b9
Instruction Fuzzy Hash: 885103319042118FDB22CB78D8887697FA0FF11324F298B6CD5A2DB2E1DB70DA46D751

Function 004C5F20 Relevance: 7.6, APIs: 5, Instructions: 92windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004C5F90
GetMenu.USER32(?), ref: 004C5F9F
DestroyAcceleratorTable.USER32(?), ref: 004C5FEC
SetMenu.USER32(?,00000000), ref: 004C6001
DestroyMenu.USER32(?), ref: 004C6011

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: Menu$Destroy$AcceleratorTableWindow
String ID:
API String ID: 1240299919-0
Opcode ID: 9b1d58f53bbe6370dbf0b6d65112e3aea7c1c26efba9697c471bf99ff4dec6e5
Instruction ID: 7c0535e941d7d3fd0b10e7b007c20aedc11c57f6f93d57a8f4ef3e243c0a8a7e
Opcode Fuzzy Hash: 9b1d58f53bbe6370dbf0b6d65112e3aea7c1c26efba9697c471bf99ff4dec6e5
Instruction Fuzzy Hash: FE3193B5600306AFC720EF65DC84E6B77A9EF84358F02451EBD0597252EA38E809CBB5

Function 0053350C Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,0052FA12,00532327,00000000,?,?,00000000,00000001), ref: 0053350E
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 0053351C
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00533568

Part of subcall function 0052FE06: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00533531,00000001,00000074,?,?,00000000,00000001), ref: 0052FEFC

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00533540
GetCurrentThreadId.KERNEL32 ref: 00533551

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: bc7cd2e637902eaac407db08a1f109314cb19395c12542a2cb2172fe85cf5b20
Instruction ID: 113c38dc11d51d1f46bf1de2cba831703df6c8726d96940d9c0845b0ef1d0721
Opcode Fuzzy Hash: bc7cd2e637902eaac407db08a1f109314cb19395c12542a2cb2172fe85cf5b20
Instruction Fuzzy Hash: 1CF0B436501732ABD7212B78BC1D61D3F64FF51772F114629F981D61F1CF248A41D6A1

Function 10027B50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 10027B78
MessageBoxA.USER32(00000000,?,error,00000010), ref: 10027B8F

Strings

error, xrefs: 10027B87
program internal error number is %d. %s, xrefs: 10027B72

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: Messagewsprintf
String ID: error$program internal error number is %d. %s
API String ID: 300413163-3752934751
Opcode ID: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
Instruction ID: e1549d366f44cd83cf328da68a9c66535f66093051f9031b2c984319b6cde580
Opcode Fuzzy Hash: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
Instruction Fuzzy Hash: B9E092755002006BE344EBA4ECAAFAA33A8E708701FC0085EF34981180EBB1A9548616

Function 00537AFC Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,007EADD0,007EADD0,?,?,00537FC8,00000000,00000010,00000000,00000009,00000009,?,0052F051,00000010,00000000), ref: 00537B1D
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00537FC8,00000000,00000010,00000000,00000009,00000009,?,0052F051,00000010,00000000), ref: 00537B41
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00537FC8,00000000,00000010,00000000,00000009,00000009,?,0052F051,00000010,00000000), ref: 00537B5B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00537FC8,00000000,00000010,00000000,00000009,00000009,?,0052F051,00000010,00000000,?), ref: 00537C1C
HeapFree.KERNEL32(00000000,00000000,?,?,00537FC8,00000000,00000010,00000000,00000009,00000009,?,0052F051,00000010,00000000,?,00000000), ref: 00537C33

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: be17aa462f055b61432a0e776fc9fac0b8f745695e918528d87bf5a2ab635a17
Instruction ID: c0061202501f72a443a32e163fcfa371bd33615edaab93cf94516d343ee5523c
Opcode Fuzzy Hash: be17aa462f055b61432a0e776fc9fac0b8f745695e918528d87bf5a2ab635a17
Instruction Fuzzy Hash: 6A31F0B0A4570EABD331CF24EC45B21BBE4FB8C756F118A39E0559B690E778A840DB49

Function 004C24E0 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004C2554
GetParent.USER32(00000000), ref: 004C25A4
IsWindow.USER32(?), ref: 004C25C4
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 004C263F

Part of subcall function 00543BFA: ShowWindow.USER32(?,?,004C05BC,00000000), ref: 00543C08

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: Window$ParentShow
String ID:
API String ID: 2052805569-0
Opcode ID: 1b81bce4c9786c850dedb856b074b5a48fab155c1fc0002ee67d46a371345eb3
Instruction ID: 734b0cee86b26a234b7f9e257adaf741cea80643d3f18d4d8b90665461c56b41
Opcode Fuzzy Hash: 1b81bce4c9786c850dedb856b074b5a48fab155c1fc0002ee67d46a371345eb3
Instruction Fuzzy Hash: 2641C175700311ABD360EE249D81FABB3A4AB94754F04052EFD459B381EBF8E80587B5

Function 10029F50 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 10029FB3
LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,?,?,000009DC,00000000,?,10028774,00000001,?), ref: 10029FE7
free.MSVCRT ref: 10029FF6
free.MSVCRT ref: 1002A014

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: free$Stringmalloc
String ID:
API String ID: 3576809655-0
Opcode ID: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
Instruction ID: fe1f6c240ce4a888f48c4ee73cb5f64fbc811d22bf13276520b53d25543597c8
Opcode Fuzzy Hash: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
Instruction Fuzzy Hash: 2311D27A2042042BD348DA78AC45E7BB3D9DBC5265FA0463EF226D22C1EE71ED094365

Function 0052D668 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0052D68E

Part of subcall function 005336E8: HeapCreate.KERNEL32(00000000,00001000,00000000,0052D6C6,00000001), ref: 005336F9
Part of subcall function 005336E8: HeapDestroy.KERNEL32 ref: 00533738

GetCommandLineA.KERNEL32 ref: 0052D6EE
GetStartupInfoA.KERNEL32(?), ref: 0052D719
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0052D73C

Part of subcall function 0052D795: ExitProcess.KERNEL32 ref: 0052D7B2

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 0628e629c6cb789062e5930e7e98b9449164dc3c39a12ae0ff9b831c0963d826
Instruction ID: fe17ad6629eb14775e6edcfa1fb380c5c3f9d267a9a03c527cbe546e9254be7a
Opcode Fuzzy Hash: 0628e629c6cb789062e5930e7e98b9449164dc3c39a12ae0ff9b831c0963d826
Instruction Fuzzy Hash: AC21B1B1900716AFDB18AFB4EC4ABAE7FB8FF85B10F144419F9019B291DB748841C760

Function 10028DB0 Relevance: 6.1, APIs: 4, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
CloseHandle.KERNEL32(00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E35

Memory Dump Source

Source File: 00000003.00000002.3532854891.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_212.jbxd

Similarity

API ID: CloseFileHandle$CreateWrite
String ID:
API String ID: 3602564925-0
Opcode ID: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
Instruction ID: f6076fed0b983a52129b8cb4bf2c1cdfe7202da6017c1e667b93af5c44e6f27f
Opcode Fuzzy Hash: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
Instruction Fuzzy Hash: 39118E36201301ABE710DF18ECC5F6BB7E8FB84714F550919FA6497290D370E90E8B66

Function 0053285F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 00532873

Strings

, xrefs: 00532898
, xrefs: 005328BC

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 8c1aaf76b25d6f05240ea32e0cbc6f725ae848651f37e42dfbfab02a40d5dc74
Instruction ID: 85d05cce4c69b0810045db96ff863c61d2d62803bd692396316a6bd731f7d104
Opcode Fuzzy Hash: 8c1aaf76b25d6f05240ea32e0cbc6f725ae848651f37e42dfbfab02a40d5dc74
Instruction Fuzzy Hash: 0A416A321047985EDB129724DD59BFBBFA9FF05700F1404E5E689C7093C2B14984DBB2

Function 005458D1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 005458D6

Part of subcall function 0054523B: __EH_prolog.LIBCMT ref: 00545240

Strings

x|, xrefs: 00545915
V5 , xrefs: 005458F0

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: H_prolog
String ID: V5 $x|
API String ID: 3519838083-3630372689
Opcode ID: ad4ced9f119e328dbc1b8e0862f8412738c3a41ad5f8b807d7ee4921ce6b9a10
Instruction ID: 11e78c95d9830636b35809e9f5242a07e6ec0bfd3a8bb92be5ab6e30082daf07
Opcode Fuzzy Hash: ad4ced9f119e328dbc1b8e0862f8412738c3a41ad5f8b807d7ee4921ce6b9a10
Instruction Fuzzy Hash: 1DF0C871A00701EBDB24AF78844E7DDBBE4FB44728F10892EB206A65C2D7788A00CB50

Function 0053765A Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00537422,00000000,00000000,00000000,0052EFF3,00000000,00000000,?,00000000,00000000,00000000), ref: 00537682
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00537422,00000000,00000000,00000000,0052EFF3,00000000,00000000,?,00000000,00000000,00000000), ref: 005376B6
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 005376D0
HeapFree.KERNEL32(00000000,?), ref: 005376E7

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 08594dd17b18ef06082ac5740638665e31d113129a95d4f8ea61ba918e90c519
Instruction ID: 764e403e53829eb9d4fa736f669aef0edaf75a1ef21885287a91f9564f54dfcb
Opcode Fuzzy Hash: 08594dd17b18ef06082ac5740638665e31d113129a95d4f8ea61ba918e90c519
Instruction Fuzzy Hash: 6A118C702407019FC7308F59EC8993A7FB2FF887A0B208A29F152D65B0C370A846DF50

Function 0054A42C Relevance: 5.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00828C38,?,00000000,?,?,0054979D,00000010,?,00000000,?,?,?,00549184,005491E7,00548A5D,0054918A), ref: 0054A467
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0054979D,00000010,?,00000000,?,?,?,00549184,005491E7,00548A5D,0054918A), ref: 0054A479
LeaveCriticalSection.KERNEL32(00828C38,?,00000000,?,?,0054979D,00000010,?,00000000,?,?,?,00549184,005491E7,00548A5D,0054918A), ref: 0054A482
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0054979D,00000010,?,00000000,?,?,?,00549184,005491E7,00548A5D,0054918A,00544591), ref: 0054A494

Part of subcall function 0054A399: GetVersion.KERNEL32(?,0054A43C,?,0054979D,00000010,?,00000000,?,?,?,00549184,005491E7,00548A5D,0054918A,00544591,00545836), ref: 0054A3AC

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: eeb8bb5024f9acf617f97ddcae4ce853d8abeed9d9bbde64eb01bfc1e8be555a
Instruction ID: 0502c22259dd1447086d2e8451fb73bfd939e29c9455a3ea79def485902db523
Opcode Fuzzy Hash: eeb8bb5024f9acf617f97ddcae4ce853d8abeed9d9bbde64eb01bfc1e8be555a
Instruction Fuzzy Hash: 63F0447504231ADFCF60DF54FC98996B76CFB7031AB40542AE64593061DB34A45BCAA1

Function 00535D7B Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,005334AB,?,0052D6D8), ref: 00535D88
InitializeCriticalSection.KERNEL32(?,005334AB,?,0052D6D8), ref: 00535D90
InitializeCriticalSection.KERNEL32(?,005334AB,?,0052D6D8), ref: 00535D98
InitializeCriticalSection.KERNEL32(?,005334AB,?,0052D6D8), ref: 00535DA0

Memory Dump Source

Source File: 00000003.00000002.3529858242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3529829165.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.0000000000550000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000006BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530027150.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530374735.00000000007D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530401701.00000000007D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530425031.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530452406.00000000007E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530481171.00000000007E4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530503219.00000000007E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530531778.00000000007EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.00000000007F9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000807000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.0000000000827000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530555017.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000929000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3530691976.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_212.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: b47d094a598671442320a0e7a37f87d8b3c70ec60b0162c471f1b67a473be826
Instruction ID: f09b7e46a3944a21f6efb323c7c42375265d9e7b4a21461fe96da00fa37f67c0
Opcode Fuzzy Hash: b47d094a598671442320a0e7a37f87d8b3c70ec60b0162c471f1b67a473be826
Instruction Fuzzy Hash: 71C002719021B4FBCA512B55FE89C463F67EB1C261301C077A1045D470862E2C50EFD6

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 212.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\47ae76.tmp

C:\Users\user\AppData\Local\Temp\47af22.tmp

C:\Users\user\AppData\Local\Temp\47eeac.tmp

C:\Users\user\AppData\Local\Temp\47ef0a.tmp

C:\Users\user\Desktop\ .bmp

C:\Users\user\Desktop\ 1.bmp

C:\Users\user\Desktop\ 2.bmp

C:\Users\user\Desktop\ .bmp

C:\Users\user\Desktop\ 4.bmp

C:\Users\user\Desktop\ 404.bmp

C:\Users\user\Desktop\QQWER.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
212.exe

Function 004C3F90 Relevance: 15.3, APIs: 10, Instructions: 281
libraryloaderCOMMON

Function 10027BB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
memorywindowCOMMON

Function 100193C2 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 424
memoryfileCOMMON

Function 1000710E Relevance: 5.1, APIs: 3, Instructions: 556
COMMON

Function 10007FDD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
nativeCOMMON

Function 10018AD3 Relevance: 3.3, APIs: 2, Instructions: 304
memoryCOMMON

Function 00549380 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMON

Function 100294C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86
COMMON

Function 10028D40 Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Function 005445A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
threadCOMMON

Function 00549FB0 Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Function 004C3A50 Relevance: 3.0, APIs: 2, Instructions: 30
windowCOMMON