Edit tour

Windows Analysis Report
#U4ee3#U7406.exe

Overview

General Information

Sample name:	#U4ee3#U7406.exe renamed because original name is a hash value
Original sample name:	.exe
Analysis ID:	1560005
MD5:	b01a11449dd83a10497833b23fb0887d
SHA1:	8f5276ee02a5b4b23cb7e9d500dd0df71382e211
SHA256:	9b165f6672e74ed5dc437040829bd602afc411ce8c948c41b6d739bf1fbfb09a
Tags:	exemalwareopendiruser-Joker
Infos:

Detection

Gh0stCringe, Neshta, RunningRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Gh0stCringe

Yara detected Neshta

Yara detected RunningRAT

AI detected suspicious sample

Checks if browser processes are running

Contains functionality to detect sleep reduction / modifications

Creates a Windows Service pointing to an executable in C:\Windows

Creates an undocumented autostart registry key

Drops PE files with a suspicious file extension

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Classes Autorun Keys Modification

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

#U4ee3#U7406.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\#U4ee3#U7406.exe" MD5: B01A11449DD83A10497833B23FB0887D)

#U4ee3#U7406.exe (PID: 7648 cmdline: "C:\Users\user~1\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe" MD5: 3E1B9039148D196063AB784E4548E798)

look2.exe (PID: 7696 cmdline: C:\Users\user~1\AppData\Local\Temp\\look2.exe MD5: 2F3B6F16E33E28AD75F3FDAEF2567807)

HD_#U4ee3#U7406.exe (PID: 7748 cmdline: C:\Users\user~1\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe MD5: 8BACAD1C57463F2E403CA5656FFA129E)

svchost.exe (PID: 7712 cmdline: C:\Windows\SysWOW64\svchost.exe -k "svchcst" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

svchost.exe (PID: 7728 cmdline: C:\Windows\SysWOW64\svchost.exe -k "svchcst" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

svchcst.exe (PID: 7880 cmdline: C:\Windows\system32\svchcst.exe "c:\windows\system32\5718562.bat",MainThread MD5: 889B99C52A60DD49227C5E485A016679)

svchost.exe (PID: 7804 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
neshta	Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something."	No Attribution	https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html https://www.mandiant.com/resources/pe-file-infecting-malware-ot https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest https://www.virusradar.com/en/Win32_Neshta.A/description	https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta

Name	Description	Attribution	Blogpost URLs	Link
Running RAT	NJCCIC characterizes RunningRAT as a remote access trojan (RAT) that operates using two DLL files. When the trojan is loaded onto a system, it executes the first DLL. This is used to disable anti-malware solutions, unpack and execute the main RAT DLL, and gain persistence. The trojan installs a Windows batch file dx.bat that attempts to kill the daumcleaner.exe task, a Korean security program. The file then attempts to remove itself. Once the second DLL is loaded into memory, the first DLL overwrites the IP address for the control server to change the address the trojan communicates with. The second DLL gathers information about the victim's system, including its operating system and driver and processor information. The RAT can log user keystrokes, copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and more. The second DLL also uses several anti-bugging techniques.	No Attribution	https://hunt.io/blog/runningrat-from-remote-access-to-crypto-mining https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/	https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
#U4ee3#U7406.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
#U4ee3#U7406.exe	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
#U4ee3#U7406.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Windows\SysWOW64\5718562.bat	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Uninstall.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Uninstall.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Windows\svchost.com	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Windows\svchost.com	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Users\user\AppData\Local\Temp\look2.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Users\user\AppData\Local\Temp\look2.exe	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
C:\Users\user\AppData\Local\Temp\look2.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Users\user\AppData\Local\Temp\chrome.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Users\user\AppData\Local\Temp\chrome.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Au3Info.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Au3Info.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Au3Check.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Au3Check.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Au3Check.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Au3Check.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Users\user\AppData\Local\Temp\HD_X.dat	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
Click to see the 329 entries

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.3756117605.000000001000C000.00000004.00000001.01000000.00000007.sdmp	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
00000005.00000002.3756117605.000000001000C000.00000004.00000001.01000000.00000007.sdmp	JoeSecurity_Gh0stCringe	Yara detected Gh0stCringe	Joe Security
00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
00000008.00000002.3755940840.000000001000C000.00000004.00000001.01000000.00000007.sdmp	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
00000008.00000002.3755940840.000000001000C000.00000004.00000001.01000000.00000007.sdmp	JoeSecurity_Gh0stCringe	Yara detected Gh0stCringe	Joe Security
00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
00000000.00000002.1844064757.0000000000409000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
Process Memory Space: #U4ee3#U7406.exe PID: 7600	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
Process Memory Space: #U4ee3#U7406.exe PID: 7600	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
Process Memory Space: #U4ee3#U7406.exe PID: 7648	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
Process Memory Space: look2.exe PID: 7696	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
Process Memory Space: look2.exe PID: 7696	JoeSecurity_Gh0stCringe	Yara detected Gh0stCringe	Joe Security
Process Memory Space: svchost.exe PID: 7728	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
Process Memory Space: svchost.exe PID: 7728	JoeSecurity_Gh0stCringe	Yara detected Gh0stCringe	Joe Security
Process Memory Space: svchcst.exe PID: 7880	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
Process Memory Space: svchcst.exe PID: 7880	JoeSecurity_Gh0stCringe	Yara detected Gh0stCringe	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.svchcst.exe.10000000.1.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
8.2.svchcst.exe.10000000.1.unpack	JoeSecurity_Gh0stCringe	Yara detected Gh0stCringe	Joe Security
0.0.#U4ee3#U7406.exe.400000.0.unpack	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
0.0.#U4ee3#U7406.exe.400000.0.unpack	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
3.2.look2.exe.441158.1.unpack	JoeSecurity_Gh0stCringe	Yara detected Gh0stCringe	Joe Security
5.2.svchost.exe.10000000.0.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
5.2.svchost.exe.10000000.0.unpack	JoeSecurity_Gh0stCringe	Yara detected Gh0stCringe	Joe Security
2.3.#U4ee3#U7406.exe.3426a8b.4.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
2.3.#U4ee3#U7406.exe.283ea8b.6.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
0.3.#U4ee3#U7406.exe.20f7b77.1.raw.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
2.3.#U4ee3#U7406.exe.260aa8b.8.raw.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
2.0.#U4ee3#U7406.exe.481a63.1.raw.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
2.3.#U4ee3#U7406.exe.2b67a8b.9.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
2.2.#U4ee3#U7406.exe.481a63.1.raw.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
2.3.#U4ee3#U7406.exe.31eaa83.3.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
2.2.#U4ee3#U7406.exe.481a63.1.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
3.2.look2.exe.400000.0.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
3.2.look2.exe.400000.0.unpack	JoeSecurity_Gh0stCringe	Yara detected Gh0stCringe	Joe Security
2.0.#U4ee3#U7406.exe.481a63.1.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
2.3.#U4ee3#U7406.exe.2603a83.1.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
0.3.#U4ee3#U7406.exe.20f7b77.1.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
2.3.#U4ee3#U7406.exe.31eaa83.3.raw.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
2.3.#U4ee3#U7406.exe.260aa8b.8.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
2.3.#U4ee3#U7406.exe.3426a8b.4.raw.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
2.3.#U4ee3#U7406.exe.2603a83.1.raw.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
2.3.#U4ee3#U7406.exe.2b67a8b.9.raw.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
3.0.look2.exe.400000.0.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
2.3.#U4ee3#U7406.exe.283ea8b.6.raw.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
2.2.#U4ee3#U7406.exe.400000.0.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
2.0.#U4ee3#U7406.exe.400000.0.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: Classes Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\svchost.com "%1" %*, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\#U4ee3#U7406.exe, ProcessId: 7600, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, ParentCommandLine: "C:\Users\user\Desktop\#U4ee3#U7406.exe", ParentImage: C:\Users\user\Desktop\#U4ee3#U7406.exe, ParentProcessId: 7600, ParentProcessName: #U4ee3#U7406.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe" , ProcessId: 7648, ProcessName: #U4ee3#U7406.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\SysWOW64\svchost.exe -k "svchcst", CommandLine: C:\Windows\SysWOW64\svchost.exe -k "svchcst", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe -k "svchcst", ProcessId: 7712, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: #U4ee3#U7406.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Avira: detection malicious, Label: W32/Neshta.A

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	ReversingLabs: Detection: 100%

Multi AV Scanner detection for submitted file

Source: #U4ee3#U7406.exe

ReversingLabs: Detection: 97%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: #U4ee3#U7406.exe

Joe Sandbox ML: detected

Source: #U4ee3#U7406.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: mpextms.pdb source: mpextms.exe0.0.dr
Source:	Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source:	Binary string: rundll32.pdbGCTL source: svchost.exe, 00000005.00000003.1300930829.0000000003033000.00000004.00000020.00020000.00000000.sdmp, svchcst.exe, 00000008.00000000.1342238714.0000000000F01000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb# source: aimgr.exe0.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoev.exe.0.dr
Source:	Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
Source:	Binary string: r.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb source: aimgr.exe0.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.0.dr
Source:	Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb source: msoev.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
Source:	Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.0.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.0.dr
Source:	Binary string: lper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdb source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.0.dr
Source:	Binary string: rundll32.pdb source: svchost.exe, 00000005.00000003.1300930829.0000000003033000.00000004.00000020.00020000.00000000.sdmp, svchcst.exe, svchcst.exe, 00000008.00000000.1342238714.0000000000F01000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
Source:	Binary string: mpextms.pdbGCTL source: mpextms.exe0.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr

Spreading

Yara detected Neshta

Source: Yara match	File source: #U4ee3#U7406.exe, type: SAMPLE
Source: Yara match	File source: 0.0.#U4ee3#U7406.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1844064757.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U4ee3#U7406.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\Install\{6BB58CDD-A64E-41C8-8D92-79A516D3D118}\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00412510 FindNextFileA,FindClose,FindFirstFileA,FindClose,	2_2_00412510
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00405240 FindFirstFileA,FindClose,	2_2_00405240
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00471E54 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	2_2_00471E54
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00419320 FindFirstFileA,FindClose,	2_2_00419320
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00409630 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	2_2_00409630
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_0041E372 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	3_2_0041E372
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_0042051A FindFirstFileA,FindClose,	3_2_0042051A
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_004180E0 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	6_2_004180E0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00420F80 FindNextFileA,FindClose,FindFirstFileA,FindClose,	6_2_00420F80
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00429300 FindFirstFileA,FindClose,	6_2_00429300
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0049B634 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	6_2_0049B634

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 4x nop then sub esp, 14h	2_2_00404D12
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 4x nop then push FFFFFFFFh	6_2_00418742
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 4x nop then push FFFFFFFFh	6_2_0042B422

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe

Code function: 2_2_004242A0 ioctlsocket,recvfrom,

2_2_004242A0

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: kinh.xmcxmr.com

Source: integrator.exe.0.dr	String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ssvagent.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: armsvc.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: #U4ee3#U7406.exe, 00000000.00000002.1844004338.0000000000191000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: #U4ee3#U7406.exe, #U4ee3#U7406.exe.0.dr	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: integrator.exe.0.dr	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: integrator.exe.0.dr	String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: Aut2exe.exe.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Aut2exe.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe

Code function: 2_2_0042D340 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,

2_2_0042D340

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0042D340 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,	2_2_0042D340
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0045FB20 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	2_2_0045FB20
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0043D3C0 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,	6_2_0043D3C0

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe

Code function: 2_2_0042D4A0 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0042D4A0

Source: integrator.exe.0.dr

Binary or memory string: RegisterRawInputDevices

memstr_c414bd37-7

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00418030 IsWindowEnabled,TranslateAcceleratorA,IsChild,GetFocus,PostMessageA,PostMessageA,SendMessageA,IsChild,IsWindow,IsWindowVisible,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA,WinHelpA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow,	2_2_00418030
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_004764E3 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	2_2_004764E3
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_004749ED GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	2_2_004749ED
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_004194D0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	2_2_004194D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0042BBA0 GetKeyState,GetKeyState,GetKeyState,CopyRect,	2_2_0042BBA0
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_0041A0C9 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	3_2_0041A0C9
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_0042B165 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,	3_2_0042B165
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_0042B17A GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,	3_2_0042B17A
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_0042C5CE GetKeyState,GetKeyState,GetKeyState,	3_2_0042C5CE
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_004185D6 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,	3_2_004185D6
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_00427583 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,	3_2_00427583
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_0041CF35 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	3_2_0041CF35
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0049E1EC GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	6_2_0049E1EC
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_004294B0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	6_2_004294B0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00427790 IsWindowEnabled,TranslateAcceleratorA,IsChild,GetFocus,PostMessageA,PostMessageA,SendMessageA,IsChild,IsWindow,IsWindowVisible,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA,WinHelpA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow,	6_2_00427790
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0043BC20 GetKeyState,GetKeyState,GetKeyState,CopyRect,	6_2_0043BC20
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0049FD0E GetKeyState,GetKeyState,GetKeyState,GetKeyState,	6_2_0049FD0E

E-Banking Fraud

Checks if browser processes are running

Source: C:\Windows\SysWOW64\svchost.exe

Code function: memset,lstrlenA,strstr,lstrcpyA,CreateProcessA, Applications\iexplore.exe\shell\open\command

5_2_10003990

System Summary

Malicious sample detected (through community Yara rule)

Source: #U4ee3#U7406.exe, type: SAMPLE	Matched rule: Detects Neshta Author: ditekSHen
Source: 0.0.#U4ee3#U7406.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Windows\svchost.com, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen

Source: C:\Windows\SysWOW64\svchcst.exe	Code function: 8_2_00F05CF1 NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError,	8_2_00F05CF1
Source: C:\Windows\SysWOW64\svchcst.exe	Code function: 8_2_00F040B1 NtQuerySystemInformation,	8_2_00F040B1
Source: C:\Windows\SysWOW64\svchcst.exe	Code function: 8_2_00F05D6A NtOpenProcessToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose,	8_2_00F05D6A
Source: C:\Windows\SysWOW64\svchcst.exe	Code function: 8_2_00F04136 HeapSetInformation,NtSetInformationProcess,AttachConsole,LocalAlloc,LoadLibraryExW,GetProcAddress,SetErrorMode,DestroyWindow,FreeLibrary,LocalFree,DeactivateActCtx,ReleaseActCtx,FreeLibrary,LocalFree,FreeConsole,ExitProcess,	8_2_00F04136
Source: C:\Windows\SysWOW64\svchcst.exe	Code function: 8_2_00F05911 PathIsRelativeW,RtlSetSearchPathMode,SearchPathW,GetFileAttributesW,CreateActCtxW,CreateActCtxWWorker,CreateActCtxWWorker,CreateActCtxWWorker,GetModuleHandleW,CreateActCtxWWorker,ActivateActCtx,SetWindowLongW,GetWindowLongW,GetWindow,memset,GetClassNameW,CompareStringW,GetWindow,GetWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	8_2_00F05911

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_10002760 OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,

5_2_10002760

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_100027E0 LoadLibraryA,GetProcAddress,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,WTSGetActiveConsoleSessionId,SetTokenInformation,CreateProcessAsUserA,CloseHandle,CloseHandle,FreeLibrary,

5_2_100027E0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_100032D0 ExitWindowsEx,

5_2_100032D0

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Windows\svchost.com	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	File created: C:\Windows\SysWOW64\5718562.bat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	File created: C:\Windows\SysWOW64\ini.ini	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Windows\SysWOW64\svchcst.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00414010	2_2_00414010
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_004480A0	2_2_004480A0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0043E112	2_2_0043E112
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0045C1F0	2_2_0045C1F0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0044C211	2_2_0044C211
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_004582E0	2_2_004582E0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0045E340	2_2_0045E340
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0044C3C4	2_2_0044C3C4
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0045A500	2_2_0045A500
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_004485E0	2_2_004485E0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0045266E	2_2_0045266E
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0043E670	2_2_0043E670
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0044C63E	2_2_0044C63E
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_004446D0	2_2_004446D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0045C770	2_2_0045C770
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00422730	2_2_00422730
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_004107B0	2_2_004107B0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_004528BE	2_2_004528BE
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_004449E0	2_2_004449E0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0044CA70	2_2_0044CA70
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00412B20	2_2_00412B20
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0044AD10	2_2_0044AD10
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00458D80	2_2_00458D80
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00444E10	2_2_00444E10
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00462E30	2_2_00462E30
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0044CF40	2_2_0044CF40
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_004490A0	2_2_004490A0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0043B150	2_2_0043B150
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0044D170	2_2_0044D170
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_004533D0	2_2_004533D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0043B480	2_2_0043B480
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0044B550	2_2_0044B550
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0043B610	2_2_0043B610
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0041B780	2_2_0041B780
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00453870	2_2_00453870
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0043D87B	2_2_0043D87B
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00449890	2_2_00449890
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00435A50	2_2_00435A50
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0044BA69	2_2_0044BA69
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0043FA80	2_2_0043FA80
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00437BD0	2_2_00437BD0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00419B90	2_2_00419B90
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0043DBAD	2_2_0043DBAD
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0044DBB0	2_2_0044DBB0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0046DCFF	2_2_0046DCFF
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00473C8E	2_2_00473C8E
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0044BF26	2_2_0044BF26
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00469F86	2_2_00469F86
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00427FA0	2_2_00427FA0
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_0040E1B4	3_2_0040E1B4
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_004173D0	3_2_004173D0
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_00412B2A	3_2_00412B2A
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_0041BF41	3_2_0041BF41
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_10004320	5_2_10004320
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00476010	6_2_00476010
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00438020	6_2_00438020
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_004580F0	6_2_004580F0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0044E102	6_2_0044E102
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0046C250	6_2_0046C250
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0045C261	6_2_0045C261
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00468330	6_2_00468330
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0046E3A0	6_2_0046E3A0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0045C414	6_2_0045C414
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00476430	6_2_00476430
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0046A560	6_2_0046A560
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0044E660	6_2_0044E660
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00458630	6_2_00458630
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0045C68E	6_2_0045C68E
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_004626BE	6_2_004626BE
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00454720	6_2_00454720
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_004327D0	6_2_004327D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0046C7D0	6_2_0046C7D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0046290E	6_2_0046290E
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00454A30	6_2_00454A30
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0045CAC0	6_2_0045CAC0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00422A80	6_2_00422A80
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0045AD60	6_2_0045AD60
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00468DD0	6_2_00468DD0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00492D96	6_2_00492D96
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00454E60	6_2_00454E60
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00484E10	6_2_00484E10
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00496E85	6_2_00496E85
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0045CF90	6_2_0045CF90
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_004590F0	6_2_004590F0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0044B140	6_2_0044B140
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0045D1C0	6_2_0045D1C0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0041F220	6_2_0041F220
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00485320	6_2_00485320
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0044B470	6_2_0044B470
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00463420	6_2_00463420
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0049D488	6_2_0049D488
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00421590	6_2_00421590
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0045B5A0	6_2_0045B5A0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0044B600	6_2_0044B600
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0042B860	6_2_0042B860
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_004638C0	6_2_004638C0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_004598E0	6_2_004598E0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0048B920	6_2_0048B920
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_004859E0	6_2_004859E0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_004799B0	6_2_004799B0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0044FA70	6_2_0044FA70
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0045BAB9	6_2_0045BAB9
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00429B70	6_2_00429B70
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00445B20	6_2_00445B20
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00479BE0	6_2_00479BE0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0044DB9D	6_2_0044DB9D
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00447C70	6_2_00447C70
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0045DC00	6_2_0045DC00
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0045BF76	6_2_0045BF76

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\AutoIt3\Au3Check.exe 6AB1464D7BA02FA63FDDFAF5295237352F14F7AF63E443E55D3FFB68A304C304

Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: String function: 0048D118 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: String function: 00454160 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: String function: 0049C548 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: String function: 00453EE0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: String function: 00453D50 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: String function: 0040A334 appears 218 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: String function: 00472D4F appears 44 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: String function: 00443E90 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: String function: 00444110 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: String function: 0046295B appears 41 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: String function: 00443D00 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: String function: 004642C8 appears 91 times

Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefreeeim.exe vs #U4ee3#U7406.exe
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002147000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGradualChange.EXEF vs #U4ee3#U7406.exe
Source: #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamefreeeim.exe vs #U4ee3#U7406.exe
Source: #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGradualChange.EXEF vs #U4ee3#U7406.exe
Source: #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefreeeim.exe vs #U4ee3#U7406.exe
Source: #U4ee3#U7406.exe, 00000002.00000003.1305160853.000000000323A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGradualChange.EXEF vs #U4ee3#U7406.exe
Source: #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefreeeim.exe vs #U4ee3#U7406.exe
Source: #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefreeeim.exe vs #U4ee3#U7406.exe
Source: #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefreeeim.exe vs #U4ee3#U7406.exe
Source: #U4ee3#U7406.exe, 00000002.00000000.1297884455.00000000004D1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameGradualChange.EXEF vs #U4ee3#U7406.exe
Source: #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefreeeim.exe vs #U4ee3#U7406.exe
Source: #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefreeeim.exe vs #U4ee3#U7406.exe
Source: #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamefreeeim.exe vs #U4ee3#U7406.exe
Source: #U4ee3#U7406.exe	Binary or memory string: OriginalFilenamefreeeim.exe vs #U4ee3#U7406.exe
Source: #U4ee3#U7406.exe	Binary or memory string: OriginalFilenameGradualChange.EXEF vs #U4ee3#U7406.exe
Source: #U4ee3#U7406.exe.0.dr	Binary or memory string: OriginalFilenamefreeeim.exe vs #U4ee3#U7406.exe
Source: #U4ee3#U7406.exe.0.dr	Binary or memory string: OriginalFilenameGradualChange.EXEF vs #U4ee3#U7406.exe

Source: #U4ee3#U7406.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: #U4ee3#U7406.exe, type: SAMPLE	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: 0.0.#U4ee3#U7406.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Windows\svchost.com, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta

Source: MpCmdRun.exe0.0.dr

Binary string: IdImageFileNameFirst Resource TypeTypeScan SourceFirst Resource PathEngineIdResource CountReasonProcessMessagePIDStartStopDataIsSignedFile\Device\\\?\\FI_UNKNOWN\drivers\error: invalid data: System Windows path changed during the trace from "%ls" to "%ls"

Source: classification engine

Classification label: mal100.spre.bank.troj.evad.winEXE@12/171@10/1

Source: C:\Windows\SysWOW64\svchcst.exe

Code function: 8_2_00F03C66 LoadLibraryExW,GetLastError,FormatMessageW,RtlImageNtHeader,SetProcessMitigationPolicy,

8_2_00F03C66

Source: C:\Users\user\AppData\Local\Temp\look2.exe

Code function: 3_2_00421104 __EH_prolog,GetDiskFreeSpaceA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,

3_2_00421104

Source: C:\Windows\SysWOW64\svchost.exe

Code function: OpenSCManagerA,_local_unwind2,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,wsprintfA,StartServiceA,

5_2_10002310

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe

Code function: 2_2_0045ED20 FindWindowA,GetWindowThreadProcessId,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,TerminateProcess,

2_2_0045ED20

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe

Code function: 2_2_0045E790 SHGetFileInfoA,CoCreateInstance,lstrlenA,

2_2_0045E790

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe

Code function: 2_2_004724DC __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,

2_2_004724DC

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_10002310 OpenSCManagerA,_local_unwind2,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,wsprintfA,StartServiceA,

5_2_10002310

Source: C:\Windows\SysWOW64\svchcst.exe

Mutant created: \Sessions\1\BaseNamedObjects\kinh.xmcxmr.com:442:svchcst

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe

File created: C:\Users\user~1\AppData\Local\Temp\3582-490

Jump to behavior

Source: C:\Windows\SysWOW64\svchcst.exe	Command line argument: WLDP.DLL		8_2_00F04136
Source: C:\Windows\SysWOW64\svchcst.exe	Command line argument: localserver		8_2_00F04136

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: integrator.exe.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: #U4ee3#U7406.exe

ReversingLabs: Detection: 97%

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe

File read: C:\Users\user\Desktop\#U4ee3#U7406.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#U4ee3#U7406.exe "C:\Users\user\Desktop\#U4ee3#U7406.exe"
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe "C:\Users\user~1\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process created: C:\Users\user\AppData\Local\Temp\look2.exe C:\Users\user~1\AppData\Local\Temp\\look2.exe
Source: unknown	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k "svchcst"
Source: unknown	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k "svchcst"
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe C:\Users\user~1\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchcst.exe C:\Windows\system32\svchcst.exe "c:\windows\system32\5718562.bat",MainThread
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe "C:\Users\user~1\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process created: C:\Users\user\AppData\Local\Temp\look2.exe C:\Users\user~1\AppData\Local\Temp\\look2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe C:\Users\user~1\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchcst.exe C:\Windows\system32\svchcst.exe "c:\windows\system32\5718562.bat",MainThread	Jump to behavior

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: w32time.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\look2.exe

File written: C:\Windows\SysWOW64\ini.ini

Jump to behavior

Source: #U4ee3#U7406.exe

Static file information: File size 2282014 > 1048576

Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: mpextms.pdb source: mpextms.exe0.0.dr
Source:	Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source:	Binary string: rundll32.pdbGCTL source: svchost.exe, 00000005.00000003.1300930829.0000000003033000.00000004.00000020.00020000.00000000.sdmp, svchcst.exe, 00000008.00000000.1342238714.0000000000F01000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb# source: aimgr.exe0.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoev.exe.0.dr
Source:	Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
Source:	Binary string: r.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb source: aimgr.exe0.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.0.dr
Source:	Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb source: msoev.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
Source:	Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.0.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.0.dr
Source:	Binary string: lper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdb source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.0.dr
Source:	Binary string: rundll32.pdb source: svchost.exe, 00000005.00000003.1300930829.0000000003033000.00000004.00000020.00020000.00000000.sdmp, svchcst.exe, svchcst.exe, 00000008.00000000.1342238714.0000000000F01000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
Source:	Binary string: mpextms.pdbGCTL source: mpextms.exe0.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe

Code function: 2_2_00411DA0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

2_2_00411DA0

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_004642C8 push eax; ret	2_2_004642E6
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00462300 push eax; ret	2_2_0046232E
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_0040A334 push eax; ret	3_2_0040A352
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_0040AFB0 push eax; ret	3_2_0040AFDE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_100094C0 push eax; ret	5_2_100094EE
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0048ADE0 push eax; ret	6_2_0048AE0E
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0048D118 push eax; ret	6_2_0048D136
Source: C:\Windows\SysWOW64\svchcst.exe	Code function: 8_2_00F06883 push ecx; ret	8_2_00F06896
Source: C:\Windows\SysWOW64\svchcst.exe	Code function: 8_2_00F0682D push ecx; ret	8_2_00F06840

Persistence and Installation Behavior

Yara detected Neshta

Source: Yara match	File source: #U4ee3#U7406.exe, type: SAMPLE
Source: Yara match	File source: 0.0.#U4ee3#U7406.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1844064757.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U4ee3#U7406.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED

Creates a Windows Service pointing to an executable in C:\Windows

Source: C:\Users\user\AppData\Local\Temp\look2.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters ServiceDll C:\Windows\system32\5718562.bat

Jump to behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe			Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe			Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\svchost.exe

Executable created and started: C:\Windows\SysWOW64\svchcst.exe

Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\Install\{6BB58CDD-A64E-41C8-8D92-79A516D3D118}\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\look2.exe	File created: C:\Windows\SysWOW64\5718562.bat	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Windows\svchost.com	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Windows\SysWOW64\svchcst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	File created: C:\Users\user\AppData\Local\Temp\HD_X.dat	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Google\Update\Install\{6BB58CDD-A64E-41C8-8D92-79A516D3D118}\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	File created: C:\Users\user\AppData\Local\Temp\look2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	File created: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\look2.exe	File created: C:\Windows\SysWOW64\5718562.bat	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\Windows\svchost.com	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Windows\SysWOW64\svchcst.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\look2.exe

File created: C:\Windows\SysWOW64\5718562.bat

Jump to dropped file

Boot Survival

Yara detected Neshta

Source: Yara match	File source: #U4ee3#U7406.exe, type: SAMPLE
Source: Yara match	File source: 0.0.#U4ee3#U7406.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1844064757.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U4ee3#U7406.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\look2.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchcst

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_10002310 OpenSCManagerA,_local_unwind2,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,wsprintfA,StartServiceA,

5_2_10002310

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_004107B0 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus,	2_2_004107B0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00460970 IsIconic,GetWindowPlacement,GetWindowRect,	2_2_00460970
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00419220 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow,	2_2_00419220
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_0042B21D IsWindowVisible,IsIconic,	3_2_0042B21D
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_00415330 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA,	3_2_00415330
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_004266D6 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,	3_2_004266D6
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_00414B80 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC,	3_2_00414B80
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_00421D44 GetParent,GetParent,GetParent,IsIconic,	3_2_00421D44
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_00402DAB IsIconic,GetWindowPlacement,GetWindowRect,	3_2_00402DAB
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00424590 DestroyCursor,IsWindowVisible,IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMenu,DeleteMenu,GetSystemMenu,	6_2_00424590
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00428980 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow,	6_2_00428980
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00424C60 IsIconic,IsZoomed,	6_2_00424C60
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0041F220 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus,	6_2_0041F220
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00489430 IsIconic,GetWindowPlacement,GetWindowRect,	6_2_00489430

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_10006B50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_10006B50

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_10004DA0

5_2_10004DA0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: malloc,malloc,GetAdaptersInfo,free,malloc,GetAdaptersInfo,free,

5_2_100041C0

Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 2766			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 7232			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Windows\svchost.com	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\HD_X.dat	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\look2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{6BB58CDD-A64E-41C8-8D92-79A516D3D118}\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	API coverage: 4.3 %
Source: C:\Users\user\AppData\Local\Temp\look2.exe	API coverage: 2.7 %
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	API coverage: 4.4 %

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_10004DA0

5_2_10004DA0

Source: C:\Windows\SysWOW64\svchost.exe TID: 7744	Thread sleep count: 2766 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7744	Thread sleep time: -2766000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7744	Thread sleep count: 7232 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7744	Thread sleep time: -7232000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe TID: 7896	Thread sleep count: 83 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchcst.exe TID: 7896	Thread sleep time: -83000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00412510 FindNextFileA,FindClose,FindFirstFileA,FindClose,	2_2_00412510
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00405240 FindFirstFileA,FindClose,	2_2_00405240
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00471E54 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	2_2_00471E54
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00419320 FindFirstFileA,FindClose,	2_2_00419320
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_00409630 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	2_2_00409630
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_0041E372 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	3_2_0041E372
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_0042051A FindFirstFileA,FindClose,	3_2_0042051A
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_004180E0 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	6_2_004180E0
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00420F80 FindNextFileA,FindClose,FindFirstFileA,FindClose,	6_2_00420F80
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_00429300 FindFirstFileA,FindClose,	6_2_00429300
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_0049B634 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	6_2_0049B634

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_10003F10 GetSystemInfo,wsprintfA,

5_2_10003F10

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior

Source: svchcst.exe, 00000008.00000002.3755389070.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: svchost.exe, 00000007.00000002.3755590927.00000181DDC2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	API call chain: ExitProcess graph end node			graph_2-50582
Source: C:\Windows\SysWOW64\svchcst.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchcst.exe

Code function: 8_2_00F05E4F LdrResolveDelayLoadedAPI,

8_2_00F05E4F

Source: C:\Windows\SysWOW64\svchcst.exe

Code function: 8_2_00F025B2 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

8_2_00F025B2

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe

Code function: 2_2_00411DA0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

2_2_00411DA0

Source: C:\Windows\SysWOW64\svchcst.exe

Code function: 8_2_00F03F6B mov esi, dword ptr fs:[00000030h]

8_2_00F03F6B

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe

Code function: 2_2_004368B0 GetProcessHeap,OleInitialize,GetModuleFileNameA,SetCurrentDirectoryA,LoadCursorA,GetStockObject,GetCurrentThreadId,

2_2_004368B0

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0046C9A2 SetUnhandledExceptionFilter,	2_2_0046C9A2
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe	Code function: 2_2_0046C9B4 SetUnhandledExceptionFilter,	2_2_0046C9B4
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_0040F826 SetUnhandledExceptionFilter,	3_2_0040F826
Source: C:\Users\user\AppData\Local\Temp\look2.exe	Code function: 3_2_0040F838 SetUnhandledExceptionFilter,	3_2_0040F838
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_004962ED SetUnhandledExceptionFilter,	6_2_004962ED
Source: C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe	Code function: 6_2_004962FF SetUnhandledExceptionFilter,	6_2_004962FF
Source: C:\Windows\SysWOW64\svchcst.exe	Code function: 8_2_00F061C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00F061C0
Source: C:\Windows\SysWOW64\svchcst.exe	Code function: 8_2_00F06510 SetUnhandledExceptionFilter,	8_2_00F06510

HIPS / PFW / Operating System Protection Evasion

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe			Jump to dropped file
Source: C:\Users\user\Desktop\#U4ee3#U7406.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe			Jump to dropped file

Source: C:\Windows\SysWOW64\svchost.exe

Code function: CreateToolhelp32Snapshot,Process32First,_strcmpi,OpenProcess,TerminateProcess,_strcmpi,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe

5_2_10003C80

Source: C:\Users\user\Desktop\#U4ee3#U7406.exe

Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe "C:\Users\user~1\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe"

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe

Code function: 2_2_00463730 GetLocalTime,GetSystemTime,GetTimeZoneInformation,

2_2_00463730

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe

Code function: 2_2_0046CC1C GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

2_2_0046CC1C

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe

Code function: 2_2_0047B8B2 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,

2_2_0047B8B2

Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: acs.exe
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: vsserv.exe
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: avcenter.exe
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: kxetray.exe
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: avp.exe
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: cfp.exe
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: KSafeTray.exe
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: rtvscan.exe
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: 360tray.exe
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: ashDisp.exe
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: TMBMSRV.exe
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: avgwdsvc.exe
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: AYAgent.aye
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: RavMonD.exe
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: Mcshield.exe
Source: #U4ee3#U7406.exe, 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, #U4ee3#U7406.exe, 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, look2.exe, 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected Gh0stCringe

Source: Yara match	File source: 8.2.svchcst.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.look2.exe.441158.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.look2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3756117605.000000001000C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3755940840.000000001000C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: look2.exe PID: 7696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchcst.exe PID: 7880, type: MEMORYSTR

Yara detected Neshta

Source: Yara match	File source: #U4ee3#U7406.exe, type: SAMPLE
Source: Yara match	File source: 0.0.#U4ee3#U7406.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1844064757.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U4ee3#U7406.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED

Yara detected RunningRAT

Source: Yara match	File source: #U4ee3#U7406.exe, type: SAMPLE
Source: Yara match	File source: 8.2.svchcst.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.3426a8b.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.283ea8b.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.#U4ee3#U7406.exe.20f7b77.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.260aa8b.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.#U4ee3#U7406.exe.481a63.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.2b67a8b.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.#U4ee3#U7406.exe.481a63.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.31eaa83.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.#U4ee3#U7406.exe.481a63.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.look2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.#U4ee3#U7406.exe.481a63.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.2603a83.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.#U4ee3#U7406.exe.20f7b77.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.31eaa83.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.260aa8b.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.3426a8b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.2603a83.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.2b67a8b.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.look2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.283ea8b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.#U4ee3#U7406.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.#U4ee3#U7406.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3756117605.000000001000C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3755940840.000000001000C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U4ee3#U7406.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: #U4ee3#U7406.exe PID: 7648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: look2.exe PID: 7696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchcst.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\SysWOW64\5718562.bat, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\HD_X.dat, type: DROPPED

Remote Access Functionality

Yara detected Gh0stCringe

Source: Yara match	File source: 8.2.svchcst.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.look2.exe.441158.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.look2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3756117605.000000001000C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3755940840.000000001000C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: look2.exe PID: 7696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchcst.exe PID: 7880, type: MEMORYSTR

Yara detected RunningRAT

Source: Yara match	File source: #U4ee3#U7406.exe, type: SAMPLE
Source: Yara match	File source: 8.2.svchcst.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.3426a8b.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.283ea8b.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.#U4ee3#U7406.exe.20f7b77.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.260aa8b.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.#U4ee3#U7406.exe.481a63.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.2b67a8b.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.#U4ee3#U7406.exe.481a63.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.31eaa83.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.#U4ee3#U7406.exe.481a63.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.look2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.#U4ee3#U7406.exe.481a63.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.2603a83.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.#U4ee3#U7406.exe.20f7b77.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.31eaa83.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.260aa8b.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.3426a8b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.2603a83.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.2b67a8b.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.look2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.#U4ee3#U7406.exe.283ea8b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.#U4ee3#U7406.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.#U4ee3#U7406.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3756117605.000000001000C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3755940840.000000001000C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U4ee3#U7406.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: #U4ee3#U7406.exe PID: 7648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: look2.exe PID: 7696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchcst.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\SysWOW64\5718562.bat, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\look2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\HD_X.dat, type: DROPPED

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_100078D0 socket,bind,getsockname,inet_addr,		5_2_100078D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_100073B0 socket,htons,bind,closesocket,listen,closesocket,getsockname,htons,CreateThread,CreateThread,CreateThread,		5_2_100073B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Service Execution	132 Windows Service	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	5 System Information Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	132 Windows Service	1 DLL Side-Loading	NTDS	241 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	22 Process Injection	33 Masquerading	LSA Secrets	1 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 Valid Accounts	Cached Domain Credentials	12 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	11 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	22 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
#U4ee3#U7406.exe	97%	ReversingLabs	Win32.Virus.Neshta
#U4ee3#U7406.exe	100%	Avira	W32/Neshta.A
#U4ee3#U7406.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Au3Info.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	97%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Uninstall.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	97%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	100%	ReversingLabs	Win32.Virus.Neshta

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kinh.xmcxmr.com	127.0.0.1	true	false		high
time.windows.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.eyuyan.com)DVarFileInfo$	#U4ee3#U7406.exe, #U4ee3#U7406.exe.0.dr	false	high
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	integrator.exe.0.dr	false	high
http://www.autoitscript.com/autoit3/8	Aut2exe.exe.0.dr	false	high
http://nsis.sf.net/NSIS_ErrorError	#U4ee3#U7406.exe, 00000000.00000002.1844004338.0000000000191000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.0.dr	false	high
http://www.autoitscript.com/autoit3/	Aut2exe.exe.0.dr	false	high
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith	msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr	false	high
https://www.autoitscript.com/autoit3/	Aut2exe.exe.0.dr	false	high
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff	msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560005
Start date and time:	2024-11-21 09:39:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	#U4ee3#U7406.exe renamed because original name is a hash value
Original Sample Name:	.exe
Detection:	MAL
Classification:	mal100.spre.bank.troj.evad.winEXE@12/171@10/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 49 Number of non-executed functions: 286
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 20.101.57.9
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: #U4ee3#U7406.exe

Simulations

Behavior and APIs

Time	Type	Description
05:13:57	API Interceptor	8943552x Sleep call for process: svchost.exe modified
05:15:09	API Interceptor	52x Sleep call for process: svchcst.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\AutoIt3\Au3Check.exe	Ovtc3T3fD8.exe	Get hash	malicious	INC Ransomware, Neshta	Browse
	a.hta	Get hash	malicious	DarkComet, DarkTortilla, Neshta	Browse
	win.exe	Get hash	malicious	Lynx, Neshta	Browse
	bWrRSlOThY.exe	Get hash	malicious	AsyncRAT, Neshta	Browse
	ex - k.exe	Get hash	malicious	Neshta	Browse
	DefenderControl.exe	Get hash	malicious	Neshta	Browse
	KaUsrTsk.exe	Get hash	malicious	Neshta	Browse
	LfZoUaTFP7.exe	Get hash	malicious	Neshta, XRed	Browse
	TQ1Aw6M5eY.exe	Get hash	malicious	Neshta, XRed	Browse
	rfQ3afwShz.exe	Get hash	malicious	AsyncRAT, Neshta, PureLog Stealer, RedLine	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	275560
Entropy (8bit):	6.2970746701197715
Encrypted:	false
SSDEEP:	3072:sr85CqP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0BwOvOIXM:k9q4VQjVsxyItKQNhigibKCM
MD5:	C5611345B2807155BF89ECA90379AB14
SHA1:	03A0F7BD2A50895DF6A9311DB3E5C58B574E1BA3
SHA-256:	6AB1464D7BA02FA63FDDFAF5295237352F14F7AF63E443E55D3FFB68A304C304
SHA-512:	18C164973DE987AD9ED1CFCB2AE5557238692B5C50E0F8B8DCECF0B11B2DADBA6C0B5990C532AE8DB578F04BD1CAB3086C78493866C8B989A41DD6251693CA98
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Joe Sandbox View:	Filename: Ovtc3T3fD8.exe, Detection: malicious, Browse Filename: a.hta, Detection: malicious, Browse Filename: win.exe, Detection: malicious, Browse Filename: bWrRSlOThY.exe, Detection: malicious, Browse Filename: ex - k.exe, Detection: malicious, Browse Filename: DefenderControl.exe, Detection: malicious, Browse Filename: KaUsrTsk.exe, Detection: malicious, Browse Filename: LfZoUaTFP7.exe, Detection: malicious, Browse Filename: TQ1Aw6M5eY.exe, Detection: malicious, Browse Filename: rfQ3afwShz.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	217704
Entropy (8bit):	6.606010943993646
Encrypted:	false
SSDEEP:	3072:sr85CFxFVaK4T6fWSlXe0lJQafeyrR0kr/yh5DEU/Pk13TfwqiTP0McBUNnUxTtM:k9P2K4TSFo5Y683TdiQMcGNUl4N
MD5:	D103610D5A97A461DE47D79EBC364E23
SHA1:	B7AC0C939E39117C2FA939D47322A8B9FAF5AD0D
SHA-256:	6CF772752F25B150052F17600F5D08876E87FCAF774CE834A896688B1836BFD7
SHA-512:	97A467B62C96BF51CC5904B1EF1CB0D416364B2C835A326BFE7F5357823B07F5541C8DF5AD2195583ED108B90E5EDF820E2C3CAD42CFAA5FB67BF8CC1B9026E2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Reputation:	moderate, very likely benign file
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	237160
Entropy (8bit):	6.441042873341931
Encrypted:	false
SSDEEP:	3072:sr85CuyRnuBGwl/1Gc9QnvGqyWQ93kr/yh5DEU/P5kP0zU35iuvQBUeGMLu:k9tl3wdYtcH9b5Y651zU77Ea
MD5:	3256A5B6BEBFC57A3CC7C74801B06B57
SHA1:	7AEFDEDF3B79F68884A780082FC12AF565FE80DA
SHA-256:	A2791E10861628C1AC263A540A6D575275F9E3E22A31BB62AB1320EAAED0C982
SHA-512:	111928B9435B7F6721919E58C3248E985C1FA76EB2E9C18559374847C6B8F54499BE6FDA36724F568384A32F1E4D91EC6F0A51ABECFE585740CE1916E5205B09
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1675872
Entropy (8bit):	7.455008835300499
Encrypted:	false
SSDEEP:	24576:LC51xB6B9YNgqe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+l:sK0eqkSR7Xgo4TiRPnLWvJY
MD5:	3E25798A6593021C594E9B0F5E4D1CC0
SHA1:	0F412F338A8323C62D21606629B121DDC5A11C2F
SHA-256:	4ED44421F087BC78474EE5512BC85FDF8602D651C144CC97449C332E19B07C10
SHA-512:	ABAF3628ADB6C48F606DFE67EB777EB3C2B5D3E635996E6E673E3183ACC766A5E0341F1FB79436268DCF0FFF6889F997A77344CC39CC65D06248ADE8A9F43991
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1841760
Entropy (8bit):	7.348031538890329
Encrypted:	false
SSDEEP:	24576:5EeK2NocwiN/jc41p3qp11JsqbhOUe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+i:rfYP1JsEDkSR7Xgo4TiRPnLWvJD
MD5:	A80324ADD872CA0150B9A23F0FE412D0
SHA1:	D8B4074235B24DB9B9238FE7985C4D0A909297E1
SHA-256:	6BB5BB976CDDCA2A12E007B6B65E675990ABE3819906069DD6DB5867C0AFD943
SHA-512:	BC1AE9D3976F210F161EE1B8E43698C9B717E216B3E35F6E15C7D38FE5D82DEFB843104B0FBEF56842E7B10CF50DFE2206F7E5C2117AFF0D99AB7B4EE7708915
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346624
Entropy (8bit):	7.904139028422803
Encrypted:	false
SSDEEP:	6144:k9ypXDXz7yIrozs0WuNd3ojusBdgnNW6r4F53ttuGENGFdVCLEYnPO1D7YYoSyZV:V9zGImAjJdcH4j3ttzFdVCLNSfHoSWCG
MD5:	4D2A6099D369E478E6B97ECA38DF66FF
SHA1:	F8A2EFB513BC22A550E1DAADB7765D3691795D05
SHA-256:	E8657C5096C1D6059D7862D842C93EE9D7C16331EFBEC02C99BECA1ACEF0E4D7
SHA-512:	7BC01CBF7A591AAC71439A126940D1374B6BB49A3109651EB9525026EAB22AD70558FFB8723838C33830467D1B7DBE72E76BA84925BFECD405E10B83FFDF8A45
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	165976
Entropy (8bit):	6.142151879298232
Encrypted:	false
SSDEEP:	3072:sr85C54kvQ4gXIRSG+7IJqC3CJyoDjpBnjkP0XGx2SYg+b/Q+y1s3:k96nGZLknnj1X62SYdb4I
MD5:	DC83EC579923AE57218540FC07BF2040
SHA1:	E66D11E9A1E1C5FAD6A6D7B3F4ABDEB1A446A873
SHA-256:	13E946747F9CD00EC7347780C1D0887C22EE43B8677337B32B0C9CA8070E09B5
SHA-512:	3990D01D0B492961B1F15A15BA12E0213A5C5B72D5B2809B2A58BFF6A2AB2C37058540D8C9F8E5524FA6EBBE72A0BEB1317AA07D06E8D326DCC234EF4F82CC13
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1113176
Entropy (8bit):	6.4474669878621365
Encrypted:	false
SSDEEP:	24576:wTC6Rb6qu1PyC+NRLtpScpzbtT7pyOolKL8Sq/jrc5xaNIBg:w+6AqSPyC+NltpScpzbtvpJoMQSq/jrL
MD5:	17047620C59D9FE748AA05010D507AC9
SHA1:	5B0D5B70529A435FF5BC75376B472393485C9871
SHA-256:	C539E191A88228427976838CDBEC85CCDBD82540544615055E8F91BE803568D5
SHA-512:	21EE706E62D205C09602EDAC232878743F46EEDDF76CD6625926F7C64E89AB27883497A1785D31D8D354E0F20C05C39F39566F6505450B9DB47D057FD7E5BAA1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2414080
Entropy (8bit):	6.729178086017267
Encrypted:	false
SSDEEP:	49152:3EGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL8:U4OEtwiICvYMpfc
MD5:	249BBE06632E2A230917599D7E07C3B0
SHA1:	E61C25BBEBA924006CA9DCED18549C72856FC205
SHA-256:	A232299F45362340795849140E955B1FE202928E21FF5BB016A03471C80A2FA3
SHA-512:	537050319C5BC05A3DF9A5629CAD25FC2CD4A28078CF6932C0434F5FF135653300D90030D1F097607FD7257130D70A91B7235AAD82A07199891C25E8EE5DD8B1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\AutoIt3\Uninstall.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	113233
Entropy (8bit):	6.788395365702366
Encrypted:	false
SSDEEP:	3072:sr85CWCrNGEtajbefY/TU9fE9PEtuGCrK:k9WCrAEt+cYa6YCrK
MD5:	BA9FF8A299799820F7252C401EA47ECB
SHA1:	D8123BDB9E57F1364E304209F149360880F26C3F
SHA-256:	6938E7E71C8AB309A57D7C7C2B764F888AD6A9B8807200E573CA6B7183B11FF6
SHA-512:	A62D6818EFB2FAAE9012377319277B7E8F31FD32326EFE1011D1D874006B3C6020DC3F4DE429B9DD4F4B137E2954A0469DEF997692BA72DF21AFC0F6B505C54B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	409608
Entropy (8bit):	6.462760862163708
Encrypted:	false
SSDEEP:	6144:k9hvqF1Ged2RYbguEuFuTkdj+zRGa7JkjrXyPyMMWvpBVOaqahUqjAGT:LbgvuFuQdj+zRTJkX8yMhB3jhBAi
MD5:	1641D233388AEAE9D77CFC976D5427FD
SHA1:	C33533FCDC02E6255A1863102038C961E82BFD63
SHA-256:	D996D5C70C926BD6265607C6536C2B575427F11046E5FCA5AC32768E2AE81EF6
SHA-512:	A959BC2A3F6A96EC44EE1F58A0E5C6D791158D4935DE8357091A273F2120993438B4883A9C919824F7C6D91462F7B97C7BAA6B3AF4829B63204A5135D4895CDD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	214512
Entropy (8bit):	6.4940889932550885
Encrypted:	false
SSDEEP:	3072:sr85CxGnUI/9FXK4+PoSZSb5qURwubvvnzdl1CkTlxAenDl3SoxceC76JNKjzDI5:k9xGUcsvZZvUmubv7hTHA8l3yROJyDI5
MD5:	BB00882A877F34EF5C0FB4FEEFE0C351
SHA1:	79B64FE2910FF50820B0C83BD52857ADBAEE5AC2
SHA-256:	45E860894975F6F06D453668E5A4BC99A9C9F20E1D10B29C889280C03FBD6174
SHA-512:	C7EBBA30720AE9482D889C27A7434328D098A66CC08BFD6A4F96B92C7799FB6E3784BD63BA00E5C03F168D45B164DAB8953042AAF1D9450452C217A9C724AAB9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	568400
Entropy (8bit):	6.67410873638024
Encrypted:	false
SSDEEP:	12288:pyvTCXdXikLj2jR7trg6Qi3vYsKTU00vq:pyyLj8trn3wsq0vq
MD5:	4742CA122FBE7E689F0AB4DCE9507986
SHA1:	5DF6FDFA6E97A57A4F957EEB4520BA378F850B16
SHA-256:	D91AA424DAFC703F0DD4173FDFAF017F8203D42F78E2219C21714E81F740991B
SHA-512:	0643D24C897A268C2537F0EA885AB7C1263E1648AEE3350521C04695ABAABC2908C5A1F262C17A6918C30608D40D1B61A5EE9A0BB027BDFF9D8D6FA7AFA7996F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1252432
Entropy (8bit):	6.763931251276611
Encrypted:	false
SSDEEP:	24576:R0n7Ubxk/uRvJqLGJLQ4a56duA/85RkV4l7/ZeoMOp:S4iwwGJra0uAUfkVy7/ZX
MD5:	B248EF0A955B4F85B13A4F2039C4F757
SHA1:	B48E6437A4D0998F47606660AE97BAD147D2E873
SHA-256:	E46F55F9E2C74FD3E46A67DA5CB29EB2458ABCF8134D2E447AE91F408B5CD3DD
SHA-512:	EE58707EF36F8E0499CD45C985A91390241064F07CFB1F74B2F5AF1270631C5DB34A9F517F89C45EADF9D8914301C24A80359C22589934C98716E472AC21AB50
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	790096
Entropy (8bit):	6.746361102520175
Encrypted:	false
SSDEEP:	12288:/MvcR0D0B6PyxoxIlZwM+R6R4uFjs1Z7FMN0TzJqccvbXkN58AuimIh:TR0gB6axoCfyR6RLQRF/TzJqe58BimIh
MD5:	CC11EF3CDA871E739075E19C7E011FFB
SHA1:	C0B20B62646FB9C3C3AAA61BA6D806AAE86FC93B
SHA-256:	5F4334AE0F8BB573E6179BABD9C7DF94C0FA33A081390FEE7C04DDBEF1CE5BC4
SHA-512:	4DF027A3FF53C549AE181C43BDA619460A373E96564B448C74EEFA5ECD820A39B51C763FA5FDCCED1939CF900E51826E5D6087272E91DD95629E2C7615B268E0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	562776
Entropy (8bit):	6.434910305077969
Encrypted:	false
SSDEEP:	6144:k9H0dzerObMhDGJ9UM3sunrXj9BMHmD1tYFLqY/W5R02qO7VKCy7KCzDSEBPj:peqbWqB3sunrT9+aYFLq3ny7JSEBPj
MD5:	AAFEB56FD7F7B3864CE0172C11BFFC87
SHA1:	8628FEF6AA9346B4CA3E0534632AC831DA737C15
SHA-256:	8620ED2307EE8B35B5109D765F8BFBF8FDC2CF5D451E52706F9C5C2A13248609
SHA-512:	16BD91F2F348D6FB6B35AD47225B9CF80AD0EC5D0BEB0AEEF7D84D9CE164DCE23DBAE529CCCEC7CD6577E115935D93913DCF6446C92499C96BA11E986271E5FE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	127512
Entropy (8bit):	6.339948095606413
Encrypted:	false
SSDEEP:	3072:sr85CqPo10JOSdnvEhEyr1hg9uCRFRzsxeZ:k9qg1MOc81hmRFJs0Z
MD5:	1307001D8EECE24439EE9F2E353163CA
SHA1:	0D5EC348BFB5B53CF8A0AEE1FD325BA0BAC476B2
SHA-256:	D5842746263ED287CEFF18A1C03D784AEB007D7BF63D6548C324B21FE7B6F3D5
SHA-512:	5A23D430C6117CC2467E2FBA4935829EED4752A6F10F2AEE81C66B239567BC3A3F2822D3A039AE450CF5CC89F27FED2E1EFCC8260D5A650AD3570671D65B247A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299136
Entropy (8bit):	6.791456127636419
Encrypted:	false
SSDEEP:	6144:k9/0LYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:G0EbH0j4x7R6SvyCMqn
MD5:	7663DA5345AED4E2CE3AE00F1569BAD3
SHA1:	10BF6A77F04B10292030C2456066EB519A4F50A0
SHA-256:	14093EE670E445270AD20D7451E89F37B7E8335C5EC73460A0154232852BA3C6
SHA-512:	1F8E1BEFA7E2462CA5C0DEB8756DF7B8FFD71D82F09FA0B93EF9CA2D32CACB21688713F5AFA8053B9F83463E9253D428818AA9334202ACB147A608827E4027F1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299136
Entropy (8bit):	6.793867878392893
Encrypted:	false
SSDEEP:	6144:k9/lXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:GlXCs/YAh/elvhI7Wd
MD5:	BB0E7591812BC27C3D6D3DA565AF925B
SHA1:	BCF62126B5381B32D7C614EFDFA30CF7F385463D
SHA-256:	F251861114A4932B3AE9FDC95524EED50D2BD6DBE1E498C48FAE4BD095D4BD7F
SHA-512:	EA133EB067DC32BE2EE47D1BC50CE77FA87DA2379CA5991EDB837EAED7BCE9BDAAA179A7997220E0D8520926F846D998948B92607DA330128D74B1E000E8E1A5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	437888
Entropy (8bit):	6.42684511221715
Encrypted:	false
SSDEEP:	12288:GGNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:9KiBLZ05jNTmJWExixM
MD5:	2607BC5BE23EF6AFA96E1B243164745B
SHA1:	50B602076CB054022A35790FDCF0512CA1D9B68D
SHA-256:	EE438CBF24A8CC6303A4930BD3D84EA306C350A92384F3705364058BECAB050A
SHA-512:	59C7C4CF7B43726B774A4BE770B5B02573EDBE035C3DEAC909EC3230A1A05A2E2D6814F08F9D81F9E86433748082D1A04B914C7444585D90D511C348C8367D33
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	343328
Entropy (8bit):	6.646237652723173
Encrypted:	false
SSDEEP:	6144:k9zkTpB8HHvBjruphfgesnAhAOQp2EwckjQx+m8zhPLlZp3:OklinJruphfg26p2Ewix+m8Nln3
MD5:	E08B11A49D68A60193D50788A23FEEC1
SHA1:	5348D03F4BE33DE456F7E319C1F0F0DD2B281881
SHA-256:	AD46D94722B50EED787512D44634295F8EAC6AB5851F75CC14B40DB095D18244
SHA-512:	F397CA818F0F9902DC4111D240C6CE0E29B75477B4571D89BE9F4BEC2144AFE6E1BECC6058E3701B18C0090BF2FA15C8153173C024203655A3D757572E7E6DF5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	443680
Entropy (8bit):	6.399332197842204
Encrypted:	false
SSDEEP:	12288:r3gaHC2zUM2WJoROZVXk8hbodzbaw8x0Cx+wnx:rx5k8hb0Haw+x5x
MD5:	BFEF6D485809D5E865C0CE57F5C30761
SHA1:	67C6C40D604D094508A7A54B2C1B984D6B284B16
SHA-256:	AF62AE439BF04032F161BE6720D989A4CF6D79F74916849D06F1118B77303B70
SHA-512:	7F1715A1CAC7CFD1AC321F70DB92E1255DE06E6B98BD8D05F84219C729714DFAFA2C15B12CA55F5A3F7AE93FD53B74927D29F4627F27BCA7E65BC3D925A61912
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	203552
Entropy (8bit):	6.1365331355493
Encrypted:	false
SSDEEP:	3072:sr85C8aKavT/DvbEvK9aobNI2B+Nl4jz+b0atWH1TmFtotpcat8iKdlVST31OK8I:k98aK2h9H/B+rEtiPC
MD5:	3F7B572F1D8E16AEB92DD112EA5DDCBD
SHA1:	FE399BE4D0126B73A2F1793B205D75F52923913F
SHA-256:	617E36E5B66F2D8C2CB7534E883744EF115F2F1EC8B8210FAD308E21338A78E6
SHA-512:	B5E7D7601A159DEE555A0E98D0D7D0A1BD2EAB68931C8520AC8965B2C05FFFB66D0320EA79713645A4991017A1D753E68F01267311B1C35AD86BE9731D3102E6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	149792
Entropy (8bit):	6.511104209826025
Encrypted:	false
SSDEEP:	3072:sr85CV4vzT+PjZpsB+2h+EOXkMxJ7Rfp8K172YPrp:k9npsB+09zMH7cCxPd
MD5:	931BA0AB474211B6F6F46DF9D2685396
SHA1:	46B754C10E0CE63693C1E0C243A180E980CCE688
SHA-256:	37AC3DD2183C224D3E32A772FBA419CB1B63E591C5DF6FA69A15989DA9B2C582
SHA-512:	2E9913BEAECC96FC9BB5BA270B819B7D3FDA82BE9AFF739C294D74A3C0ED7D706A7584D872221B864C3297CAB8C9300FE4DED15A40DA0F687D8E1DB1D60A18FA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	227104
Entropy (8bit):	6.237873657819261
Encrypted:	false
SSDEEP:	6144:k9AWt9h8QlLISZWVRohcq7dvni3F8QrBA/:Hy9hdFIdRoGUxi35rBU
MD5:	19AFE8347886BC20E0AE3FF3168E4A33
SHA1:	C75BF52D95EFB4C1A07F0D55D7A25B765B366087
SHA-256:	58D82570BEE9757A3615789DF93384BC28C77D4F0E60796C0A845265FDB0BADA
SHA-512:	6FE092C3AEB098BC26AF41E64EAD35381C7E49BEECB1847A1DF7DBDBE2449E0826D888B49F099E28C3A752013BA9E7D0DDF256A8B3A57F3A60248A467CB2DACF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	264480
Entropy (8bit):	6.6429855049099995
Encrypted:	false
SSDEEP:	6144:k9YwCtJmRqyFmB6AOKmiMGwIAfx+iQ+FfFyLgG1da6edo:1w6JmRI6Bitwpx+iQafFykG1da6edo
MD5:	9E4A1877CD2731B9DFCE6E0FCD7B5037
SHA1:	45E966F9EF775DD94339782C3374597AA7BC17D0
SHA-256:	224C2EE088EB5EA5D06DA228AB575A704FCF2328B3EB60613983236B13B5CD70
SHA-512:	7A7A6185F7590B1C5BEB2D16DA1FF14BFF15E6EE5BF185562B1588E32F112765BAF20D84892C85299DCD2C1F7127950D78EB3D10EDE6C45727D1D737F022F8BF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	149792
Entropy (8bit):	6.511488043303241
Encrypted:	false
SSDEEP:	3072:sr85CZ4qR8vSZksB+2hdqecER5AhC48S1m2YPrZ:k9HksB+0YlEXAe6QPt
MD5:	1F18312D69028EEB0E96580CBD36232A
SHA1:	E90EB0E84B9D3693EEECAC1979E736802D7AA181
SHA-256:	DD6FC425C8F737BA5054624F638AB7B4ECCCFE3A6A14C1DDF11FDE34B928557F
SHA-512:	487A3C9E58C51210EAC60866105E1E3A6C1F1B9BE39BB958EFDC635D2D7BB7F382E7AC3500CF40B2B83DA16986B1B8982E79E51C452901AB9848AE80666A1B26
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1631792
Entropy (8bit):	7.975199435773668
Encrypted:	false
SSDEEP:	24576:HR1kyOX3l3PScicR9iK5vS8dU+0BeId7JfroHKExAuRBAHToF4rMTgZYhA5QR5sN:/kVX3lfrFfR0BecCqKBs+4o8YhAKi
MD5:	3DF71037F5D9E13497D95C8DA1CDDDC3
SHA1:	32BF295FDEDCE06CB789BC243900AD405BCD2FA3
SHA-256:	D5CBCA7E0315EC041C267A8B97DF0BE9AFA6618E2440E5FC673F473E89CB5A08
SHA-512:	BFE93175001FFAF6B7F07B2B19D10AD7A701642D6316A19457F5C23C8E97ABB9518E17C058E8115377E0D39EF24C4641C0A3561C291A9D8455F11E6FF2907C3D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, Author: Joe Security Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\Install\{6BB58CDD-A64E-41C8-8D92-79A516D3D118}\117.0.5938.134_117.0.5938.132_chrome_updater.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1631792
Entropy (8bit):	7.975199435773668
Encrypted:	false
SSDEEP:	24576:HR1kyOX3l3PScicR9iK5vS8dU+0BeId7JfroHKExAuRBAHToF4rMTgZYhA5QR5sN:/kVX3lfrFfR0BecCqKBs+4o8YhAKi
MD5:	3DF71037F5D9E13497D95C8DA1CDDDC3
SHA1:	32BF295FDEDCE06CB789BC243900AD405BCD2FA3
SHA-256:	D5CBCA7E0315EC041C267A8B97DF0BE9AFA6618E2440E5FC673F473E89CB5A08
SHA-512:	BFE93175001FFAF6B7F07B2B19D10AD7A701642D6316A19457F5C23C8E97ABB9518E17C058E8115377E0D39EF24C4641C0A3561C291A9D8455F11E6FF2907C3D
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299136
Entropy (8bit):	6.791456127636419
Encrypted:	false
SSDEEP:	6144:k9/0LYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:G0EbH0j4x7R6SvyCMqn
MD5:	7663DA5345AED4E2CE3AE00F1569BAD3
SHA1:	10BF6A77F04B10292030C2456066EB519A4F50A0
SHA-256:	14093EE670E445270AD20D7451E89F37B7E8335C5EC73460A0154232852BA3C6
SHA-512:	1F8E1BEFA7E2462CA5C0DEB8756DF7B8FFD71D82F09FA0B93EF9CA2D32CACB21688713F5AFA8053B9F83463E9253D428818AA9334202ACB147A608827E4027F1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	135808
Entropy (8bit):	6.396186166703023
Encrypted:	false
SSDEEP:	1536:JxqjQ+P04wsmJC/rmKmGyeVK7qjh3rmKPNbS7cZPxyqPEoCW/ids8nBs+s8nBs8m:sr85C/q4yutjZqMNbSgxbFrj8m
MD5:	2DE190CF047A78DBCAB6E2216701D2BC
SHA1:	9B490C017D00BD20562225FC684D426F44EE3C76
SHA-256:	266452E14A03BE6D5B3CB049E5BBEA4C4787B4C18289FBAA212DFD8B1227B3C1
SHA-512:	E1D62E8CFC1F441ED08ABDE8CD996EDE7636E48E67E0B1787A9CD0865C8885C1D56E736803BB20773EFD98768ADDCDB79C1489912F5D01E5BFAB231394D552FB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299136
Entropy (8bit):	6.793867878392893
Encrypted:	false
SSDEEP:	6144:k9/lXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:GlXCs/YAh/elvhI7Wd
MD5:	BB0E7591812BC27C3D6D3DA565AF925B
SHA1:	BCF62126B5381B32D7C614EFDFA30CF7F385463D
SHA-256:	F251861114A4932B3AE9FDC95524EED50D2BD6DBE1E498C48FAE4BD095D4BD7F
SHA-512:	EA133EB067DC32BE2EE47D1BC50CE77FA87DA2379CA5991EDB837EAED7BCE9BDAAA179A7997220E0D8520926F846D998948B92607DA330128D74B1E000E8E1A5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	437888
Entropy (8bit):	6.42684511221715
Encrypted:	false
SSDEEP:	12288:GGNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:9KiBLZ05jNTmJWExixM
MD5:	2607BC5BE23EF6AFA96E1B243164745B
SHA1:	50B602076CB054022A35790FDCF0512CA1D9B68D
SHA-256:	EE438CBF24A8CC6303A4930BD3D84EA306C350A92384F3705364058BECAB050A
SHA-512:	59C7C4CF7B43726B774A4BE770B5B02573EDBE035C3DEAC909EC3230A1A05A2E2D6814F08F9D81F9E86433748082D1A04B914C7444585D90D511C348C8367D33
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	163456
Entropy (8bit):	6.282119597857022
Encrypted:	false
SSDEEP:	3072:sr85CQ446dewltB2mNd/HOrveW1dexk834fRZ5Nyc:k9Q446d7T/H4X
MD5:	6CAFDAA62D8747DE46D3034200B28419
SHA1:	939138E4EE0DE785F062DBDF928465EEB2653510
SHA-256:	F8C97B577C19232F795F72E2C81D343E7E4CC1A219350419A7FBE781C1FD82B4
SHA-512:	8A390C6A4FB272AC4ADC80018E548AD656504901D580BD6FCDBF9DC6181435FD36AD46B396421F8957E38CE6D981324DA93BA5217FFCF78AD1AE7F2C8BC868E4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	127104
Entropy (8bit):	6.0679650494656965
Encrypted:	false
SSDEEP:	1536:JxqjQ+P04wsmJC3s8nBs5s8nBskEsz2zy77hPxIAbBsnzA3QDkrDW8Kq5ns8nBsb:sr85CaUkEsqzy7pxI8BszFJqkb
MD5:	80063F8042BCD9F08243437E883EE0B7
SHA1:	B28DFAAF22CD52264358AFCEFC9272B65DA021BB
SHA-256:	77D52E65380CDF4E98EBBF36F578A5A1406F4BF9D53C434FFDE323AD833158C5
SHA-512:	BD4FC5327D74C0D9FC1A75DC9781AE5F3C147A83E4A22FD7FDBAC370E1210C781A51018D798BC5F39C9A9804E43F56649E548C562D59BB4371ED473113B952F0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	223360
Entropy (8bit):	6.089485930964728
Encrypted:	false
SSDEEP:	3072:sr85CIySSyyXC2BZC5vHa2L8jv+UII6qS2AroAxYN35gwxcPXtxdTsVcCXFzlZBD:k9oSyMZOy406qS2AroAxnw6f9JCXN1
MD5:	8AC992B3CEE15917902FCF4E1BB88AD1
SHA1:	278D893D5B43C8210F04986205F42D7B842B49CA
SHA-256:	2A5F8A9115B28D6E242EC13E0C9B577FC55A4B23AB7605CC6F4BCB7645A7A905
SHA-512:	4ED4B2E050D864F66BEFAA8D587972B5219064D5EE989F36FDB410865D30467EF60D6A1B14D53FF6F6E408644059E473134E74BD8B4AE841D1D74F2642649381
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	203264
Entropy (8bit):	6.630784933207718
Encrypted:	false
SSDEEP:	3072:sr85Ckwl0hzyfN7T34oshWGrAUdaz2w9Lf0M/RHym:k9ZiFIf34hcUsz225/
MD5:	FD99F4BAC9DE9CEA9AEBE10339376F46
SHA1:	657C4D31907420906F6B76E7202DBC8D1ED642C7
SHA-256:	D40F5C5B2B8267AC486BF5E68ED065502630CD8D5C38C84773A3CD8341DE3479
SHA-512:	360A69F494DD27CAB49FC0FBC0A3507593D97D65D41C7D9E7489A89385D1E6ED42F9E4109A3585425F19AC6DD3A19A281CFCB4CCBCB9BBDFD4C914404487A9B5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	209912
Entropy (8bit):	6.339745236465328
Encrypted:	false
SSDEEP:	3072:sr85C6fSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:k96fSoD7q/fji2SUKz7VHwmmtj
MD5:	57C91EFB667D78BE5744B415C921B0D5
SHA1:	875B5401BB112BE99BD150C7F74E5193A2189885
SHA-256:	2ADC50C04426A03D30F96FD5E11F16167DCE5AE4E3202FF5F6A21649DF965401
SHA-512:	A4958FDA3A3C70A61585A7D0D6DBA9BAFACA06FCB3D242924DA41D3CB57A604B8351DA663BCBACDAF57EB833265C511B77148B9FA12B60468540EB7E0B3EE897
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	209912
Entropy (8bit):	6.339745236465328
Encrypted:	false
SSDEEP:	3072:sr85C6fSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:k96fSoD7q/fji2SUKz7VHwmmtj
MD5:	57C91EFB667D78BE5744B415C921B0D5
SHA1:	875B5401BB112BE99BD150C7F74E5193A2189885
SHA-256:	2ADC50C04426A03D30F96FD5E11F16167DCE5AE4E3202FF5F6A21649DF965401
SHA-512:	A4958FDA3A3C70A61585A7D0D6DBA9BAFACA06FCB3D242924DA41D3CB57A604B8351DA663BCBACDAF57EB833265C511B77148B9FA12B60468540EB7E0B3EE897
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	264144
Entropy (8bit):	5.863490790187712
Encrypted:	false
SSDEEP:	3072:sr85CQPEGT3EB2e1aWGNU6ITL85x0HRerzJ0YF6OYLy0PPDq29BA+7891:k9QPEC0QjWGNU6ITL1H0zvjkBA+7891
MD5:	1FD92ADE57DEF19C2D5BF4A14AF53373
SHA1:	88335A048A05FCE5F5F23411D07AAA53DE05FEBE
SHA-256:	7BF6EB7F7150A749DE8581C55BA2E0EB2317B17AA39E39466C22F8E537892070
SHA-512:	1035D82569254BE103EC1A2BAE83F02072A17D7C67DC2BB62F1AADEBD06E3A85FE3B352CED35EC166DB4DA7A06489AB839312CACA2806C544B0D064FD1A8BC6F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	430680
Entropy (8bit):	6.627953214122613
Encrypted:	false
SSDEEP:	6144:k9Bmmt0fSoD7ZAOhPiURg/4KAaxZTTlvIfaUcuI4hWxBP9SGO0zyqEL:Dmt0LDdOUO42ZdocuI4kxBgGONqEL
MD5:	387E91F4FB98718AE0D80D3FEEC3CBFE
SHA1:	2A4DEB9782DDE1E319ACB824F32A19F60CCB71AB
SHA-256:	2AF36D2872119856CBA456CD9BB23623CB05E8957D74EEADBCD5DED57E17F5E5
SHA-512:	1C6029F902DB9F190985B64AE4BA18CB3E770A2DED56511A32C15EBA86198E26B1C8F3BEB399249AAAA9854C72EBF2C50446182F616345004F2FAAD062FDF8BB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4473576
Entropy (8bit):	6.569965325360163
Encrypted:	false
SSDEEP:	98304:pkkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:pkkCqaE68eV+0y8E6L1
MD5:	809D03153D2FCC1C9E1EE574DDF7CD2E
SHA1:	CF1FC95A34AFC5A2FB39504D973BC8380A04BAC1
SHA-256:	C2A715F1396DCDAA9360FB09B89992EE8619362062DFBD6C90CFF751C5272032
SHA-512:	094FE1BC30027336DFE6A32520DB39D8D27AD1A69716E7E00D6B66D44CFB4EAADBD8D48B6D80BC0D00C60EF0E3483437C82D2185BD704137CB544B11063820DA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4316096
Entropy (8bit):	3.9258169272505024
Encrypted:	false
SSDEEP:	98304:nPNLniBaEJhRELqS/rhwov59SRZ5Vb9sybbsK+0rnsQ:PNLniBPJhRELqS/rhb59SRZ5Vb9sybb9
MD5:	D303F362090140A192699993B9B481CC
SHA1:	EA2783C188FBB317661F1FC3A0CB4492BB8EC80B
SHA-256:	DA0ACD313E47ED22E9D7EB3E3E540853B8EA43172CA0CDCAC4E0447868B2B16D
SHA-512:	12932A51ACDB0D184CA0AD6B7B1B9B72C8EF698B19B5747BD45DB6EAEB792B942089D62F5AB43106BA840E50D562092FF0056D3A2BAA97E353B2AA64C433242D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	94600
Entropy (8bit):	6.442216424962596
Encrypted:	false
SSDEEP:	1536:JxqjQ+P04wsmJCgELjOzHKd1XI/etzCJQx0cxnIO/IOmOe:sr85CgE/OTKXI/etG8ICILJ
MD5:	3F61817FF96973951F7964C30D7B3E0C
SHA1:	206328C89E5552AAFF1C232D4285EF70BB305CED
SHA-256:	0F2597EFBF9783DB37DE336D0F7C2F2906E09173873EA105C79EAE1B56E8F95D
SHA-512:	C2394D49EF23ABCC1C96DDF60111D2272920698D962F769B3CBB7D77493438201E5B1FB7B196ECE9B709A7DC2E03B26FBCB74699CDE4B1B6AA56C869F287A47B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	101496
Entropy (8bit):	6.2502810194516245
Encrypted:	false
SSDEEP:	1536:JxqjQ+P04wsmJC2vpz3ktxGvpzvy5ZWGalHFmMTK0KRTS8bOzc:sr85CwToATzvmN0KRm8bOzc
MD5:	FA4CEDA48FE9CEA7B37D06498BFCAD93
SHA1:	C85C170D39C0BEEA2203B0BEA30C19AABD4E960D
SHA-256:	BFD637624C2C9B5ACDC470E589795C7720710782B618830E70D4C08F2498D64F
SHA-512:	B95C63A1DDA19FFD988DA77C38E04BAF600C61C32FD231981B6577B351A5D8DACAD0A6923ECBB05692BE06BCCFC365A7AC3AEFC957E25D56C7A5B81CBEA4E208
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	455760
Entropy (8bit):	5.934487072040942
Encrypted:	false
SSDEEP:	6144:k9fwACThwS0vn9IdRsLGEJTdPA6lDfZNAGVx:KwACThwSSn2dRANtlF3j
MD5:	EE7FE56AA5473C4CAAF6542F9C89E3B5
SHA1:	F94831FB534FA38C6142CE1A73883A5F181D47CE
SHA-256:	AA77B4D2A82911CFCC76EEB2184FD513F8E8DABB39B90019E7F051172CA128E2
SHA-512:	EE7A769F162F3E4A55A8653F51D601DBEA53533EDBE6F52A96077234E6367FA835EDC9F2DF76F56715EFAEA618D4A77C64F7875725BEF5AC9F5D0E1F799DFC37
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	225704
Entropy (8bit):	6.251097918893843
Encrypted:	false
SSDEEP:	3072:sr85CHLqB8edYkIrv6TXRw9xwqazULDjkAJZo0RAjUIqXfkRC:k9rjilq8OPwRzso6AQ5yC
MD5:	D2E8B30C6DEBFCF6CF8EA10E95D2B52B
SHA1:	E907D9A5B3AC316E5DCB4143A8B9466A548CD247
SHA-256:	2EB9FDCC1BCD91C9734390A0F9543B6DEA8A934F71D14D304D0DFEBD9ABE1608
SHA-512:	811C739AEED909E5F977E3C69FBBB6DD57FD9A0C5D644129C41D298279C369F9CF8482230DCF7762AC6B38958CC78255B1B2A9261ED0C897E9CF85244F056A67
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	84928
Entropy (8bit):	6.496286535630211
Encrypted:	false
SSDEEP:	1536:JxqjQ+P04wsmJC367wZClMML07MiapFmPRHyzMwzobtM+zf:sr85C367wZClMMQ7MiawHyzMwsL
MD5:	577ECDB909EA638F824698FC9662A65A
SHA1:	EF5B3EF16FD6E4FCE04774B001C229B091B64242
SHA-256:	917362177EC459D22BC88ABB9EA65E385B50A664A9D314AEBDE4AEE3D4ADDD69
SHA-512:	2D30E0328E250B90731269650174145A7E0993B76D43A90BAF93E05DDE59B7930199755648C90BE80BB11AD7ECE5555C1F54991E1146A62D1985958E6533A854
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83816
Entropy (8bit):	6.5486905453129385
Encrypted:	false
SSDEEP:	1536:JxqjQ+P04wsmJC00s7wZClMML072apFmPcnGzLHyxz5pOEtmwxz5E:sr85C0t7wZClMMQ72ahnGzextQyxtE
MD5:	0A60BCB1B4624AEFC401299CF4AC158E
SHA1:	B213E9E2C230E850B70EEE7670A9961DE0DD3B92
SHA-256:	377C6042F55C5245E950DF6C58C8E541F34C68B32BB0EACB04EBDBD4D4890ADB
SHA-512:	B6F2C7F1CF562988BC0B4F45D3E36062C08A640F0CC99A3CE05DA121CB107716193FBE3B9B6012B77712FC8832D3EE19B9889018815F414C1FF0DB1EE5EFA898
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	233832
Entropy (8bit):	6.444055281477179
Encrypted:	false
SSDEEP:	3072:sr85CUW32GhNvMQ/58sl2U2Gszlz4SNBZCgMWku:k9t2GhN0lsdspzPgg1
MD5:	C541C4556C5B21907107E916D65C5212
SHA1:	E70DE78F3C4FD8A9364FD54A8283523572F07F60
SHA-256:	99669ABB3F0C6A61BD44D379FFBC5712D2AB44E63D1071E1B699E46DAF279358
SHA-512:	73761E8DBB28A0A83BA33236CC43609CB11B64716A3CC0EE1394D1C05ED9BD71791566666EBE8B159D13FE3A1B90FB473B865AADAFA69DD3E4513824F1959793
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	502632
Entropy (8bit):	6.71908645689974
Encrypted:	false
SSDEEP:	6144:k90WDxGH79J2VX5gEpvm7JA8I6BHAlSpFG/+Ls3ze30xB7zq2zs:kMxCvm7JK6JAB/6N30xpI
MD5:	266F86A29B1E6B8B760527C50DA9D660
SHA1:	2C054027DC591063B47873D42D973B38B3BDE3F2
SHA-256:	F30F2704E1BD0F7B173E9DE79D3BA9FA3CB1B494C8BF20FB4768B5D5EE6317CA
SHA-512:	1672AEA98C6142E995BD018CCC8FC7836A05E6A5062C7B615D7C5D04E3E80EC4AC37DAF999296C2F095C4FD2A8FB38766DE09BACDB574266DF0257E697522D78
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	352704
Entropy (8bit):	6.38536686774314
Encrypted:	false
SSDEEP:	6144:k9+EshacHeGXduZtZ9zHVcI3uv7FgR3FTzWQ/ZZyp1:ysHHrtuZtPvh3FuQ/jyp1
MD5:	51D8F20B8D5103A7A909B107B6A3B7E4
SHA1:	FB4B5534EB81A82E70652870FC68DCB8EF8C9A6E
SHA-256:	BBC6913BAC290E98B15A7F65E9CDAC0607BCE18A32CD3DCD1D7EAD307F0B51E5
SHA-512:	77A398F43351031F2B6EAACE03F787E49DE72A1C937A24A2847BACFBA8A1FE76B2B031524530E5E5B2648B6B0FA87B53104A92B1A216963F2D233E0D74D03D16
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4395184
Entropy (8bit):	5.937082520516123
Encrypted:	false
SSDEEP:	98304:mXuo5RMru45b5dZlAj0sqW7YDKMzVwgBWMTwLe7G:oR345NRAgsr7QH6h93
MD5:	F57075B760A0D881010E15505F0C483C
SHA1:	0ABC231159F339F651595E385EC7B466E259470C
SHA-256:	3D0EEB0CB3BFBCCB167AE0D1AD90B8EFE17C9B88D491AD5D14A0EFAB223D6E21
SHA-512:	64D97EF9B435579D883DD5C08967737D868C6A6B6347E37E248C5DDFB47FA726B712DCABC179EA62E0A936692355766FC06BB4C1DA3087B81092942940068161
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	603928
Entropy (8bit):	6.530305704021743
Encrypted:	false
SSDEEP:	12288:bzKRgqBDxoiPCLXHLuk/Wg4Reh2mbeF+IGboJdx:/KgMxoiPoXruPi/++IvJdx
MD5:	8F1CAC64758ABE414CC4B882EE8519B8
SHA1:	7018BE9C3FCF4FB4F8138869F9CD40AAB0C9B1A4
SHA-256:	110E1BBB7A4F7A42D2099D8A76F068DDE01D63C28D841AAF06D3EA872F261716
SHA-512:	19F81CA57D67C8D8B784817E88C10E7768906F019950914B391DF69C2C537380296D1D4B92F7070ED25582E9EB7C015E797D3131D77A70CCFF690CDD39CFE4EC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	507024
Entropy (8bit):	6.145143458075982
Encrypted:	false
SSDEEP:	6144:k95yrmBq0RYSv3A5DhW15yChMFt2XTNJWLgCWzzYhPRt+:NrmBjYuALWJMn2XTmL7hPH+
MD5:	F6C667D2590E5294F3272D9576BC3051
SHA1:	13D893A1521C8BA8D1FCBE11EE0FD16F2E0194F9
SHA-256:	03966A5548958182569400B6098219CDDB1EC6C5BCCFB5391A36F66E9F517FC6
SHA-512:	E2FE50A7EE86D8B05CCE91C9F0CA07A24C41631A317F38AB380C996475BD8B9CB05BD7B9D49968AE87442399EE7312C69169447B3D527B539F0C8C1920D986CD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	251560
Entropy (8bit):	6.621260401843092
Encrypted:	false
SSDEEP:	6144:k9BomAAOwPcPIqk4Vsvt0uews+qZP9zOPBxGiryKI:4sAETlVsKzZPixGBKI
MD5:	3DF5147DBAC00F92DDEE6D22533EB194
SHA1:	F7ABB04F99361465F9FA9193E1ED06B49381C688
SHA-256:	A5BD7911E7F7FC76E27F5BFBF2B4AAAAD9FFE0FD304B65D87783409629EE8B25
SHA-512:	84ADC24DBDCBE9EB9A5BD77BBC0F1BC1E59E4C32496F4A435D85ADD042F7FEFFB0FD21D459D62F0BCFF7655CB3262F7BAA491F6947B5F4ADCC650A5B10FCE3E8
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	751720
Entropy (8bit):	6.631735781680161
Encrypted:	false
SSDEEP:	12288:DdI8PdgELg6eaBlnjlZcTerWv+xdeFhvCs9TukINOW:Da8PWELTBlZ+erw+xdeFUsUkEh
MD5:	8A6DCA4D7B31FB7626B5FB7430241040
SHA1:	258B527B5F6B30411C8727107B29AB9300163817
SHA-256:	6DFF05FB541A8D3B7847AB3197422E582AA021963A9C4BF63C44100180CF22F5
SHA-512:	2A9714FE31814C0ABE13F59ED77A8EACD0CAF2BF9566FE9B9B0240A942EE5BF5425A5E523F2C51DDBE8BA977675753074901C211A42D899F7AF9F47890280693
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	161968
Entropy (8bit):	6.528134300921485
Encrypted:	false
SSDEEP:	3072:sr85C9NDS5lS1jITI1FeBT77NDS5lS3j+Wzy6oUSA7hZ:k99NDS5lSxFeBTfNDS5lS7zUrsZ
MD5:	9A962710D6C3F23726E18BFDCF7D5BEE
SHA1:	01AE9DB82D4B7E365E30B4A2A930B74FB8C0C5DC
SHA-256:	17D163C4C9AA325EA07FB5E5EFCFC3A308D30D71C7A19BF663350F978EB6418C
SHA-512:	0D51336AF8246C7B6EC30F506206198A7873106E07995A69A51D059FA5F83BC0BE6E6744A0D0306DBAA811DF623239FB472880E7C87AE83CC9BFCE70E7C2960B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	159560
Entropy (8bit):	6.577583568198119
Encrypted:	false
SSDEEP:	3072:sr85CIklWPsom9TiWWWWWWWQM+FtWAzhIwaeENinkf8xw3xUFv2tGPrtPmF:k9ab5zPaNQnBxw34Oita
MD5:	04CD44B46689C390B61090CC9AF0DFC5
SHA1:	DC21D958A5D799B45AC721528216E981AD9FE73E
SHA-256:	19E2D4135729DEEB6086A7B6E50CC9CC238DC19F199BE40CFF80A7280A9D7A8C
SHA-512:	7D91066D2D02853B9C71C1D691D1315E0CBDC1111AEA83A4A45CB40AAB26A53311386579BA93AF557C9074D4D69E0D265B13C41A384C23BC254911591C0C8B5E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2233240
Entropy (8bit):	6.2971498741833525
Encrypted:	false
SSDEEP:	24576:LDZgOA74U4o//sbtwvZTqFDk9sg71SmY90gh/G7QJoma+9duNGeVG29H:vqHVhTr5UmY90sGE5dIDG29H
MD5:	B30942151231700F5D6432BA1B1A0C0E
SHA1:	670E354D40154284F518603B702DC0B7EE94DF82
SHA-256:	F8677E5F13CEF8B175C10B333927AFF942E46A9F0C73BE91E9BA8A424B878ABD
SHA-512:	8652C36DF9B5A8B245E3F0A4AECEC55E46B55D18020A11AA0BFC0BFDB532870AE06CECFDBC15000B287E171177570A4EFEE44E2F2EF9B228221C93074A65DB37
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	214432
Entropy (8bit):	5.994507792871334
Encrypted:	false
SSDEEP:	3072:sr85CIVFptXofXXXXXXuh9gLzltw6Q1hqOJHrtTh:k9YtXofXXXXXXASLzb9uhqK
MD5:	74D1B233AC72ECF698C6A7C899B119BE
SHA1:	EEF35AD9326A5A3E3E9F517DAF69D57D0B700DD3
SHA-256:	A74DA825D78F461489E405F90CCCE848699A5548DA0D921864486DC95F18BAF6
SHA-512:	FA9D2E78E79A108AEFCFAE48D040EAF500B72B77C3F62404565D257642FC848405FEC7364A8F1F98EEF00B5725C25A77B5C4B37B3CB60A0DC3909A2FE3C5D6C0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	620840
Entropy (8bit):	6.585082275251885
Encrypted:	false
SSDEEP:	12288:ioBdI/BUQtsfBCegl2eccL1q/xRyye7BfcwqEhDe:ioM/BB0Bml2m1q/xRPCcwFC
MD5:	91F300014FBA9310BBDBE0CFDEC9A819
SHA1:	8091C24B7EFF0215CAF7424ED956322E0E9B4476
SHA-256:	450D510099056DD9E931D0094D6963A07544E91B3D84A29CA05223C35273A22E
SHA-512:	B39BD37C0DD05D81647E4C42F0E43CEC41DA0291DAC6F7E10670FD524635086B153025F4E4450ED1D51DF6F9C238DC7BAB3DDCDBE68822AEEF9B79827EE1F0F6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1568248
Entropy (8bit):	5.675955532170124
Encrypted:	false
SSDEEP:	12288:+wF+k53zCG2tIuQ6DtJQSZDhLOhkZzV5i9w/lmd+jrcUiACW:bFXG6uQ6D9L2uV50AlmsjYUiAB
MD5:	59BBEC68CF2ABBE0AA71761A90902F8E
SHA1:	CA4DE80AC4640A32C495FCE0237F46D45565745C
SHA-256:	2289860922074D80B8F52D6014A3002061616342E0CA952A6A6608E83434F8C4
SHA-512:	4CED0681CC7B5F9F40E4F7496F692A55C71C0DB1E2DBC93C08D8415DF9914F01FA8E45AA9FD276305DF824B7C3742E39BAE005CBB4A851B9E264E5129216B43E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	634800
Entropy (8bit):	6.709073721775351
Encrypted:	false
SSDEEP:	12288:jf/4sOdw+RfEB6tuAlnWhGZco6ijmn5jFTSt7yCPUkazi7JThVoSZeR6aQTJ:7/4Vdw+Ra6V6g2kazidN6SoEVF
MD5:	93B1C57F0B5C441FF47190254B01C47D
SHA1:	8DDFB09946D30CFC78B8D9C4DA9AB19FD0EAE045
SHA-256:	846FDD3E11DAE5A991888539674DFB6649A1960E724CF72E2D8E37A23C357609
SHA-512:	5B15EBBCBD69C6BE2CCA96D6C0635FFADD5312BB8EE7FFC6A655D191F5EE25EEEA20EA95D92EF45B47D5AC54BB3216C74D0D4DAC3DB1C5A18B0230F285D5B588
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	748192
Entropy (8bit):	6.713281323235293
Encrypted:	false
SSDEEP:	12288:KKxLM1deLycUTc1kZi7zb1QRHhhj7WGvF5PYcdTFtZ3G97aSDGGHrbTwqFwydBf6:KyY14evTc1kZi7zb1KHL8vbTlwOBC
MD5:	D995BB9A7D45C056184104F03848D134
SHA1:	794094754972689F4ADF9F876F60440FA74FBD2B
SHA-256:	CD263241B90D11DB8E0A0EE42D47AB1F7517675F53C2B8D92C61471746BE2276
SHA-512:	89C4B7AF03DF6B2FE3BBF56D476497E9102B0ADD24552A78D164DDAEE453AA1760D12EB4ABA0501A58BD5F00B00DA36CA0BEDD542B271DC08ECFFF9395495643
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1917048
Entropy (8bit):	3.840447707777205
Encrypted:	false
SSDEEP:	6144:k9GBeXsm81c57ZXFzY5Ucyw4TapP25xxlq4cUcMeTOMzwMwZ:DKs78A5UcyOPexxPcUcMeyvZ
MD5:	87330F5547731E2D56AD623ECDA91B68
SHA1:	273DC318E8812B3BC6457B0EBEE15F9A7F1D0C5E
SHA-256:	268E93C44BE7EFF8D80A2B57427FCA2C98E9B08B3E865FFD3C943497AF6408FB
SHA-512:	DF4DBF95080AA5378E2E0BC5BAD584C6C63ED6464BB855F84AB315B00B9CE08948BE4C69D7442C2BB96969E69596964510D2FECE737CAE39833628183550D19E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4099520
Entropy (8bit):	3.72186927452059
Encrypted:	false
SSDEEP:	12288:zyKs7cvZIFpCYVIUN2mGsb8HtkLaHLH04cLbUBRjLmP29DyZbT9oc/m06aCzE6hE:zyKsY+dy0ZScIBqBT11S0
MD5:	25E8600B1421194802B2569899E75383
SHA1:	01EFD3FABD4EDF0733F46D91FB9109523E943C15
SHA-256:	50280C7E926F959E876BA1BB0611F6C0BAB04EDCEB300D936A887FD3CC9EDE1B
SHA-512:	DD49E97D675CADA18BA0EC91B4B0A6DF16A86D17344099E3265D3FAA8C576106DADE231C2829FC1D758EECC24343C6AF345CABEF16E91B3854BDA3824AD61541
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	452120
Entropy (8bit):	6.067280009012926
Encrypted:	false
SSDEEP:	6144:k9xvhCpFviM0OKAOVf3m+2fCz29fx8/eAeTu:GEpFVKj3mFn9q
MD5:	7EDAA2971D821AB859302C57099296BF
SHA1:	3D7F419C517B8C3F3B881E7B248D2C4F7723664D
SHA-256:	CDB80830E3601071C86E0725AE58C9EDCE109BA793910F8C994526EC4E98F275
SHA-512:	4EB61A55475E6E87542748AE5C4CCC5B07C4840BF95A84342F09FE21C193B3C4040C27237EEFA4EA469180D24D44B591B1F2833441E456F4E2671A45B9D24121
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	116664
Entropy (8bit):	6.595026282405323
Encrypted:	false
SSDEEP:	3072:sr85C/uGaz7jFQ68ICP5q0WISDr34W+wst:k9/RazrA5q0WISDrZS
MD5:	42085E45C7B5872D0E034915481A8111
SHA1:	291E458BAD0A8EE5E491301224197ED1B4E00899
SHA-256:	E8180D00A2F330E6EF33CEFC29896F0F77FF21C1FF23A637A003D97FA9DB62D4
SHA-512:	0AFD24F81C375210CC5A379FCFFE82B0A50B709A149AE1FB92E4470BF9F1AAF1500BF128C4F4766071C54AE32E89A15A0FB002D64D715601BD7E010E25E1441D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	167392
Entropy (8bit):	6.553431728074077
Encrypted:	false
SSDEEP:	3072:sr85C6WKZbTKeR3Tzp+8IxR8jYYrjHaVLIPSL1CgNX:k96WK11Rp+8II5SLUgp
MD5:	48284F62E79703C80F768CE0ECE7143D
SHA1:	70DED4ABEB18FEC56583A1F049F4D39507F983B4
SHA-256:	1BFDD1474D84B058F2C6F19216FB31DC42DA4E42FEF61923814B304276CC08F7
SHA-512:	A9DD19BA1321A56C4FE3B9CF83E2AFE51D4C915B4F7078EA90F8C3415F64C9F0C3A52DC614AF785045036710D6D819E270B5887F6B198DCDFF9953B8289EAC72
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	670928
Entropy (8bit):	6.025784704076014
Encrypted:	false
SSDEEP:	12288:ewbRB+ZRhFfGNpzX5PtiPWRnTLtx5eq4/RnYRoS2Ds+2EYR1XLlShtg7ksyST2Rz:ewbT+ZR3fGrzX5PtiPWRnTLtx5eq4/R9
MD5:	7C0014593C4D645EC8F351AB5F1AB01D
SHA1:	967B743450942FF50B9E75281B40B215478D85F0
SHA-256:	638614E2B6B2A4E1EB168BF56825B004EF1F247C6E8F27D103BD1D05F18BB0E6
SHA-512:	E826164FA068FE3709D1D385CBDA3CA3CA5E6A28A50151CFBB214F3C19783D967F67567E40B390E4905655D8340FCC577A63C97293E0110A1E5F3F6651AEB7FC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	115920
Entropy (8bit):	6.223528340566431
Encrypted:	false
SSDEEP:	1536:JxqjQ+P04wsmJC5w9K75Rp1Ukkz2zct/rzdaBotnMuvWM6TUaE:sr85C5w9K1Fiz2ir+o5vWM6TUaE
MD5:	499B11002EBE7BD06FB04458174FF873
SHA1:	AF90D819CBB316CC4CD9DB1D1E1876129BF6EABD
SHA-256:	D59CFF7BC9B1DE8E82D900CDC3A6E2969A14E454FECF6FD068B51CDF1FD6125A
SHA-512:	3392C369F2E777155C76E35D1A9309870C87033FBFF32DBA4CCE3AF8525EC49E397C3655016C34B00BC8A7913E0E73151C2C00A0138C639D15CBDC9A16F0478D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	137776
Entropy (8bit):	6.532718929417626
Encrypted:	false
SSDEEP:	1536:JxqjQ+P04wsmJCfLS+I1HtQdiHN4zbyezltnzGd1XuDxhkrTJwNZ5wmW1aHbfC:sr85CsMi+zWeXdswvqiHm
MD5:	0113D4FE73CAEE2B078E5C5B22E0A55A
SHA1:	DF82348BA214A6969E368DD516BE07AACADC3144
SHA-256:	1415C64134FA9678BD5CBB27D189C8CC84BEE485E7CD1454FC2180FEABF8864F
SHA-512:	B0DE44B4E1B6B33C7479C54F02EF6663CF3C2F88CD736423438B46B4E199B5FD51C3E99239BB8B16D6888C613A8CE43D124CB9DAB8ADB561100792452FEDEEF5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1206680
Entropy (8bit):	4.883403224196095
Encrypted:	false
SSDEEP:	12288:E61ZFViRpx5tuwZl4asd/arEISgX0IkEMhTy:E61jViRTfVINdCr6gX0hEl
MD5:	C3E399A5C28495C77505132DA8625D40
SHA1:	7F1BC44F6A53E73B222CA0FEC685D4273BD4DFC9
SHA-256:	DBA08F8269955771CC3598E1168843F954B0CBCAB7A74BEF8905F56C111F2C55
SHA-512:	72C810017137B35B956E26BB0730F1E4EFC0CFDE9BDD5266FCB993CE69635CDA50EB9B3223CCFC2C340D336BAD4F78205D60A7625E37A72A2796C0A5537DEA5C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	400336
Entropy (8bit):	6.662296849527125
Encrypted:	false
SSDEEP:	12288:81rOCPapfd5bhooUBuFiExw/LXa20Dj6EzfJ:ArfIbbhooUBu3wzXa/Dj64
MD5:	5087CFC731A5F640730910C5104B27FE
SHA1:	3B723898F092788548173BB2DD0C55A85D1D7C92
SHA-256:	CACE1F97FC187C817C1FAE597C47782279115799F495462F9BA1EBF1C97001A3
SHA-512:	A3FBBB913B2D3827B9191C394D2A0EB76FA71A8C870BAF05BB68A04FFAB76BA0F4500D13B5024FF27E39BA671CEEC9B5BA1715D04BD2961ECE04BC4FE6D8E222
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1662344
Entropy (8bit):	4.282519659984365
Encrypted:	false
SSDEEP:	3072:sr85CdK2OKsuWoZEsVK2OKsuWoZEckAQckAIDpAPfKrss1yyKrss1yAZDvYbNDz8:k9DztkAzkAZqrEdrEAZUCwFjNNYEzcL
MD5:	7A621A47B55EB778A1DC58DA026F13FA
SHA1:	179FC259659B020F4495DBDB9349A78EEA8D172B
SHA-256:	9591264BFC2E13FB5BC8277DDB0FA59F3CB6F9941BE54B340689CB2D3028BDE2
SHA-512:	0964AF4B382A17CE52F817906914D990AD4B2584CCAF7B8887BE7058C4AFE3255741344DE6FC6AD0744717106986E7723F1C9F5CBD7A13A32C552AC70AD25E56
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3531712
Entropy (8bit):	3.7844153091218713
Encrypted:	false
SSDEEP:	6144:k95gSRJQYKV++VYwjatvsDVpDsehRAKzYM:SQYZTWbDj5
MD5:	9144CA1B12B7793E8F18045B281D81C2
SHA1:	843A088B9482492885E81B8A5DB7DF5A7A99313F
SHA-256:	0C4894C91F6FC680FB1A761CF708032C6E792E806F47ABF0C0AD5B674188CB7B
SHA-512:	A609FC1D8A13D6BC46B80E975DC68930D28447852C5F53DE30A471CC989B6CB5C9CBE35A745518B482B283E32A65D6C1E5F41B02B49790E35F91DF1D8D0B3019
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83880
Entropy (8bit):	6.556805464011577
Encrypted:	false
SSDEEP:	1536:JxqjQ+P04wsmJCEKfEBr3fHT4nAzHGkYJ+ziw6+zb:sr85CEPh3IAzHGEJn
MD5:	71B80598872DD0D2851C781764A85A22
SHA1:	B6CA4DBD84F0F4E26E641FD8039285AF43AEF337
SHA-256:	8295A24E5CFAB75404E37EA3986F43B62512E269934814EC08A10B36BE6C0B85
SHA-512:	259C91998EE162BCE784798266D60BB5C97A368E62E42A6791FE2F396399D73496ABEE3699453F4C04CFC968E3421F68981A14CA767BEF2E341FE9E950F97CFE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4319112
Entropy (8bit):	3.8167825827469506
Encrypted:	false
SSDEEP:	6144:k9xUh82lTMY/C3uuQyMyquNlBXYJ7M444IB:kkyIgG47B
MD5:	A660A24C48B0673B94A8410325C43C5C
SHA1:	E601D5482D7386BA4731F659A39447D076A4DDB6
SHA-256:	4E5802F6C0D19AE853A12439906714659D4FC2D2C5D72462D905077794E3F3AC
SHA-512:	51DDAB96D9703744D4EE204A064767B2783FE2ED82082CF63149FCFCB983BCA444C9A42554F72D67BE026859C1C476FAB700849C5D0D16E204A213F36756A436
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	785448
Entropy (8bit):	3.9404929226943075
Encrypted:	false
SSDEEP:	6144:k9dWSXeSC+hBMdNRneNMToeGYeneqjpGtBlmF:iLevUEcLe9l2
MD5:	03818EEB657D70002E0746E88B0AD5E0
SHA1:	5B16DC83561232312883A5E49EA8917B1EE45718
SHA-256:	00D746A158A3868BEB2F20D8F66789675BB981242A10DA5D1679B83F3F7BAC9C
SHA-512:	CD71721A34385D604352492D7A148F6C3AC144FB6B72D225A4F2ACDD4B309B703ED0036B429AEB31FE63B731773AD6A8FE77BFD620BA9537036BDEB90BF8313C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1081280
Entropy (8bit):	3.7785410128751282
Encrypted:	false
SSDEEP:	3072:sr85C4yTUawK12P04ti0o5gmQNJDJnJG20FxPlJPJSS12Zzwww6G:k94s4wqmQN59wtSS2zwmG
MD5:	35D2A4B29F56EDDF4C5EE9AA5B79CC61
SHA1:	BC00C9FC4FAE06D0EC90A9F15915345E7025F153
SHA-256:	BC8A2062F6B156A773EBFA34125DC8673F960DD057C579D2C74181901C6AA644
SHA-512:	3CE8168A6EDCBD4A4AB4135EE7BBDF2923A62E4ADECFF19E183B2C54E5903318C5CB956AE28A76F04B63C7A3DD3E464C4AE90AF2D08F1FF5F53F525532B927DB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1722808
Entropy (8bit):	6.4873312334955235
Encrypted:	false
SSDEEP:	49152:Fuoh1EWXRkd+h9y6NsRZ9MtL4kD5G5LVuhqITJemL9SQM3:FuohO2km9PNsRZ9MtL4ktG5LV93
MD5:	F8441CD2F8B20FD75340EDDA57BDB891
SHA1:	E194B384448281D8821C7F78FA2083616B7D7339
SHA-256:	1F73799D4D76692CC95E6083B10990BACBB90BC016AF0D84A3B9DD5C7F03FAE5
SHA-512:	B1825AD19B960FAECDD8AF9675F29999363A3858A26E6FE610E03FBB4E84D62FC68BBBFCCAF7CE51C161B1DA011298CC4EEC43E57F35D24701AD249CC6678F81
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	307784
Entropy (8bit):	6.544986970069708
Encrypted:	false
SSDEEP:	6144:k9Q+OpwoajoJ/cLr6eNI0A2kg79zge/ceeE1+v:zDWhS5g72veeU+v
MD5:	279AEE74740799844410CC17E9D7DD88
SHA1:	B2CD4BDD168C44DD877F12020E236681423F667F
SHA-256:	7FD117BC2E9167ACEB2A2E767F868C300645AE6A81F497B307FB8A5D3CF82DDF
SHA-512:	0447B166C1F28B9EFB7820349CE7277749B7155E98D7195DBB9509DD0FD0C1793E7A1C9B28C18F8618C1C23F9D7AF46704A313BE9FE4AF01886F9576BBF40EA8
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	97920
Entropy (8bit):	6.445251735006175
Encrypted:	false
SSDEEP:	1536:JxqjQ+P04wsmJCWzKAtCz72I/Q/RPTO5piDDFwzS:sr85CWuFvgy5piDD6zS
MD5:	BC9B4C47C903C054F90FFAF5AE807D5A
SHA1:	5E293D1A9AD5148B5DF0E4B3294C001A01AD81A4
SHA-256:	A26CA014A17928D1EDF1C1560B4B3E53F856C2AEF88C293EE78F6CDAB15FEF91
SHA-512:	7AA4B8756668DBCE4C5232EF7334DD7867E9F5107941E0F65BAE3FBCBC510275E69983372F03BF8A939DC4B4008F41470736D720E25969C5D913A5EDA9D40496
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1994448
Entropy (8bit):	6.549997020090568
Encrypted:	false
SSDEEP:	49152:3l8U9+tiqfG7C+5I6ZOX0Bh4MdDHc/EBRXXZUABfmcQ:3l8+++7hOXODHc/EdQ
MD5:	4BE8C1392D391FEAA6FB26CFA69BDFC9
SHA1:	FA3209AD786AB39EF8A4EF173E9C7291A9BCEB18
SHA-256:	2F182A705D4FED647B1BEC5729151DDC040EC3778825C212158B070F7BF06975
SHA-512:	1D77C2398EDA378C14EF19511C0A490BDCE2437DDF2E28BC9A85E1ED04991DD5FAA178C6C9E6019165C74DF4E8BCCEBDA6973D40067C019911B019AA3BC26677
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	275872
Entropy (8bit):	4.23571320386301
Encrypted:	false
SSDEEP:	1536:JxqjQ+P04wsmJCt6gJJRaCAd1uhNRu7z3zHt4s+zbCtbCc0xXNmi9RHYOqEWpVO/:sr85Ct6gxe7z3OzY+9jTYbE+la
MD5:	CB1984EACAD27ABC9F009A4AD963A49A
SHA1:	5C6C4EC164A7C41332B605C6D9817030A473BB48
SHA-256:	DC15534405AA721E4B8F70A910B991ABB4F4F9A5A823A985110D56BAC974B881
SHA-512:	9806C1F7B4436442159BFD3D1D74308850072A343C059C3749BD5FA4DDFEAC9DAB3ED61E5A35A5E1CC717C3CDF2735B93FA1C99D5A27E1ACD276326D17E5ED06
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	751520
Entropy (8bit):	6.5238755488474665
Encrypted:	false
SSDEEP:	12288:PccV8BFJ0kz4uP9V6wY2M48aVNfffNfYRweSat8UVNfffNfRtAUUn4lDW7f5sBzl:POFJbl/6r2M48aVNfffNfWVNfffNfDw+
MD5:	B3C7E94C586500725E1F446C6A930D91
SHA1:	54719B158873B1E2402767498F31256321D856BD
SHA-256:	1A5CEC0A13524316A7D6646039EBA275C22F22CA164F30B4F50316220F299441
SHA-512:	089FE8377087A4EF69D89B75BE8E3442D5C20930C27E7E7FD24E455C96397FE8B7186E3DFF7F1B1FE71853A0C367EB392B6B59B1DCD726C1BEC7937D2BFE4E07
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	182712
Entropy (8bit):	6.326834639732507
Encrypted:	false
SSDEEP:	3072:sr85CRDbGpEPwVH+lMCNy0GEVVS1ikLrDdevXqHai8MBEL4:k9RXSSwVgvfkhvzHcWEM
MD5:	9103C2F76BDB6251CE480EE775266524
SHA1:	0F0C95B1A253D32BB23A99A72F5A77D91387A6B1
SHA-256:	D51F101246783235E88373EF28189EE54C97F41E46341BE0AF0D4DC455016E3A
SHA-512:	8F9598DF6E31EC58FDEEDF42E9A60C42ECC3A278E546614AA36177995DB61F3E2A3887564A2707AB4669082AE3CB2FAB5765D251F7970572C232BB1650216FCA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5174360
Entropy (8bit):	7.263311718032684
Encrypted:	false
SSDEEP:	49152:b/xFnOvtaWIDn0apLKkLJU9nU2foKhA4vSWidGHp+NDGQUzbpDOfjxAkrQKl+RPp:NtLK3BDhtvS0Hpe4zbpaAKQkroGIz
MD5:	1A968E122913ED79596A9EAA5E7BE7B3
SHA1:	96978DB6766A4827206397BA4E8D75A3E3353E7D
SHA-256:	C43AD12F1E78AE1817854FB54903030A89A2023E76D3A2CD6C6275B3AB1C21B0
SHA-512:	56217DD430159D591109231B2F657484BA7B5BC7DF832668A82A4DB8D6A925183633CA9E68C46E85EF759B617343A13D1CED3D8D91A082A87FFCDBB6E795F54F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	139712
Entropy (8bit):	6.527583416477957
Encrypted:	false
SSDEEP:	3072:sr85C4U5adWAKmzUccnzkVBgEuKjj0WWtPPoI:k9/+EjzCg+j6P3
MD5:	EE3F4F49708A511BA220F4C073C8E933
SHA1:	727CE23C7427FD900FDBBF06715F9764F4F24848
SHA-256:	9A7F835403920D85B948447C007988E1C1271D86F87293AA1D1C9DCE4EAD3DDA
SHA-512:	8BE2A84BA4F7845369ED052DC4E71CEED8E3B9C075D66BBF7FD1E1A5935CB50EA08F63AEC2B2EA8CA35DEB001F71EF2AF71C2E185D37A75FDEEB2050C79D7F74
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	380368
Entropy (8bit):	6.677799145653771
Encrypted:	false
SSDEEP:	6144:k9XzgSb/029S2P/7nzGxFrRN0r0ivCZci1FXiO8DaS4wwE0CBlFJmcx:bw/2q/roN7ivCZci1FC74wdBlFYU
MD5:	3B22BCCC611D93FD2228E3098C8909A2
SHA1:	46C93B6587FDD25B710E6C0D0ABC426132DEBAA0
SHA-256:	FC06A5FADD20D729E99EBF82D696F982352147C7A96C7D55D5FF1F7CF1DA9575
SHA-512:	D98A167BC857DF9B7DD4FF2150AF495DAE0290A033C868E3AE00BB01CA7C68EC5D37C75D18BF88B87564CF9E38252360F0914E90AFB64A34929A579C691CB9DE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1269696
Entropy (8bit):	3.750731544998065
Encrypted:	false
SSDEEP:	6144:k9Rvk8/0NhFYAddenZhUhTNnLUrh+9nTGLljX4wuSzVF:y4wXF
MD5:	9344D6088F4232059CC71D89680C627A
SHA1:	B6D50543A01F017F333CB69897FFD6B39DD0430E
SHA-256:	4C9373C646419B656C368FACB9BF903A3BE6C167B7B20DC6BB0D710AEC498FBA
SHA-512:	5B4229DFA9B17BB50F8A3AC1BDFF09395A5B1C0A25CD7B1953297CEEDE312C6DA34295DE61A62DEE6BEDAC1D130F745DC6704E77C8366D954ED72A0914B27CA4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	266648
Entropy (8bit):	4.190895884532524
Encrypted:	false
SSDEEP:	1536:JxqjQ+P04wsmJCgRaCAd1uhNRuiazvhzpwtWhz7I3EWwwrwYx6RPWdn6ysl4DU1:sr85CiezzvhF1h3wEWwwbx6ksl4D
MD5:	CB076D561CC084FC380019159755CBFE
SHA1:	911BB4A2E39DDE9197ECC4678367212B1AA253FF
SHA-256:	F9042977D236AF4627461B5F538823FDAD2ADDEF84EF202E0B75ED409D48E3C2
SHA-512:	68736CFD5E6488DFB24D65173726EB819DA40AEC1FF7EC6CF4F39A15CFD3AEEAC1672364AE50BE5A417A10A6C50E4546F1947BF323C3FB184802F903455434D6
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	715760
Entropy (8bit):	6.523751448498997
Encrypted:	false
SSDEEP:	12288:Y4tuuLntIMDXw5vde5EFf1Pmbd3lSz3dfp1Swf5M0blmFKuJOJZM30j3:3tFDKMg4iX3djfy0blmFlme303
MD5:	0E537E151DF5C171C213A1F44DC5F0BE
SHA1:	E8EE7F0D91D69DE3FFDB1E91E1DDB404813B39C1
SHA-256:	CF49D45B6A84D77F5E9A722FE7182CEF9325A355D885BEEB4D1DF3D88C1CE212
SHA-512:	4968DF9F4DEA49214638C86D73A03EBF4BB93E3242022B933B20E47B22AE65F77F57667B701A32A2779D63667CFE718ECB67B55E317402B140210757439FA4A3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	619944
Entropy (8bit):	6.639567335107148
Encrypted:	false
SSDEEP:	12288:ZM/Of/Bboj+clWnIKgrP6TFPLNWuX4Pemn3oi8ky9Q8WSe/aSqizuO1qukdQAPnQ:i8JgryFPLNWuX40RulAPn1OcnGVNfffl
MD5:	7B39C44B384E1A5940D5A5E30C8D3E91
SHA1:	26B7AA2EFF58E1D4124AC8C70766A15470FF8BE0
SHA-256:	EE9FA9DF2D9125438C869924D9ADF3FB141F0D4C4F05C84D1833669E15FAED31
SHA-512:	2E8D640CE261BCFDA809A0E896662C3AA5F5792AED0938C75D0EC4B5CB20BCF6895876E44228AD7B448D908EA4544EEA88F7F4B8D379B43B8BE53F849A948054
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	150416
Entropy (8bit):	6.5018296889200915
Encrypted:	false
SSDEEP:	3072:sr85CCQPtLW7twRxI5mc5TNN3AsdVgNwihwT3RqEM6ZOfHXb42:k9CQMzhdV0nh4Hof7
MD5:	3FE6C68EDBC948A6D2775DD2EA56088C
SHA1:	2C03FCE97D064B53F98EE100E5627418514BBBF7
SHA-256:	5681B2A8F44A21E3E1D63B8A99100A453F90EE1E3773240923164922F481B633
SHA-512:	2BFAECFF86EEA49F3B79215CAAFE401FCB65D74B4A0757AA79E439A7AD90C52E1E43285B438368676D5A08E20B37C349AFFD362F7CDFE7205CFF63E445345819
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	264576
Entropy (8bit):	6.643046809005812
Encrypted:	false
SSDEEP:	6144:k9y872jsLuLnPo2TTHswP2TGz3FUCHySYI:b+2jsLuT3MfTGW5I
MD5:	F85301DABBF0103EF7202407D2DA6489
SHA1:	6BE78DB8650184DF98A1B968177E75BB782063BF
SHA-256:	8098FAFAF941BD5678FB8B72F560E1AE06EE593C2432163A56FBC60D8FA43495
SHA-512:	E5656464BC5030232CA6E0EC58BFB5F2116C6E464CEB1CABDAC941826876ABF3F108B18FF5785779C7B75D153E01857CF37B49D88E2180CE515B02E344583863
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	108448
Entropy (8bit):	6.051786357762204
Encrypted:	false
SSDEEP:	1536:JxqjQ+P04wsmJCMweqz1lezmtJwzojsKyyJFGgHZ//rHzb:sr85CwqzXe0wSyyJFD//Hb
MD5:	C4E2228168447160D7F54331ACE1BAAA
SHA1:	7878BAE3585B8F37E389DEF0A2830D0C72121CF3
SHA-256:	99173D535320C612AE308D5AD58FDA6F6B8EE5AD261F1E038421D2FC53767AA2
SHA-512:	ACB3DCA4F6AA6DCA468BA4A42BFA3003F7A4BB0AB18A2C2F99A493C5765FAB5067FB3865C0C02AD6960439AEE89FB2C166BCC90B6A77FC9CE21DC8C1F4B0037A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	662600
Entropy (8bit):	6.001086966772804
Encrypted:	false
SSDEEP:	12288:Vpo/FEVciSJJtH4PoR6moWEBfQLxZPhEx7xgtV2hv4tkYUK2tlIqR7lmNK/IKrtK:QFEWi4JtH4PoRfoFIxZPk0NKbB0R
MD5:	A21FA1DB62F89FAA23E737BD8B609F8C
SHA1:	62E374C2F71DCD922D6058D735C944A66076FBAD
SHA-256:	AC414AF78ED3914B1E6EB7E4598F400CA7631BC3AA4C8088B0DF5617AD04967D
SHA-512:	7485D968298DC04AF7A2297DF77C83EE5A25BEB0AC14932445063EF075FB2CA565AA67E5CE0E4376BFEA7DD31B1B53E66A061E8B8C535887BCA998086132DF94
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	260560
Entropy (8bit):	5.4470915703839395
Encrypted:	false
SSDEEP:	3072:sr85CH4ZAh7ULoQdHBjw8Q2pFj4+W1ISYpksZmRohnonRBfTjzJEthEWV:k9HPfQdhMuj4VM8imPjGthEWV
MD5:	034F80923F37E7A9899DEA48FBADE531
SHA1:	40E144C96F7DBB162F02833B01A7F416D65D4403
SHA-256:	521D052B5B7EBEA5EFF613B52FF7ED2659B4D2A521D6A19A6A146C3CE35118B3
SHA-512:	2275624F5C92C4B4C606D5CEEBF69F072CC1B7ABA2DAFE8AA7FB672F3B81A8BEDD339EDFFB41192C51CB0F48CB9EE76E090D7A43DE9ADA19D0B8BF2D099C7059
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4316200
Entropy (8bit):	3.920672560845374
Encrypted:	false
SSDEEP:	98304:/YN3nsBQ5ghvEyqf/whWovz9hRJ5RbisrbdsPO9jXsw:QN3nsBcghvEyqf/whxz9hRJ5Rbisrbdr
MD5:	47939C01C26C95ADA390474944E9F9A6
SHA1:	9CFD7A3DEF7081BB3C54584E2515C30C7C04AD76
SHA-256:	9B0869B5057FF84777E81C2D0E0A1E97AB5ABDDD7D80C8D4C94B1C83A53485FC
SHA-512:	0F342D003CAC4046AD71858225DACF6A42AADBB4F28F0F022C1F6C5D37D37355341B9F6DF8941AC310324CF853AA141195BFFFC4A1C9935558FDBE387BC25E26
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	124056
Entropy (8bit):	5.727061682781764
Encrypted:	false
SSDEEP:	1536:JxqjQ+P04wsmJCMwu7mzj9zNtP9zNps8Q:sr85CMLmzj9P95psb
MD5:	9A2455DBF03A4E060F7BCCA43DD3D64E
SHA1:	D4FEB7DEF1FEB03CB7E86EB57D43BD69E8596EAE
SHA-256:	0102394DCA78E8B630B3C9613E0C9C620944218FDA84E1E129415E6F972495C3
SHA-512:	DEE619AC553F0DE06058BD118164D4A8E4B93A7F20D4B098E5D5AF9338CBD12F5CE94F054B92FDF435BE87596FD154904968FA96970887993418A3B41EAEAFD5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	358336
Entropy (8bit):	4.514937306069578
Encrypted:	false
SSDEEP:	6144:k9eyUkKOEEIK128d2VKjw0EYsfZJnPmTuJjac2a51lHpLszc/kzY56Y:5x/B/kib
MD5:	C3A4840C5D7823C978C55DA5DA54DF16
SHA1:	BF3045BA5D19667D7B3CF1E9CDF52C7CD7CF1101
SHA-256:	9EC2D985D3ABDCD53FEAFD25DCA72990C37718FBAA59BC4879B941561870B369
SHA-512:	4E76AFB30D33518576E53057C04B8321BF3F209EAB57389C548D3C67DDF968831DAFC74264DD573D9331D74CBB31FE2B09F6149E7786A4CEFC6ABFFAB42F7084
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	763032
Entropy (8bit):	4.116647791553155
Encrypted:	false
SSDEEP:	3072:sr85CSwRnjnzhCiXXXXXX1AzZwAazTwdOLxN1IHO:k9SwRnj7XXXXXXSzuz8OZ
MD5:	5F6E2215C14D1B014007317077502103
SHA1:	B60E82B3994D4612280E92F8A904EFE995209D61
SHA-256:	0F15CBFD62C0BEE02B273A9205A780C7440B70E99391E8155D05930DAAE487E5
SHA-512:	5E77C8AD2B79A4C5F153B90316CB22D1C09E5E5B5F7DD888EF931B1C2CAAE396B1D09A3874A173ABACF19705979C54FFEB77411E580F91258CF1D9A5B3F8D6AF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	895120
Entropy (8bit):	2.966305885964938
Encrypted:	false
SSDEEP:	3072:sr85C+fCEq7tOxIfMFzCEpAm/4rx7z1arf+9:k97z8w
MD5:	379B19683AE0BA12E72D1E6CA8CB1612
SHA1:	4B48C8899121137D5637838E9610608245975078
SHA-256:	3C6082AC7C3AB5EF4F0A7DF17497760B96C77BDDCC8A753881006E74C39044E6
SHA-512:	CC8F80347BA3E0BF5EB5E4B90E28FFE23FF1F5B18FA1E0AE9DAEB27CBAC51E52053C9173332C2688FFCAAF2CC84EBBBAD31386F6F6BF7DFE2668EFB7D1F2E9E8
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1082008
Entropy (8bit):	3.7745537489281356
Encrypted:	false
SSDEEP:	3072:sr85Cko4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:k9V243xmQm59UtUSfz3
MD5:	3257CDD51A6A354CEE4BA01A54D63EAE
SHA1:	5C1A13555616FC7AD988E3A5A847D9173FB70513
SHA-256:	80701AF68D14CA8ADBEA6729B8B714B916A9A7654B76748D6E43466C7665249F
SHA-512:	CFBF67F80E74DE05D945B8BCA0894047D96F23C4F9BB31EBD0AD77BF7CE2F20036C8A2F8CC3281680BD0FB71EF24ECA4FA5E795CC930234B59D4598E15BBC3B9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	105440
Entropy (8bit):	6.087841458302814
Encrypted:	false
SSDEEP:	768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJrrZ1jL9zxwKeL9zgt5tjTh7D9:JxqjQ+P04wsmJCIjhzxwKehzgt5t1D
MD5:	22753C1C6A88FFB01068FF391B0C3926
SHA1:	FBC83E06E31A9EE5A827D90481BEFC36EBF085F7
SHA-256:	E727CB8EF6D54A511C18E4FC92AA94841AAFDC284942398D35D1B091CB97D8B1
SHA-512:	CAB6DB0DD9EA2260979130415158FFAA22B6DA8E281138D2CB1F569F09384A3E5A5C3935B8B8DC76935F82D9CEA7172904A35ED23678CDD670152E065F20D64D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	537536
Entropy (8bit):	4.968722692341351
Encrypted:	false
SSDEEP:	3072:sr85C9PMMRMMMmMMMvMMMwMMMNMMMWMMM3MMsewVOOMzMMvMMOMMMJMM2MMQM6ku:k9EwVR6V7byjUWAZyVVdz8eEdGo
MD5:	A72A576B968347739046BEEF59A3B97A
SHA1:	545247805365655FF64D1A70F672A43D2B4E682E
SHA-256:	A1313CE60D736ADFE281422421401E327979DDD34945A4194C66E9235DAA884C
SHA-512:	9850A6A6B5310C2437964C199FBDD860CA202A7C78766A0F710B29FEED4541CF09307B9AEB74BD7455CDD7A1D7B990C78285B7A79C699B9BF65FC4426649927E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1271952
Entropy (8bit):	4.084096712356835
Encrypted:	false
SSDEEP:	3072:sr85C93ppPpNpDpspp/pCp0pmppdpspppRppMpLp0ppppbpQp2pphpSpXpQppapG:k9eKQSNdhnSzv
MD5:	892E75C95404B2DD9A4753F53B530F5E
SHA1:	6B9A7C5827A767520B61E3192BC3951466CACB35
SHA-256:	8EE17679C7E631E0A80CE70778CB3A7BBD044E5C57BDC65526973B421EED3AFA
SHA-512:	E7509867E5D3AE99368882A008921086A38F8B890058DCE61EF4C95CE20B7F9B5B1E88F4F038BC792F70888349B27E978F559DE287D7E89C979777086FA1D286
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4099760
Entropy (8bit):	3.7180860871313963
Encrypted:	false
SSDEEP:	12288:uBKs7fvZIFpCYVIVN2mGsb8HtVLaHw3j4cLbUBRjLFP29DyZbT9gb/m06aCzE6h9:uBKszX0FjOeblHiled/k
MD5:	C192144B8943B415548AF24878815096
SHA1:	4DADFF2BCB636AE059DFD73067DC938EEF5CC725
SHA-256:	45AF4FF535E765EB6973B13C76A80D6A9F4FA4D0B3660FB5D5831718DAC21C38
SHA-512:	C50A756D3288E1F779E118892C21C3908503D6D10FB8DDFAAB4F34C5D13A71DCE97933B6977B3AB83E344B0741305532BBBB5C9AF1B6B7F6CB1E1526F51330FA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1273488
Entropy (8bit):	4.319301892791611
Encrypted:	false
SSDEEP:	1536:JxqjQ+P04wsmJC4qYvbZthqyEATS583ONoTqzaezuC8zFtxzzqO9uF:sr85Cf6bZt+ATS583ONo4aezJ8ZfqiA
MD5:	025B19077CDB23D9DC885FEBF629CDC5
SHA1:	B7930EDF5AF2089834CFA6DC190AF5EDAE20831D
SHA-256:	78CFA64C50350F824AA2C627FB54D8F06E444810669198074A06CC5AE743D62F
SHA-512:	C1134FFEE3CE07CB19BD9AFED8986C98588A27EFDB6E8BE72B1571FFF7B18F4014BACE244074FE2846921EDBEAB308058FE93DFE7E17CCB46C225035E4513F68
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	124056
Entropy (8bit):	5.727061682781764
Encrypted:	false
SSDEEP:	1536:JxqjQ+P04wsmJCMwu7mzj9zNtP9zNps8Q:sr85CMLmzj9P95psb
MD5:	9A2455DBF03A4E060F7BCCA43DD3D64E
SHA1:	D4FEB7DEF1FEB03CB7E86EB57D43BD69E8596EAE
SHA-256:	0102394DCA78E8B630B3C9613E0C9C620944218FDA84E1E129415E6F972495C3
SHA-512:	DEE619AC553F0DE06058BD118164D4A8E4B93A7F20D4B098E5D5AF9338CBD12F5CE94F054B92FDF435BE87596FD154904968FA96970887993418A3B41EAEAFD5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2970664
Entropy (8bit):	3.8530507327775085
Encrypted:	false
SSDEEP:	3072:sr85C4Nd0qVmvzC1SvXKo3NzbsZ6DdIAZcbEcofUnpfRII8Lp9qgN3WJp0Rf5NGu:k9I/V/CfDhNG5sMXjjzmEPoL
MD5:	AB3E9B8C0565CB076490949DF074D582
SHA1:	F5BEC2D8CCF13A10D82C27B9A14289A009DDDDEB
SHA-256:	1C4DA1D108B71EE639AB846128E5F08D6E5EFA4D5BE02C2862597BD4BDD96DE7
SHA-512:	532493C141AC8E3B5FFD99E0F13AE8A26E4838AFE7B282A02C62B1BD2B7083DD04EE1E39B8A2BFC559DBB7B8CFB6D64D146BB20593A0FAC64E41DB5D81EE7287
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3531712
Entropy (8bit):	3.78009314420001
Encrypted:	false
SSDEEP:	6144:k9msSR7PYKzz38YwZItvsDu7DbDhRAUzHW:ZPYmLWSDBy
MD5:	3AF0E40A55AEE11DC01E0F1943041494
SHA1:	ED8F0489550B78892E6FDF80784CF5D672AB3F2A
SHA-256:	8A8212E9F7615A590E3BD2AF07E650FEA60CAC875388F57F7AD1CBADD65A11E9
SHA-512:	54741EB3ACEADE514E1E305A9D4937C59266DFC20F108F9A87C56EF283519A8CC6DAAE1953706A20860F390520C48C0BB5A4482C751E335B45A0E5858967D765
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4319272
Entropy (8bit):	3.8126753798312922
Encrypted:	false
SSDEEP:	6144:k9GmRfvlTZY/C3ul0ywb/uXMo+YJ7M41zXLWIB:z+6M+595B
MD5:	A914483FA2C2F86E415633657D33D59D
SHA1:	E687C9ADB19340050BB434F1A309290C72D0DBD1
SHA-256:	42B15769C1B7B74FFD9022A9E377783EE59F1F75688E1345D1A09DBADBD3102C
SHA-512:	1784002A4E99F5DC77C4DEE11FB25E413A2840F4FBA5C001F40BADE7A8DBD172B363BF6EBF66883FA2A3FC0B03E3ACDD5FC485EF7DD3DA4493CDF93D8C2EA4DE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1082008
Entropy (8bit):	3.7745537489281356
Encrypted:	false
SSDEEP:	3072:sr85Cko4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:k9V243xmQm59UtUSfz3
MD5:	3257CDD51A6A354CEE4BA01A54D63EAE
SHA1:	5C1A13555616FC7AD988E3A5A847D9173FB70513
SHA-256:	80701AF68D14CA8ADBEA6729B8B714B916A9A7654B76748D6E43466C7665249F
SHA-512:	CFBF67F80E74DE05D945B8BCA0894047D96F23C4F9BB31EBD0AD77BF7CE2F20036C8A2F8CC3281680BD0FB71EF24ECA4FA5E795CC930234B59D4598E15BBC3B9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1082008
Entropy (8bit):	3.7745537489281356
Encrypted:	false
SSDEEP:	3072:sr85Cko4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:k9V243xmQm59UtUSfz3
MD5:	3257CDD51A6A354CEE4BA01A54D63EAE
SHA1:	5C1A13555616FC7AD988E3A5A847D9173FB70513
SHA-256:	80701AF68D14CA8ADBEA6729B8B714B916A9A7654B76748D6E43466C7665249F
SHA-512:	CFBF67F80E74DE05D945B8BCA0894047D96F23C4F9BB31EBD0AD77BF7CE2F20036C8A2F8CC3281680BD0FB71EF24ECA4FA5E795CC930234B59D4598E15BBC3B9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1082008
Entropy (8bit):	3.7745537489281356
Encrypted:	false
SSDEEP:	3072:sr85Cko4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:k9V243xmQm59UtUSfz3
MD5:	3257CDD51A6A354CEE4BA01A54D63EAE
SHA1:	5C1A13555616FC7AD988E3A5A847D9173FB70513
SHA-256:	80701AF68D14CA8ADBEA6729B8B714B916A9A7654B76748D6E43466C7665249F
SHA-512:	CFBF67F80E74DE05D945B8BCA0894047D96F23C4F9BB31EBD0AD77BF7CE2F20036C8A2F8CC3281680BD0FB71EF24ECA4FA5E795CC930234B59D4598E15BBC3B9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1082008
Entropy (8bit):	3.7745537489281356
Encrypted:	false
SSDEEP:	3072:sr85Cko4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:k9V243xmQm59UtUSfz3
MD5:	3257CDD51A6A354CEE4BA01A54D63EAE
SHA1:	5C1A13555616FC7AD988E3A5A847D9173FB70513
SHA-256:	80701AF68D14CA8ADBEA6729B8B714B916A9A7654B76748D6E43466C7665249F
SHA-512:	CFBF67F80E74DE05D945B8BCA0894047D96F23C4F9BB31EBD0AD77BF7CE2F20036C8A2F8CC3281680BD0FB71EF24ECA4FA5E795CC930234B59D4598E15BBC3B9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	582184
Entropy (8bit):	6.400758373600043
Encrypted:	false
SSDEEP:	6144:k9KLWET8DS698nGX2OduCwUJWh/JmmS3DAjqnkrzFoEh+vMKC239YUFgBdQ/:DLxT8DhyiLduCe/lSpn6zOvYUFg4/
MD5:	C0386A35F92FB82637471B03FCA1F0CA
SHA1:	08E07F04682C582336D3531610A20DCD38CD43B9
SHA-256:	77AD987963ACDD9D867BDD33F3778088B9AC461334BC4A1E49A4982D325E702F
SHA-512:	E6449FB51F16A1674365D4CE644DC0148199524E9D9DACDE0FB17B26C0C4652C924BB6CAF284AF125958632B9BCB111069EB6FC9EE1A26D83B15F67EE8DA365B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3837992
Entropy (8bit):	6.4449937551945595
Encrypted:	false
SSDEEP:	49152:tB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8l8EK:5HzorVmr2FkRpdJYolA
MD5:	D7932DE11B8AD54A41413381EAC41AC2
SHA1:	8B383BA02414803CFD515A8384434AD5CBB70231
SHA-256:	DC1F4FD1F3F718C6965F038472EDD640437CBE0BD2B77E21945073AF404CB90B
SHA-512:	48C561E17BD75181D3ADEDB41F1172BB95163E3DC5792DA212C218F80878D45D3C49BEEFE44E76BCECA77EC644A83A16C59316CC2178A976D91347D389B3741D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	161832
Entropy (8bit):	6.154443017106145
Encrypted:	false
SSDEEP:	3072:sr85CX2VSd2ga8KActASiZAkXS1xU5M3XgcoT0cs4qIm6Y6:k9mVSktVjv3Xg5T0FIY6
MD5:	6A0721A64003242C799CF2DD85B0713D
SHA1:	AC7451D1A042B9980D506B43237C5C8A3D218989
SHA-256:	88EB264B7A72C62D8FC399469E7E573BEE906C8939513F3A869656E5B667BBBD
SHA-512:	B3F3E9DB4126A6479E6CB455FE8BCE1F8BB108270C2BA9C422E17932E901A65CDFED66DAF2A11C082BC924EC9EA51484418F4F09990848B91912BD3E1EB63AD7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1827880
Entropy (8bit):	6.540770888228441
Encrypted:	false
SSDEEP:	24576:bhDdVrQwm5ztlU0A7fMAHmpmZ3QXE/0/lVaLpmasGvP0:bhDdVrQ95RW0Y9HyWQXE/09Val0GE
MD5:	624A5B15DE2385F6CA42DDCE0E24D109
SHA1:	13FE13198A9BFA24774EEA44759471B31EA439E7
SHA-256:	A7DF6A45B54B30014DB94309F3BBA50A1EA8EFB8EAD01682BAA6826E533418C5
SHA-512:	CE244B2DAF739BFDC491C28129CA6504966CAEFEA0BBE16871522089A825133F2C1609D51266058A62D767F3624C514421F09D50DAC5A11CE26B5C8B804A641A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297448
Entropy (8bit):	6.514786717345656
Encrypted:	false
SSDEEP:	12288:bdoA0Eh2XptoQZRuefMYR6RrAJU9CsxmMocSipEylqFfouDMA+nkSddSDBDIq:b70E0ZCQZMip6Rrt9RoctGfmdd0
MD5:	C9FE3D4AA1438A059AAE69A5D8FA4269
SHA1:	288D3F38B4A6797E15187C00A24D0AAD1B5BAF60
SHA-256:	913E86233F11A6A269DA1A324D43C9FF737A9AE0DE1D9DE59D0AD961137B9F2A
SHA-512:	0775ECDC44DB15BD92B103F75410BCB4079D7165C6FACB7CD0DBA091DB94E4A6648A85563FE24E33D862E16CBA73993461533D4CE196078FAF6AA9030D39C288
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4251688
Entropy (8bit):	6.5065813007912885
Encrypted:	false
SSDEEP:	49152:vpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BT:EehFLvTQDpB5oSOmlBl
MD5:	23A855DD7FA34F616F73B392E464E216
SHA1:	EFD849CB22D1D33B16D6FECD54C318B0A6E222EA
SHA-256:	E198D71BC75B0E61DD2F61080062B4E41ACDFC7F7FF148CB11839DE3E0523A27
SHA-512:	8B4AF629B2022F10FF2D3FD4D4C73F9B23CE085B08B70FB29044D03F0FBC498BADF4D62854378FB0A0E6A2DBE2848D0B83550C3F6C3C08CF05C50C81B04B6A5C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1319976
Entropy (8bit):	6.504627467158373
Encrypted:	false
SSDEEP:	12288:gyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:giD2VmA1YXQHwlklb8boUuWPg2gX
MD5:	ADDCC10DC80D3B994800C6B44EC0B5E6
SHA1:	C52E9B1C03747A2B4F350E6CC288851DE64AC113
SHA-256:	03B114F2F97AD84613CAA8E5F964D4C8BDA56DAC8EA9C680A1DFBC43449EA14F
SHA-512:	74E250EA454D878ABF1F9CA3E7AEC66600A5FC785555FDF708E22103D51E939072A0B28FA7AAFD847D370DC03781F723B216117361389A3F87F3F93874D26AA1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2327080
Entropy (8bit):	6.531478857250512
Encrypted:	false
SSDEEP:	24576:+fD3zcv9ZhsSGSQoryOzozU63IqRNhB0kDKPHkkkkkkkBoIeAz:+fD3zO9ZhBGlopzM3HRNr00z
MD5:	DB94AD04A7559F74A92620CB04373946
SHA1:	826B3FCF77456D83544CC451561FC9DE5978DAEF
SHA-256:	8FC9FD66947D8CB6D1BA902B3174924A872176273E4B9545CC05F2486A0AED73
SHA-512:	E5705F611A87C57C2172055A947CE5BBA675605319525FC2678D317625826A9893D1149911640796BAF0305A94FC76BDB79C8F31D7782CF113A8904B3AD41100
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3790800
Entropy (8bit):	6.537921104997593
Encrypted:	false
SSDEEP:	49152:OTaRe7mkn5KLvD5qGVC008Jpb4tgLUgGEsLABD5wTQh07yrLMLl9YPhe:hI72LvkrCpbxJRoIMx
MD5:	5750A055DF2980C145707A60B2CDE7EF
SHA1:	26774B8B7BA30DB32A6AF0A6C7FCCCE981823474
SHA-256:	A954923EC03888AD38B22F135037F62F520988C5A5A87676882A2B972CEB54EA
SHA-512:	229FD22736C66BA9D5836F2D2A747D4B761184BA134C818D91B443E255CDDA32CAFA4419CD19AD49915CE20206D865F4B7F9E0B388C20298857B5BCA5CC4217B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1535528
Entropy (8bit):	6.517840298614509
Encrypted:	false
SSDEEP:	12288:q406WoyJHeFOqDRA7uKk+TjnkgiMnQq+UI7MBImQWkv7yfOYIXbwohMA+nkXZnHC:rW9Jml9mmijZiMnF+ZxmQWcbLw8Vi
MD5:	366FA8E2786C71AA81D106EF9FA15233
SHA1:	B626BA440B5EB37132849B697AF040A7E462E0B9
SHA-256:	1B87E233A5CAEA65CD8D8EBC91AB48A42F18FC9991041599C202EA85995EF24E
SHA-512:	D596450A8A03F6894982DAC3861C4E34339521F70DEB5073343F19565DA47A168025DFA3C1B7178677C9116A22F6A499D1277F28D1E6B829743D949D9592A848
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1273384
Entropy (8bit):	6.516053672496002
Encrypted:	false
SSDEEP:	12288:C5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:CwNHwoYhua6MtERO4qbBJTY6mY1uIgp
MD5:	64A7111DE17E26E2B89E10AE82FED662
SHA1:	911E048F0336C9BBA3DA35E48BEDBBF04B4035A9
SHA-256:	3C470FD7B87FCEC230016076A57F77324766326295D90138E4A780EFF0DD36B9
SHA-512:	65A8D9276DD61A9666323D4A73950D854422B43BFD4D43F83AEB1895DD3338869216A53930B10B753347B6C8DD6338FCEEB3336E41730DCE74CCC01FA7616C5B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4251688
Entropy (8bit):	6.5065813007912885
Encrypted:	false
SSDEEP:	49152:vpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BT:EehFLvTQDpB5oSOmlBl
MD5:	23A855DD7FA34F616F73B392E464E216
SHA1:	EFD849CB22D1D33B16D6FECD54C318B0A6E222EA
SHA-256:	E198D71BC75B0E61DD2F61080062B4E41ACDFC7F7FF148CB11839DE3E0523A27
SHA-512:	8B4AF629B2022F10FF2D3FD4D4C73F9B23CE085B08B70FB29044D03F0FBC498BADF4D62854378FB0A0E6A2DBE2848D0B83550C3F6C3C08CF05C50C81B04B6A5C
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1319976
Entropy (8bit):	6.504627467158373
Encrypted:	false
SSDEEP:	12288:gyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:giD2VmA1YXQHwlklb8boUuWPg2gX
MD5:	ADDCC10DC80D3B994800C6B44EC0B5E6
SHA1:	C52E9B1C03747A2B4F350E6CC288851DE64AC113
SHA-256:	03B114F2F97AD84613CAA8E5F964D4C8BDA56DAC8EA9C680A1DFBC43449EA14F
SHA-512:	74E250EA454D878ABF1F9CA3E7AEC66600A5FC785555FDF708E22103D51E939072A0B28FA7AAFD847D370DC03781F723B216117361389A3F87F3F93874D26AA1
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1273384
Entropy (8bit):	6.516053672496002
Encrypted:	false
SSDEEP:	12288:C5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:CwNHwoYhua6MtERO4qbBJTY6mY1uIgp
MD5:	64A7111DE17E26E2B89E10AE82FED662
SHA1:	911E048F0336C9BBA3DA35E48BEDBBF04B4035A9
SHA-256:	3C470FD7B87FCEC230016076A57F77324766326295D90138E4A780EFF0DD36B9
SHA-512:	65A8D9276DD61A9666323D4A73950D854422B43BFD4D43F83AEB1895DD3338869216A53930B10B753347B6C8DD6338FCEEB3336E41730DCE74CCC01FA7616C5B
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	225232
Entropy (8bit):	5.921842033117269
Encrypted:	false
SSDEEP:	3072:sr85CPcxiNNpCPPQPg2cluc/Xswbz8cz3quKoNX1gd:k9PcwVz4B8c37KoNX1q
MD5:	C0877D9CC17715787EC3329EB0FAD7C1
SHA1:	E51DA518D764E4982471BE235E096A8D11217A56
SHA-256:	17C75E1739499E52B56470EED4C924379065703E8C665E449882E02856F96205
SHA-512:	EE748102A0C002B25989E073585DD7A611A64E85CB0C57CBD6592733A038BC8EEDBCB8F917BBBED02D7759C5621F5B6B03A587B317FD13A4014CF113C4FC4C57
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	247760
Entropy (8bit):	5.770986149607887
Encrypted:	false
SSDEEP:	3072:sr85CKW4l/DReos0gXf+EvC6C36eCWdMuoB+ISzBqUGxNtvKAbFP3cSEt0phcxAe:k9wl/DRfkTC3dM7B+mCivAT
MD5:	86242784CC98EBA7A0B0A1833901F76A
SHA1:	19178197143972E718023C5EA70F631971A4BC2D
SHA-256:	AB99BD10F6FB73856BAF95E9D4AC0434DF660B74388E53206955B9B512F3350D
SHA-512:	2AFEB5CAF7728E2EBD04D3BF42AD55AAC759CAA453FFDF6BAF0D8E7095782F90E165E3009ED619A7E8A3E62638C12D8C67016092972E193215DF9A3422ECB589
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	142288
Entropy (8bit):	6.426113960826444
Encrypted:	false
SSDEEP:	3072:sr85Cy684ePKoTB+IvoAewtxUff8aohGme+YDfYz8FrR7:k9yrTB+AleYIkifYUF
MD5:	9AD6CF45A4476B8A6AFC310D5E410235
SHA1:	07A614202F584361E48471CB3DBDB3FCD24E47FF
SHA-256:	1655811CC8A1E4BC12127B20600F93AB3DE3CC467CED76ED99C04C83FF15763C
SHA-512:	2737F8675AC768EDEA72CDF6F42579F1FC1ADE43122AFEE8971801ECB2F2E93DD10815DA419328D3BE26FEC7C633F881027BFF088877FF9F80BE96D5C106AABE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	259024
Entropy (8bit):	6.0902993716555995
Encrypted:	false
SSDEEP:	3072:sr85C5XEV0tle+5IbvBCMmNginHy8lZoY46Mu/rLogrlKq9YXI35EvMl:k95UVwleMITTmNv1ohWsqYI354I
MD5:	628F406DFCBB08B84171E530D77B3C9E
SHA1:	0A22B2ECAB9EAD7F1D399773BD1BB1FC359EB708
SHA-256:	482D936CBBF75D3C6248BFCE1B6E5546AB79DE4D4A715490F62CF8674517AF64
SHA-512:	B9A97C76AA2A38273835DEC7C0A9E91C668038C5BC422BD92654C259865680F92B841115C92529A1AFC50E70CC358FDEB2981C8AE43852C6EE090A3AFF92AA6D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	305120
Entropy (8bit):	6.414707301174103
Encrypted:	false
SSDEEP:	6144:k98FKucTm3RhMfoSG5dCd7hjAOe9UmXY2Gh++CgBlPMoX:XKucTm3RhMfoSBjA9U2Yxh+Zgb7X
MD5:	9938BDFE29D3CFAC8D713DFD743243B8
SHA1:	68CC77B8F114F34BE1A4A263D7F8736E857BBD12
SHA-256:	9204357B6EB1CB6459E2B0B67FC95E3A80D90781E0C7F97D7294FB6563B20CF1
SHA-512:	4F0C37C0BC405B483D11A80C5A23C1094ACB9E9CA48DDACC662E989AA21E301940018C08B5A861B482A06AFF2EA8AC9AAD0C8ABAB7E15628348764E779D306E4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	142288
Entropy (8bit):	6.426793148875817
Encrypted:	false
SSDEEP:	3072:sr85CtaivqozB+IvcZ4wrZU+l/8xoAm2+YDfYz8GrR/:k9FzB+Aw4CZNr2fYLl
MD5:	2AFBE95A5B1815B2E957E569D2CEF5C4
SHA1:	BD94E512E4EBBFA8D7BA255E66015DB721CA4801
SHA-256:	B5385EBBA1FA3E8E1288780A37ADCFE065EC02C764BC539F60CF0BBC2949BAE6
SHA-512:	0BD007F304E27149CC134004BC51ABD86AD3A701F72DDCD0A121399A73FFAC72061A6B027477DDCD29464C7F50232F7197DF5BA5A8432F051D40FAC225512951
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640416
Entropy (8bit):	7.912831259553018
Encrypted:	false
SSDEEP:	24576:1wy53G70SeiN9YqxCCg83udcWXDYajPF2410wuRpGfFki94qSe/wsNfzUG:6y53w24gQu3TPZ2psFkiSqwozX
MD5:	DCC61986BC0A26675681559C484E15FB
SHA1:	6F413F9D4A2B64A6F9DCA21B9310EBFF186D6E16
SHA-256:	A341E8D1C1BA0A82635135A5A24089C3EA484066B02E28B1CAFCEB1628BF53EB
SHA-512:	2C93519CBBE6B0AFAE36A696EDC6C33A25808D562A286BA278DB0418440BA4DE7B27823F13114581D3F2C830BB3261D634622CDB4053EA28EBD4BCFF3216CFAE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144866
Entropy (8bit):	6.240317481153233
Encrypted:	false
SSDEEP:	3072:sr85CORD5b0qZ7y4jem7y6tkNRCywDw1DiJkuKUY:k9UD5lZ7y4j9KT4DteUY
MD5:	6A1BE74AD1EE28433BF1549DFA813DC9
SHA1:	A4BBC87890CA7463AEC75B963291A69B65390653
SHA-256:	BC21B225F668AE2C3B8439ADB91969D39F711E9D57B557AD79FAD8FD8AEB2085
SHA-512:	8A0033D4D5B82856CE0826B9DD90B792BF9E9641463DAC1DAE83ED6E3F18F384AB6CC5E0998615A8DCE5BD6CD360E17BCE85C1FF8AA45B08A95383D89D228B0B
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	280480
Entropy (8bit):	6.386490869107258
Encrypted:	false
SSDEEP:	6144:k9wPr2vXzrEbslNp/JNsJKQl0GkRAqVNf0O3:/DQXRVTZu0GP+ZR
MD5:	F7B6F7CA5E4D9AD2DD9B1887D57CFF86
SHA1:	2E0494EF5F5603FCBB0F12F593F3F401930C2FDF
SHA-256:	26EB1DC3EBA8950CF5D8663EE94CA6105BE1227DD239B81FF571B4372D49D320
SHA-512:	181262E06BE2C01A7BDFCD4DEA634D71FD39D795339FA6A3FB327FE7E75BBB12C0B5AFC1E8811DDACA14654268D0D26E828BE1AE475B05503626684AF7190009
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4473576
Entropy (8bit):	6.569965325360163
Encrypted:	false
SSDEEP:	98304:pkkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:pkkCqaE68eV+0y8E6L1
MD5:	809D03153D2FCC1C9E1EE574DDF7CD2E
SHA1:	CF1FC95A34AFC5A2FB39504D973BC8380A04BAC1
SHA-256:	C2A715F1396DCDAA9360FB09B89992EE8619362062DFBD6C90CFF751C5272032
SHA-512:	094FE1BC30027336DFE6A32520DB39D8D27AD1A69716E7E00D6B66D44CFB4EAADBD8D48B6D80BC0D00C60EF0E3483437C82D2185BD704137CB544B11063820DA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	501656
Entropy (8bit):	6.318829677338838
Encrypted:	false
SSDEEP:	12288:yLH18t6x1hjaNHBlfBVDZS82JninSFVlDW:yLOwxyNHBVEHRiSFVlDW
MD5:	9FB296CF47C4D3E0FEF4974685EBE922
SHA1:	201293BEEB98FB83D118323C4803590E8C88E060
SHA-256:	5E21FE2FE640F209EB75B696C3334E577D2035436206C88C1F2E676CF560B75F
SHA-512:	CA9999251A1905BCA32D46857BD1213D37F2D33689E4D818FC006B88B84AA49AD9DB07B0C4D33361EFC0BFC697F705AEAF90D762C6CFAB3C9A9644BA73D750E3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1637776
Entropy (8bit):	6.316717941409346
Encrypted:	false
SSDEEP:	24576:P7Z1jyzcKSmKsvwMZJ1XBsn/gu2bRC6dulyyn2WdXM6cWlLIJ:zZ1tKTwMZJ1XBsn/UC6dugWA
MD5:	987399D498F6C2C7196A60504DCBA1F6
SHA1:	7A48D6492B9BB936EABAA4C979BD25F87AB3F9B7
SHA-256:	9F924F7B9B84FBB73E29C707D1C1D61AC00A3AB295BF1BA9754E2189D6E4BC24
SHA-512:	DE1F5790664A48EE5001541BAE7727431467A65B54EFB43412B1EB474DF6477110E98B8DA1168478B0CED1FA8DDBF69FE7BA209F69FDF9BB58F964A514B12E36
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	224632
Entropy (8bit):	5.625757771676373
Encrypted:	false
SSDEEP:	3072:sr85CBFtCsHjgU7HOg6KTe/+EypudsD22QnSUEhydebz41:k9Ttx0SA+EySaQKeUz41
MD5:	0FD839CB7D94AF1C672BA149E6C580A8
SHA1:	12CB0350EC3AEFBC189A117621DBFDCE5DBB6E86
SHA-256:	E033F780C0F8E58FD81724A1B5B02CCFFF788553B2F5308E4EB46DB37E30F9F4
SHA-512:	F54057339522E8B1C30550BCCB56B420894FEF6B51F53709A88105362AD09F5A83FC1478BF8D7CD7A0B48D56BE5DCEB8597B71B989743133B2954DEA0E364A41
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	431336
Entropy (8bit):	5.904107554819713
Encrypted:	false
SSDEEP:	6144:k9GzBRUKCBTwZVr2miTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVV+:/zBRnCBOrsBOBf
MD5:	641CC24F3AFB9E381161F17600323269
SHA1:	0A390D9A57B534A9A1C0CC441D9CBD9998608140
SHA-256:	8B5A689B0DB4EFE44C0601A89E97BA126F1E4EA943621B8EE444ED85EEA50CAA
SHA-512:	67BDB822FE0F484E60B7FA0944A4123D68C1F8B94E70D51F5F336C312F409CF7098EEB828D1A7A13138C7833A3689A7D226D909B1AAA3800EF491D88C39CBB03
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175160
Entropy (8bit):	5.997921392487593
Encrypted:	false
SSDEEP:	3072:sr85CE/VpSIcnsHKTe8LnZCA5OfkQAm95kQOJeqx6u:k9EtkIpdA5OfzDUeqx6u
MD5:	707EB4DC866F98B2701F57899DC19D51
SHA1:	59F9AA5CCB0EE3276F74C23ADD327342EF5B10AE
SHA-256:	F7DE47E26A16EB2459CD7FDC979BD30D0B50089D39433399EDA465023A0BD0BD
SHA-512:	C95D902254391B0D3ABD3A07930701E173808413E1F32BA1084F04EB5678EBC87ACAC2EA4BB6B26FE0550D78525EA3F54683FB9567A995B1318B5D9340E514FD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3162480
Entropy (8bit):	6.46880916383348
Encrypted:	false
SSDEEP:	49152:znW4jqFRZega3xejvY7GQOx4K1fm15FKqO7t78Ity6fod76lmlW8U:ys3OBj4UmOH
MD5:	EAB4618E120B951B8FADB9965EF352D7
SHA1:	C706F3479276CE840541862BBBD2C1530362BA03
SHA-256:	7D252BE50728CA3389124956E16D41F0AD14BB8C6F08D768F8A6555E25EA0F47
SHA-512:	8F69D95D0D39C8566F3EB1D456AE98285D36852278F474CAC382BF37FCB70714B4747F1984874A16B4850678C93C5170CF37E3A19E2EB89FC5881F00B9E527F2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1309408
Entropy (8bit):	6.496342895106016
Encrypted:	false
SSDEEP:	24576:5+sGOL9NLM3r4Viwj6KLqGua43loEeUFmwv:54AA4eGua43lgUFrv
MD5:	B39DF380C20D63215708AA6263BE495F
SHA1:	4CE3BE7169E222E787A3E8238D53C32324981894
SHA-256:	36728B9A21D2A5927D9B4F5C02C0F5899DFB80ABD01F371342510DBBACFE2BCA
SHA-512:	42B087413B27B741EB2470A6C7F64571542B20AA43C5B29A43C290A3E83960DAEA82974F6C187DA70655B175D5FFBA3FF04608CF54F8832DB7ED2DA715DCACD6
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	922944
Entropy (8bit):	6.462019359288523
Encrypted:	false
SSDEEP:	12288:V9/Bro8OEYbhEdbsrg4Sxz2/Sl92ncG15fQ224i5pQ+poPCcqyt4:L/BrnYuqFcL3pQ+pDX
MD5:	A4A4D70FB8EFBD8702F5F5CA3F2225B7
SHA1:	3AB16972E6ECEE5162F4264AAB2B78AE5A6D9AFA
SHA-256:	C8D5E992C3F31B60874957E81FC5C419F569CBC8FC3EF57F84F42F7E742C9EEF
SHA-512:	92E72BCB8526AA833D6A8E5E77994C15ADABC50F8742C5075532FE281DD4F309827584868F0F19E659E90B4EAEB520F80EAB3116A14D6546DCC85973A638CEA8
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	501544
Entropy (8bit):	6.318210992294509
Encrypted:	false
SSDEEP:	12288:yLH18t6x1hjaNHBlfBVDZS82Jn8YSFVhwDW:yLOwxyNHBVEHR8xFVhwDW
MD5:	AED258F1B9A23FDB9CC5E4485138E644
SHA1:	EAE5C3DB91C7DDF0B773CA86D0596D05687E0C93
SHA-256:	615D5E9AF84BA2817673B9CF42EC923DDAA24EB351AF72C8F0521CCFBC823F99
SHA-512:	65B31506659AEF8E650E19EAB25EC0772901650D0376A76EE259FB045F4FE943D583EB70FA9F844A9792968A4902B3D1E65426333B5DEB8AC7E625C822C74E99
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1637776
Entropy (8bit):	6.3167820027975505
Encrypted:	false
SSDEEP:	24576:PzZzKrsdCmasrf9Xr5wzW27+w3E4nZ1jDkCZTunfmrd/Mq8pqiV+yeci+HMJ:7Z5d3f9Xr5wzW2x3E4vDkCZTEJ+3
MD5:	7001415B4FEAD5C33EC776F878BEFC14
SHA1:	9D27556E97A7CAE67486D6F3FD57530274227E84
SHA-256:	3C65FA71938F8F8AAEF99B20567427A50E2081B52B01799E6DE0922E577A4F09
SHA-512:	83A26C44B7E7F2E2F28F57D39EC624F9F56C19EB38121A8AEF6B279852746831466D76CA16B93EB0979B8FB4EF5FD93A74F411F25EB9EF2127EDC376365895E9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	224632
Entropy (8bit):	5.625443062700148
Encrypted:	false
SSDEEP:	3072:sr85CJNzQsUdR7ROPHKTeA+EyBEBsLj6mCv0MC+8w+l+jDYgb:k9jzrUdH7+Ey6yxCyncDYgb
MD5:	6E3952F20879578A8938CDACB7536183
SHA1:	983C0C98D8E38CB7D3E461370320B3B31258439E
SHA-256:	2689FF014A00F6110EACAF335538BC57AE4DB0681C9C0B3E5B0F3DAD33EF0011
SHA-512:	98B18D03FC15933A1FB4E9EB6965E5BAEE9BD2376D3F3A30D5900CD309DAB041FBE1D99716C086D3ABC3F8277D7E12DC8E6B5378E3C92B7633982672EDF2CDD3
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1922888
Entropy (8bit):	6.54227144741344
Encrypted:	false
SSDEEP:	49152:txzduwxBjJMXDUlxqK/PDLWf+kfilcOk+4AgAQx:JuADax
MD5:	6EAF653BEC36CC61FFAAA74C2461CAE2
SHA1:	FBDDB56574DE87B9BC9D2A23BF4FFAC80020C313
SHA-256:	80056A156E3C10D8B335E1AA5D0B9F3B426CF7698B120A7CB593A745C40B0D78
SHA-512:	A6121E79CC254EC625590C81AF2281A2C1C591AD751690D8F2A68055B77E3ED0866E1166126453F218F5C45423F5059379BC0487A756E5299D72E87EEF7C2B53
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	431256
Entropy (8bit):	5.903632333497157
Encrypted:	false
SSDEEP:	6144:k9mDBRMKC2DARcy85smiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVL3:/DBRPC23DWqOhf
MD5:	05E8468F3C11C655FA5C0393FC91B745
SHA1:	3C41A0398A82AC6C949DFE0F5A444C47AE05B9E5
SHA-256:	659B9F92E7340FA757458CF6E4C4EED5EF8680C5C203D1BC9C7C5BF44CAE2BE2
SHA-512:	C762C38321BC4B12EF0CDD9BC51B2B8D2C3B817B62D5F27ADF0A5CFC26A3AC846A2CACD27668AD9997F30BA795668820CA948D54037DD2918B27A6584BB4B8CA
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175056
Entropy (8bit):	6.000125322491865
Encrypted:	false
SSDEEP:	3072:sr85CLBGrjhgGcKTeA4yJjAYykykBdg+FoQOJb/B1a:k9LgfhFAYykySfUb/B1a
MD5:	122C5EEF72C8E9945312BCC27CDFA1C2
SHA1:	073B5DBC1755095FE4A2037B9B3B63D153113156
SHA-256:	8A8EC674356DABE752037E162860B7A4FAB54635DAF6A1E112FC1894B72BABBE
SHA-512:	64F0B2AA151D83E51D754345EB149B209AD3741699E7272351D6711D4419ECEB14A2A9667479735F082D167373B9DF154460E92B7870FD2F9F6A0CA180F20BBD
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3158376
Entropy (8bit):	6.464089113147873
Encrypted:	false
SSDEEP:	49152:Y7Inw/bT9uzlAndnpufoDbRwU/xv3lNOsWReEQZeEO1QOiPQOo4r+U:8/VmUAYrj
MD5:	90F78071E0C92AADC17864CB0C11ED36
SHA1:	406DBDF1785C49037A1729432A30FE2753EF3662
SHA-256:	16CDB9A6B078E8F3655310B3DF161BB481DFD041BE65B3F302C823F699925431
SHA-512:	869AE6FA1F7A167A21A21277423A054CF1995377A7B4FA6C5E7C58DFA9D07EC46DEC7C9B8B74515CB0C6FE392449DCA836A05F2541F5844E0E2754D4A9C9FD07
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1309536
Entropy (8bit):	6.495307594774125
Encrypted:	false
SSDEEP:	24576:zvbIUnHtg+i54V0tqDNbu5kDIPQy+NTD4XnFzr:zzXzdMkDIPQy+Nv4Vr
MD5:	56C6D475B98686A5C3C848B232662383
SHA1:	23C37E7B08D8B644CA18688643A3867CFAB64B64
SHA-256:	561F20A7B1FD4E51894C8DEF981DADA325A54C0AB355CE28E858BE06FE6C0526
SHA-512:	92DCD39C7D6ADB080714547D8E80CC0D6B7269B86457617999FEB06A7C8B2D6FD62F4D461CCA991298FA4EC66D2E85F41E31A2E748AD98E5841F79A64F00E03A
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	922960
Entropy (8bit):	6.4621080170674
Encrypted:	false
SSDEEP:	12288:V9/Bro8OEYbhEdbsrg4Sxz2/Sl92ncG15fQ224i5pQ+pouCcqC7D4:L/BrnYuqFcL3pQ+pYmE
MD5:	A7CD28CC20BCFBF2AB1B81FE970DFABF
SHA1:	3C0D0B85304CA47F87480DD8AB0C42838A438509
SHA-256:	CFDBEC3C2769A41631B4B1310C46A1CE5BBDE097592E52266F94425DFDE52EE2
SHA-512:	AAEA29865EE94F5AEB7D013DE499B7813FBC31D9501AEEE6A16CDF60D1BD8DD2F59C9D650302F79CB85C9DDE721A776EB189759A1F3B4ABEAEFA78E261E59790
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	692064
Entropy (8bit):	7.195091714831986
Encrypted:	false
SSDEEP:	12288:kskY7gjcjhVIEhqgM7bWvcsi6aVUfIy+U40vy3W/ceKSHMsiFyY6XNmnMwJ:ksZgjS1hqgSC/izkfFjymk4HM5yJwMK
MD5:	2BBCB1E61E3B17B7F89D97FA21A3881D
SHA1:	C90D9A55FFB5BD4FC7318B542DDE1F72A2341334
SHA-256:	A2606AED76695606C291929D55A32A5CE51A9981A1471E24A2F33FCC5B97037F
SHA-512:	657172F611FD934DA6DC59544043EF046948DC6052CFDA142008CB342E7264FC0701D7160B3D2774DA63B4354E9B967480FF0007A30DF9D83088842222C0A8B3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2282014
Entropy (8bit):	6.496053701702415
Encrypted:	false
SSDEEP:	24576:ZFbkIsaPiXSVnC7Yp9zkNmZG8RRlnZyz/Iila8CJn0BgtscdTtOOa9pfthIDdsRQ:ZREXSVMDi350aFJqciOa925sRtMZ
MD5:	B01A11449DD83A10497833B23FB0887D
SHA1:	8F5276EE02A5B4B23CB7E9D500DD0DF71382E211
SHA-256:	9B165F6672E74ED5DC437040829BD602AFC411CE8C948C41B6D739BF1FBFB09A
SHA-512:	CF3634A8253C439D54233162DB10B9668F080E184E4E1B52AAE60DB303E89D2CA9FEAD16097937A871D54685592B1B58E389D481B94F6C261D5CAEC98223EC81
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, Author: Joe Security Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	917504
Entropy (8bit):	6.351569926148067
Encrypted:	false
SSDEEP:	12288:hu6sfBgtsGvd2StQYeO0B9pPtaRh2E8jVX3HoDdsogttZ:hn0BgtscdTtOOa9pfthIDdsRttZ
MD5:	8BACAD1C57463F2E403CA5656FFA129E
SHA1:	7CD8041FB1BD703D31F778700813531ED43882DA
SHA-256:	BDEC97EE615088549771300BD65D6114A74DD0A4C1ECC6BB4FFC8AC484F19FAC
SHA-512:	40A5A0CABD2561B2D32EC14E91172DB6F812D0E2DCC6CFDA3A2F458E0994FC387324212BD47F21ACB6D05BED151A96AD444A0A5A7F7BB35AE6FD0DCD57D25D64
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W...W...W.......\|...,...T.......{...5...B...W.......a...?...a................N...W...s......V...RichW...........................PE..L.....nd.....................`......1.............@.......................... ...........................................................[...........................................................................................................text.............................. ..`.rdata...s..........................@..@.data........ ....... ..............@....rsrc....[.......`..................@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HD_X.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1323008
Entropy (8bit):	6.563657414663098
Encrypted:	false
SSDEEP:	24576:8YFbkIsaPiXSVnC7Yp9zkNmZG8RRlnZyz/Iila8Cy:8YREXSVMDi350aFy
MD5:	EBEA7267D953CF95A2DC1C6B0A57738E
SHA1:	6B03B9BF837A7FB61B4164B03C611335DB5C56AB
SHA-256:	291D8260378AC894D10B140C053985907B53D0593B2CDA19028CC3F0C132F514
SHA-512:	335EDEFF6CC79633382BA83105497EF6A4EBA5B5696164BC0703DF6546A7E5C1C994262063E0EAF28F909CB4DD7F242B6209862DE4E05E6FF82853BB2149D899
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: C:\Users\user\AppData\Local\Temp\HD_X.dat, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........H..u...u...u...~...u.......u.......u.C.{...u...y...u...f...u...f...u...t.`.u.C.(...u...~...u.(.~...u.(.....u...u...u...s...u.Rich..u.........PE..L.....Da.....................0......U.............@..........................`...............................................U.......................................................................................................................text............................... ..`.rdata...y..........................@..@.data....@....... ..................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\chrome.exe

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	182272
Entropy (8bit):	6.784375621590053
Encrypted:	false
SSDEEP:	3072:sr85C/sWLuzeHpl18fCtnRPF9EVnb43jaI5gr/uHqZLWfp2KkvL5kdnQB:k9/9mCtnRPF9cCGr/uH0gkSdQB
MD5:	73F73E565BCCA28C58B8CD91DC1056AD
SHA1:	AB7B58E90994D016DFD7937556FDEA6FE13ABA22
SHA-256:	A0AC3CF26C12A9727FE6986DB32F255CBBCD6E45B063022E79C74DBD3787546C
SHA-512:	460230C3F943A4626BFF45040B26D0C542140DD7EED6F58FF0D9412125359219DAE252080ACF27A2DAC15AC6C9FE4A32277D185D727841D0B719DF4D3356225E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Users\user\AppData\Local\Temp\chrome.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\chrome.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\look2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	387072
Entropy (8bit):	6.35762425937126
Encrypted:	false
SSDEEP:	6144:k9kcHnNmZEvB7csAPRZyfQjCfA3lMXm4Y+5bFnWBFopJOUAkIXw5:iNmZEvJcscRZzjCI1O5WyIXw5
MD5:	A52E0CA23BB3A960797A301B894A5812
SHA1:	D7505B002EEB3893B4D118213422697D6EC2C18F
SHA-256:	09D437A03B35F51F39AB5FF847FAB1E8213E444E6C2E3547B58424FECD96E1C9
SHA-512:	FE109648CEBDB1909CBDF87A118C170BF7907E1172F43D02F75535F02443D8C979869505AF99EF26DF52CA1EE841FE2BFA4E7BC053CA889F156E0653C4927D04
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Users\user\AppData\Local\Temp\look2.exe, Author: Joe Security Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: C:\Users\user\AppData\Local\Temp\look2.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\look2.exe, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5023.tmp

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	data
Category:	modified
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:np:p
MD5:	14819095717D683F52E51B45151C3C4B
SHA1:	B430209213A82B0FDA4FD8F7992B36DC20290C2F
SHA-256:	CB70D0AC754939D2F77EC6118941432CD242BE2BDB7333A2F27A1717CABB108D
SHA-512:	F757B394970CF9C5967B03D4D7869077B1CE921CD3131E2EF054601E5984558134D0F3E2391B52E35D13E6A94DBD13A21DA8885320112E7B475E56973387211C
Malicious:	false
Preview:	.N..&A

C:\Windows\SysWOW64\5718562.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\look2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52224
Entropy (8bit):	6.275160102765287
Encrypted:	false
SSDEEP:	1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoL4JYH5:1dWubF3n9S91BF3fbokJYH5
MD5:	3C55841A9576388E4103A34F8232929C
SHA1:	25191E4F5631032779C2235C18A1D102786F8863
SHA-256:	F5C00D46F8F94EF467E57FFEC059A0085D013CC578C55712F5A3EB985F77041C
SHA-512:	568AA9779A771C8ECD3F3D47E44DB62AB691C750114EB0933093DD531635F36D03902BF49D51371CAA0A7A89436079955123DAC2B423F9AA1FE937FCB00B7576
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: C:\Windows\SysWOW64\5718562.bat, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5.>.Tom.Tom.Tom.Hcm.Tom3[0m.Tom.Kdm.TomsHam.Tom.Kem.Tom.Kkm.Tom.rdm.Tom.rkm.Tom.Tom.Tom.Tnm.Tom3[2m.Tom.Kdm.Tom7Rim.Tom.Kkm.TomRich.Tom........PE..L.....i`...........!.........J......(...............................................................................P.......`...........@.......................(....................................................... ............................text............................... ..`.rdata..............................@..@.data....!..........................@....rsrc...@...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\ini.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\look2.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.558518613048907
Encrypted:	false
SSDEEP:	3:oVXR6vclvibAFv:o9eclv/v
MD5:	A8029E227D4D16C9E01471E27CCBEF38
SHA1:	3842B1434BD3281C9CAA53379C7E123745F6A75E
SHA-256:	29CD6175628206697C057115DDA45DB24F6B12BF18023105CE44350B2849B1B6
SHA-512:	67C1FE3E9F652561129CAD8DADAB59C3B5DA2A809895DE65A7A80EF5E455AFDD7DEBB1CB2B4C2E6B9B0B49BD884505361206B986DB86EC6CD94BE137489460B2
Malicious:	false
Preview:	[2024-11-21 03:40]..Group=...1..Remark=..

C:\Windows\SysWOW64\svchcst.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	6.199746098562656
Encrypted:	false
SSDEEP:	1536:H9ykYCTdiHQKrFXmw2RQln5IUmDjoX6+:HlMHprF2nRQln5I
MD5:	889B99C52A60DD49227C5E485A016679
SHA1:	8FA889E456AA646A4D0A4349977430CE5FA5E2D7
SHA-256:	6CBE0E1F046B13B29BFA26F8B368281D2DDA7EB9B718651D5856F22CC3E02910
SHA-512:	08933106EAF338DD119C45CBF1F83E723AFF77CC0F8D3FC84E36253B1EB31557A54211D1D5D1CB58958188E32064D451F6C66A24B3963CCCD3DE07299AB90641
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.....^...^...^.pb^...^.c._...^.c._...^...^c..^.c._...^.c._...^.c._...^.c.^...^.c._...^Rich...^........PE..L...9..j.................b...........a............@..........................@............@.............................................hg...................0..........T........................... ........................m..`....................text...La.......b.................. ..`.data................f..............@....idata...............h..............@..@.didat...............~..............@....rsrc...hg.......h..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\svchost.com

Download File

Process:	C:\Users\user\Desktop\#U4ee3#U7406.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	6.1374402996536555
Encrypted:	false
SSDEEP:	768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ:JxqjQ+P04wsmJC
MD5:	5AE0C6CEB2EBF358A71AD2EE2A001A28
SHA1:	31C8CF0A508B59E7D5D8E48B78824BE3144661F4
SHA-256:	A85EBC1ED67C7A366EC7913883C3D635AFB76291B2D6A73AD0F7C72F0E401F3D
SHA-512:	837036D43E89393910B2B27D8167B509E94543BDB18E89C35C2A6104E8472A1F777CB01FD9628A6E3111BA5E9F22E0570F4E47A6987884DCB48804F87452221C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Windows\svchost.com, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Windows\svchost.com, Author: ditekSHen
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.496053701702415
TrID:	Win32 Executable (generic) a (10002005/4) 95.64% Win32 Executable Borland Delphi 6 (262906/60) 2.51% Windows ActiveX control (116523/4) 1.11% InstallShield setup (43055/19) 0.41% Win32 Executable Delphi generic (14689/80) 0.14%
File name:	#U4ee3#U7406.exe
File size:	2'282'014 bytes
MD5:	b01a11449dd83a10497833b23fb0887d
SHA1:	8f5276ee02a5b4b23cb7e9d500dd0df71382e211
SHA256:	9b165f6672e74ed5dc437040829bd602afc411ce8c948c41b6d739bf1fbfb09a
SHA512:	cf3634a8253c439d54233162db10b9668f080e184e4e1b52aae60db303e89d2ca9fead16097937a871d54685592b1b58e389d481b94f6c261d5caec98223ec81
SSDEEP:	24576:ZFbkIsaPiXSVnC7Yp9zkNmZG8RRlnZyz/Iila8CJn0BgtscdTtOOa9pfthIDdsRQ:ZREXSVMDi350aFJqciOa925sRtMZ
TLSH:	53B5AF52B9D180F2CA052931896B7B3AD9359F454F21CBD3A3A8FF3DAD321419E36127
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	9eb3c18c2ceea99a

Static PE Info

General

Entrypoint:	0x4080e4
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9f4693fc0c511135129493f2161d1e86

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFE0h
xor eax, eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-1Ch], eax
mov dword ptr [ebp-14h], eax
mov eax, 00408054h
call 00007F5EF88F40F7h
xor eax, eax
push ebp
push 00408220h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov eax, 004091A8h
mov ecx, 0000000Bh
mov edx, 0000000Bh
call 00007F5EF88F7241h
mov eax, 004091B4h
mov ecx, 00000009h
mov edx, 00000009h
call 00007F5EF88F722Dh
mov eax, 004091C0h
mov ecx, 00000003h
mov edx, 00000003h
call 00007F5EF88F7219h
mov eax, 004091DCh
mov ecx, 00000003h
mov edx, 00000003h
call 00007F5EF88F7205h
mov eax, dword ptr [00409210h]
mov ecx, 0000000Bh
mov edx, 0000000Bh
call 00007F5EF88F71F1h
call 00007F5EF88F7248h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F5EF88F4B32h
mov eax, dword ptr [ebp-14h]
call 00007F5EF88F50C6h
cmp eax, 0000A200h
jle 00007F5EF88F82E7h
call 00007F5EF88F77C6h
call 00007F5EF88F7FD9h
mov eax, 004091C4h
mov ecx, 00000003h
mov edx, 00000003h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15000	0x864	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19000	0x1400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18000	0x5cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x17000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x722c	0x7400	ca3464d4f08c9010e7ffa2fe3e890344	False	0.6173558728448276	data	6.511672174892103	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x9000	0x218	0x400	7ffc3168a7f3103634abdf3a768ed128	False	0.3623046875	data	3.1516983405583385	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xa000	0xa899	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x15000	0x864	0xa00	6e7a45521bfca94f1e506361f70e7261	False	0.37421875	data	4.173859768945439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x16000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x17000	0x18	0x200	7e6c0f4f4435abc870eb550d5072bad6	False	0.05078125	data	0.2069200177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x18000	0x5cc	0x600	16968c66d220638496d6b095f21de777	False	0.8483072916666666	data	6.443093465893509	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x19000	0x1400	0x1400	cf8ac20d0caf1ac9b46b5a13c4432065	False	0.1875	data	2.89092998060675	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x19150	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4264	Russian	Russia	0.06941838649155722
RT_RCDATA	0x1a1f8	0x10	data			1.5
RT_RCDATA	0x1a208	0xac	data			1.063953488372093
RT_GROUP_ICON	0x1a2b4	0x14	data	Russian	Russia	1.1

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, MessageBoxA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	WriteFile, WinExec, SetFilePointer, SetFileAttributesA, SetEndOfFile, SetCurrentDirectoryA, ReleaseMutex, ReadFile, GetWindowsDirectoryA, GetTempPathA, GetShortPathNameA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesA, GetDriveTypeA, GetCommandLineA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, DeleteFileA, CreateMutexA, CreateFileA, CreateDirectoryA, CloseHandle
gdi32.dll	StretchDIBits, SetDIBits, SelectObject, GetObjectA, GetDIBits, DeleteObject, DeleteDC, CreateSolidBrush, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
user32.dll	ReleaseDC, GetSysColor, GetIconInfo, GetDC, FillRect, DestroyIcon, CopyImage, CharLowerBuffA
shell32.dll	ShellExecuteA, ExtractIconA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 09:40:13.424290895 CET	65484	53	192.168.2.7	1.1.1.1
Nov 21, 2024 09:40:16.693641901 CET	55625	53	192.168.2.7	1.1.1.1
Nov 21, 2024 09:40:17.690422058 CET	55625	53	192.168.2.7	1.1.1.1
Nov 21, 2024 09:40:18.563910961 CET	53	55625	1.1.1.1	192.168.2.7
Nov 21, 2024 09:40:18.563957930 CET	53	55625	1.1.1.1	192.168.2.7
Nov 21, 2024 09:41:16.969147921 CET	62498	53	192.168.2.7	1.1.1.1
Nov 21, 2024 09:41:17.968803883 CET	62498	53	192.168.2.7	1.1.1.1
Nov 21, 2024 09:41:18.936347008 CET	53	62498	1.1.1.1	192.168.2.7
Nov 21, 2024 09:41:18.936368942 CET	53	62498	1.1.1.1	192.168.2.7
Nov 21, 2024 09:42:17.501007080 CET	58528	53	192.168.2.7	1.1.1.1
Nov 21, 2024 09:42:18.516313076 CET	58528	53	192.168.2.7	1.1.1.1
Nov 21, 2024 09:42:19.517081976 CET	58528	53	192.168.2.7	1.1.1.1
Nov 21, 2024 09:42:19.538846016 CET	53	58528	1.1.1.1	192.168.2.7
Nov 21, 2024 09:42:19.538855076 CET	53	58528	1.1.1.1	192.168.2.7
Nov 21, 2024 09:42:19.743124008 CET	53	58528	1.1.1.1	192.168.2.7
Nov 21, 2024 09:43:19.394932032 CET	57402	53	192.168.2.7	1.1.1.1
Nov 21, 2024 09:43:20.407918930 CET	57402	53	192.168.2.7	1.1.1.1
Nov 21, 2024 09:43:20.908884048 CET	53	57402	1.1.1.1	192.168.2.7
Nov 21, 2024 09:43:20.908925056 CET	53	57402	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 09:40:13.424290895 CET	192.168.2.7	1.1.1.1	0x8e24	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:40:16.693641901 CET	192.168.2.7	1.1.1.1	0x710c	Standard query (0)	kinh.xmcxmr.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:40:17.690422058 CET	192.168.2.7	1.1.1.1	0x710c	Standard query (0)	kinh.xmcxmr.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:41:16.969147921 CET	192.168.2.7	1.1.1.1	0x77c	Standard query (0)	kinh.xmcxmr.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:41:17.968803883 CET	192.168.2.7	1.1.1.1	0x77c	Standard query (0)	kinh.xmcxmr.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:42:17.501007080 CET	192.168.2.7	1.1.1.1	0x8d66	Standard query (0)	kinh.xmcxmr.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:42:18.516313076 CET	192.168.2.7	1.1.1.1	0x8d66	Standard query (0)	kinh.xmcxmr.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:42:19.517081976 CET	192.168.2.7	1.1.1.1	0x8d66	Standard query (0)	kinh.xmcxmr.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:43:19.394932032 CET	192.168.2.7	1.1.1.1	0x27ec	Standard query (0)	kinh.xmcxmr.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:43:20.407918930 CET	192.168.2.7	1.1.1.1	0x27ec	Standard query (0)	kinh.xmcxmr.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 09:40:13.650387049 CET	1.1.1.1	192.168.2.7	0x8e24	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 09:40:18.563910961 CET	1.1.1.1	192.168.2.7	0x710c	No error (0)	kinh.xmcxmr.com		127.0.0.1	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:40:18.563957930 CET	1.1.1.1	192.168.2.7	0x710c	No error (0)	kinh.xmcxmr.com		127.0.0.1	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:41:18.936347008 CET	1.1.1.1	192.168.2.7	0x77c	No error (0)	kinh.xmcxmr.com		127.0.0.1	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:41:18.936368942 CET	1.1.1.1	192.168.2.7	0x77c	No error (0)	kinh.xmcxmr.com		127.0.0.1	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:42:19.538846016 CET	1.1.1.1	192.168.2.7	0x8d66	No error (0)	kinh.xmcxmr.com		127.0.0.1	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:42:19.538855076 CET	1.1.1.1	192.168.2.7	0x8d66	No error (0)	kinh.xmcxmr.com		127.0.0.1	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:42:19.743124008 CET	1.1.1.1	192.168.2.7	0x8d66	No error (0)	kinh.xmcxmr.com		127.0.0.1	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:43:20.908884048 CET	1.1.1.1	192.168.2.7	0x27ec	No error (0)	kinh.xmcxmr.com		127.0.0.1	A (IP address)	IN (0x0001)	false
Nov 21, 2024 09:43:20.908925056 CET	1.1.1.1	192.168.2.7	0x27ec	No error (0)	kinh.xmcxmr.com		127.0.0.1	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:40:10
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\#U4ee3#U7406.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#U4ee3#U7406.exe"
Imagebase:	0x400000
File size:	2'282'014 bytes
MD5 hash:	B01A11449DD83A10497833B23FB0887D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000000.00000002.1844064757.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000000.00000003.1295645600.0000000002084000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:40:11
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe"
Imagebase:	0x400000
File size:	2'240'542 bytes
MD5 hash:	3E1B9039148D196063AB784E4548E798
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000002.00000003.1317502950.0000000002589000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000002.00000003.1311372996.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000002.00000000.1297884455.0000000000480000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000002.00000003.1417823392.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000002.00000003.1305813174.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000002.00000003.1305160853.0000000003169000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000002.00000003.1301202980.0000000002582000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, Author: Joe Security Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, Author: ditekSHen Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\3582-490\#U4ee3#U7406.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:40:11
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\look2.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\\look2.exe
Imagebase:	0x400000
File size:	345'600 bytes
MD5 hash:	2F3B6F16E33E28AD75F3FDAEF2567807
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000003.00000000.1298861576.0000000000441000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Users\user\AppData\Local\Temp\look2.exe, Author: Joe Security Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: C:\Users\user\AppData\Local\Temp\look2.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\look2.exe, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:40:11
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe -k "svchcst"
Imagebase:	0xa10000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:40:11
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe -k "svchcst"
Imagebase:	0xa10000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000005.00000002.3756117605.000000001000C000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Gh0stCringe, Description: Yara detected Gh0stCringe, Source: 00000005.00000002.3756117605.000000001000C000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	03:40:11
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\3582-490\HD_#U4ee3#U7406.exe
Imagebase:	0x400000
File size:	917'504 bytes
MD5 hash:	8BACAD1C57463F2E403CA5656FFA129E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	03:40:12
Start date:	21/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	03:40:15
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\svchcst.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\svchcst.exe "c:\windows\system32\5718562.bat",MainThread
Imagebase:	0xf00000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000008.00000002.3755940840.000000001000C000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Gh0stCringe, Description: Yara detected Gh0stCringe, Source: 00000008.00000002.3755940840.000000001000C000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.5%
Total number of Nodes:	826
Total number of Limit Nodes:	56

Executed Functions

Function 004368B0 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370
commemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 004368D9
OleInitialize.OLE32(00000000), ref: 00436915
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00436933
SetCurrentDirectoryA.KERNELBASE(022D5B70,?), ref: 0043698D
LoadCursorA.USER32(00000000,00007F00), ref: 004369E8
GetStockObject.GDI32(00000005), ref: 00436A09
GetCurrentThreadId.KERNEL32 ref: 00436A31

Strings

_EL_HideOwner, xrefs: 00436A13
H, xrefs: 00436B25, 00436B50

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Current$CursorDirectoryFileHeapInitializeLoadModuleNameObjectProcessStockThread
String ID: _EL_HideOwner$H
API String ID: 3783217854-2140555221
Opcode ID: d79f3ec82efd9eebe0b2e66ddaa75544693db9cf740bc9bd72d0af303867b13d
Instruction ID: 8804ab0bc15efdc6dfd84aaac6fe857ae88efd8b79df5c953382c4619605bb5e
Opcode Fuzzy Hash: d79f3ec82efd9eebe0b2e66ddaa75544693db9cf740bc9bd72d0af303867b13d
Instruction Fuzzy Hash: ADE1C370A00215AFCB54DF55CC81BEEB7B4FF48304F15816EE909A7292DB786945CFA8

Function 00471E54 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 72
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00471E59
GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?), ref: 00471E77
lstrcpynA.KERNEL32(?,?,00000104), ref: 00471E86
GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00471EBA
CharUpperA.USER32(?), ref: 00471ECB
FindFirstFileA.KERNEL32(?,?), ref: 00471EE1
FindClose.KERNEL32(00000000), ref: 00471EED
lstrcpyA.KERNEL32(?,?), ref: 00471EFD

Strings

\VO, xrefs: 00471E93

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
String ID: \VO
API String ID: 304730633-2422581269
Opcode ID: 250a0445023347aa0dfd9e5b24a9585397951416ed4b89414bf21412460573f5
Instruction ID: e2d836120a05c0c4c6c4e345ef4b6637e263a4b4f97f833c06cf321b42ac82b3
Opcode Fuzzy Hash: 250a0445023347aa0dfd9e5b24a9585397951416ed4b89414bf21412460573f5
Instruction Fuzzy Hash: 56218B71500118BBCB50AF69DC48EEF7FBCEF05765F00852AF919E61A0D7748A49CBA8

Function 00411DA0 Relevance: 15.3, APIs: 10, Instructions: 287
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,004F565C), ref: 00411E07
LoadLibraryA.KERNEL32(?,?,005059A0), ref: 00411EF9
LoadLibraryA.KERNELBASE(?,?), ref: 00411F3F
LoadLibraryA.KERNELBASE(?,?,005058A8,00000001), ref: 00411F87
LoadLibraryA.KERNEL32(00000001), ref: 00411F9D
GetProcAddress.KERNEL32(00000000,?), ref: 00411FAF
FreeLibrary.KERNEL32(00000000), ref: 00412042

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Library$Load$AddressProc$Free
String ID:
API String ID: 3120990465-0
Opcode ID: 513afeef5074f3d166d04eaed78ac9274e8bce46a1b8fdbab1b97387d589b2ab
Instruction ID: 34074fbb2955a925b5db9b3ed9c0f686751b5b5fe198d3a3d7c9af2530035692
Opcode Fuzzy Hash: 513afeef5074f3d166d04eaed78ac9274e8bce46a1b8fdbab1b97387d589b2ab
Instruction Fuzzy Hash: 8CA1E2B1600701ABC710DF69C880FABB3A9FF98314F044A2EF91597351EB78E955CB99

Function 0045ED20 Relevance: 10.6, APIs: 7, Instructions: 87
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowA.USER32(00000000,?), ref: 0045ED8D
GetWindowThreadProcessId.USER32(00000000,?), ref: 0045ED9D
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0045EE1B
TerminateProcess.KERNEL32(00000000,00000000), ref: 0045EE24

Part of subcall function 00471416: InterlockedDecrement.KERNEL32(-000000F4), ref: 0047142A

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Process$Window$DecrementFindInterlockedOpenTerminateThread
String ID:
API String ID: 2770076521-0
Opcode ID: b1d7bdde570c5135b6aad571a470c1712ceb129d7d0b370a0e7798c8997489b3
Instruction ID: f49d09bf38843ed6246ea1e21e793bb2f2bce097083d858625da7e8073b3aaa8
Opcode Fuzzy Hash: b1d7bdde570c5135b6aad571a470c1712ceb129d7d0b370a0e7798c8997489b3
Instruction Fuzzy Hash: 0931C431108342ABD364DB26CD45BAB73E4AB84751F04891EFC69832D1E778D908CB66

Function 00412510 Relevance: 6.1, APIs: 4, Instructions: 94
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileA.KERNELBASE(?,?), ref: 00412562
FindClose.KERNEL32 ref: 00412571
FindFirstFileA.KERNELBASE(?,?), ref: 0041257D
FindClose.KERNELBASE(00000000), ref: 004125DB

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: fead08fa7fcad5e510c5e9c07e2c2a528163319dd370dc3fdd8feaadafd0c43f
Instruction ID: a328d943cb3dc5d6d1cd15c412af6cf9dadb71c57160ef6a78d3c1b32ede5832
Opcode Fuzzy Hash: fead08fa7fcad5e510c5e9c07e2c2a528163319dd370dc3fdd8feaadafd0c43f
Instruction Fuzzy Hash: 12213B32504710BBD7219B24DEA47FBB396AB94324F15062AEC25C7380E7BDDCA5434A

Function 0047B8B2 Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,?,?,0047B8AD), ref: 0047B929
GetProcessVersion.KERNELBASE(00000000,?,?,?,0047B8AD), ref: 0047B966
LoadCursorA.USER32(00000000,00007F02), ref: 0047B994
LoadCursorA.USER32(00000000,00007F00), ref: 0047B99F

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 5e5b1153eeb0fdd7f57a8ef4763f55774ae725b07277aabe53bbb24c3734d48a
Instruction ID: 6c39a0846d3fef1b3143a56e2f5ac529bf7189dfd17a8d9ba47eacf88b8ac09b
Opcode Fuzzy Hash: 5e5b1153eeb0fdd7f57a8ef4763f55774ae725b07277aabe53bbb24c3734d48a
Instruction Fuzzy Hash: E8118CB1A04B508FD7649F3A888466ABBE5FB487047404D3FE28BC6B80D778E444CB54

Function 0045E790 Relevance: 4.6, APIs: 3, Instructions: 102
comstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000800), ref: 0045E7BE
CoCreateInstance.OLE32(004DC438,00000000,00000001,004DC470,?,?,00000000,?,00000160,00000800), ref: 0045E7EE
lstrlenA.KERNEL32(00000000), ref: 0045E82E

Part of subcall function 0045EA60: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000001,0045E84E,?,00000000,00000001), ref: 0045EA7B

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ByteCharCreateFileInfoInstanceMultiWidelstrlen
String ID:
API String ID: 2402691419-0
Opcode ID: 6e0f59bcccfe3c1d85bd4932181a0363ec131db948f6d26c2c9fcdf5607f69bf
Instruction ID: 5620cbf48cb17b40dd8cae7d2b224757cffdd96f215d6c6e82d6708c6755a5e4
Opcode Fuzzy Hash: 6e0f59bcccfe3c1d85bd4932181a0363ec131db948f6d26c2c9fcdf5607f69bf
Instruction Fuzzy Hash: 0431B071600205ABDB24DF61CC89FAA77ACEF84705F004499FD04DB281D775EA88CBA4

Function 00405240 Relevance: 3.0, APIs: 2, Instructions: 20fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE ref: 00405252
FindClose.KERNELBASE(00000000), ref: 0040525E

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 2243885805e20c05c0951e1674011a8819d3cf3125c8b63991e5cade23049c79
Instruction ID: c22556dae8547d578c9d19c7116c7680a516cc90ea8213259f358050acbc3e9d
Opcode Fuzzy Hash: 2243885805e20c05c0951e1674011a8819d3cf3125c8b63991e5cade23049c79
Instruction Fuzzy Hash: E1E0E5785043409FD321DB24D8889AA77A5BB89320F944B68E8AC873E0D73998198A52

Function 004730C0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 170
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0047ADA8: TlsGetValue.KERNEL32(00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2,?,00000000,?,0046EFFB,00000000,00000000,00000000,00000000), ref: 0047ADE7

CallNextHookEx.USER32(?,00000003,?,?), ref: 004730EA
GetClassLongA.USER32(?,000000E6), ref: 00473131
GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,?,Function_0007A12E), ref: 0047315D
lstrcmpiA.KERNEL32(?,ime), ref: 0047316C
GetWindowLongA.USER32(?,000000FC), ref: 004731DF
SetWindowLongA.USER32(?,000000FC,00000000), ref: 00473200

Strings

ime, xrefs: 00473166
AfxOldWndProc423, xrefs: 00473241, 00473246, 00473251, 00473259, 00473262

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: AfxOldWndProc423$ime
API String ID: 3731301195-104836986
Opcode ID: 2e983d77c2a03f10d8cb725a24ab419e24c313823d404b9e3c25b7802a51bef5
Instruction ID: 6880a93f6bd5ed6240d2831a439a11e96adb5b859c02c6a42a55166419180949
Opcode Fuzzy Hash: 2e983d77c2a03f10d8cb725a24ab419e24c313823d404b9e3c25b7802a51bef5
Instruction Fuzzy Hash: E551AF31500215AFCB619F64DC48BEF7B78FF04362F108A6AF919A6291D738DA449B98

Function 00472EE5 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00472EEA
GetPropA.USER32(?,AfxOldWndProc423), ref: 00472F02
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 00472F60

Part of subcall function 00472ACD: GetWindowRect.USER32(?,?), ref: 00472AF2
Part of subcall function 00472ACD: GetWindow.USER32(?,00000004), ref: 00472B0F

SetWindowLongA.USER32(?,000000FC,?), ref: 00472F90
RemovePropA.USER32(?,AfxOldWndProc423), ref: 00472F98
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 00472F9F
GlobalDeleteAtom.KERNEL32(00000000), ref: 00472FA6

Part of subcall function 00472AAA: GetWindowRect.USER32(?,?), ref: 00472AB6

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 00472FFA

Strings

AfxOldWndProc423, xrefs: 00472EF8, 00472F00, 00472F96, 00472F9E

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: f22f113e3dde3307ab3ca09679022cab68260f7e4203eb20a34b604b1cc95a19
Instruction ID: 491336db4d836909bdc583da2acb2e32ad713a9b87e3151a749543183b637f12
Opcode Fuzzy Hash: f22f113e3dde3307ab3ca09679022cab68260f7e4203eb20a34b604b1cc95a19
Instruction Fuzzy Hash: F6316E3280014ABBCB519FA5DE49EFF7B78EF45311F00852BF905B1160CBB98915ABA9

Function 0047AA41 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(0000001C,0051A4BC,00000000,?,00000000,00000000,0047ADDC,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2,?,00000000), ref: 0047AA50
GlobalAlloc.KERNELBASE(00002002,?,?,?,00000000,00000000,0047ADDC,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2,?,00000000), ref: 0047AAA5
GlobalHandle.KERNEL32(?), ref: 0047AAAE
GlobalUnlock.KERNEL32(00000000), ref: 0047AAB7
GlobalReAlloc.KERNEL32(00000000,?,00002002), ref: 0047AAC9
GlobalHandle.KERNEL32(?), ref: 0047AAE0
GlobalLock.KERNEL32(00000000), ref: 0047AAE7
LeaveCriticalSection.KERNEL32(00460E35,?,?,00000000,00000000,0047ADDC,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2,?,00000000), ref: 0047AAED
GlobalLock.KERNEL32(00000000), ref: 0047AAFC
LeaveCriticalSection.KERNEL32(?), ref: 0047AB45

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: d2da1497d1eb3a8d51fa8c30149ae54d21f31adcd1d206f2434826fa0c3674a3
Instruction ID: e02098a53a8d224c5ce4e9feec46aa09f55cd2b02725fb867840a00eca976d61
Opcode Fuzzy Hash: d2da1497d1eb3a8d51fa8c30149ae54d21f31adcd1d206f2434826fa0c3674a3
Instruction Fuzzy Hash: A2318F712103069FD7649F28DD89A6EB7E9FF84305B004A2EE866C3661E7B5EC18CB15

Function 0045E8C0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,00000000,?,00000000), ref: 0045E94B
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 0045E96A
GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 0045E981
GetTempPathA.KERNEL32(00000104,00000000), ref: 0045E998

Strings

\, xrefs: 0045E9BE
\, xrefs: 0045E9C5

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: DirectoryPath$FolderSpecialSystemTempWindows
String ID: \$\
API String ID: 2721284240-164819647
Opcode ID: 4834cc78adc3c5f241aa8d25f5626aa0534c6b1b8ffe713f2601123c209684c9
Instruction ID: cc2a492bb6cc8eb54aa467ae7779567ffecaea68c8a07cf7c82251ffb48b28dc
Opcode Fuzzy Hash: 4834cc78adc3c5f241aa8d25f5626aa0534c6b1b8ffe713f2601123c209684c9
Instruction Fuzzy Hash: 0B3105F15183019BEBAC8627C84577F7690EB51712F144C2FE986C6282D2BCCA8C975B

Function 00404B00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00404BB7
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404BCF
WaitForInputIdle.USER32(?,000003E8), ref: 00404BE1
CloseHandle.KERNEL32(?), ref: 00404BF2
CloseHandle.KERNEL32(?), ref: 00404BF9

Strings

D, xrefs: 00404B19

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CloseHandleWait$CreateIdleInputObjectProcessSingle
String ID: D
API String ID: 2811420030-2746444292
Opcode ID: 8c36289742db271d9597d0151303ee485bae3b94c8a109f5ad2841c7005251b6
Instruction ID: 4800e99da33befc981ce3e61ea2ee6a938ed7aef0e2fa5e2553b35add5d39a6c
Opcode Fuzzy Hash: 8c36289742db271d9597d0151303ee485bae3b94c8a109f5ad2841c7005251b6
Instruction Fuzzy Hash: CD317AB56183009BD720CB58C880B6BB7F9EFD5710F20492EE742E7390E679E885874A

Function 0047735F Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 0047736C
GetSystemMetrics.USER32(0000000C), ref: 00477373
GetDC.USER32(00000000), ref: 0047738C
GetDeviceCaps.GDI32(00000000,00000058), ref: 0047739D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004773A5
ReleaseDC.USER32(00000000,00000000), ref: 004773AD

Part of subcall function 0047B8D2: GetSystemMetrics.USER32(00000002), ref: 0047B8E4
Part of subcall function 0047B8D2: GetSystemMetrics.USER32(00000003), ref: 0047B8EE

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: 1fc35bbbae7d875fac6e2ada646fa520c7d48b04296a918ee672234aa0e3743b
Instruction ID: 16558e80cbd38ea90b8fd558514f22ed0b711af765a49fb7a85cdb4b0af4c51f
Opcode Fuzzy Hash: 1fc35bbbae7d875fac6e2ada646fa520c7d48b04296a918ee672234aa0e3743b
Instruction Fuzzy Hash: 4CF09071640700AEE3206B729C49F5B77A8EB80B55F10882EF705462D0CA789804CFA5

Function 0047A9EA Relevance: 7.5, APIs: 5, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsFree.KERNELBASE(00000000,?,?,0047AEF7,00000000,00000001), ref: 0047A9F6
GlobalHandle.KERNEL32(?), ref: 0047AA1E
GlobalUnlock.KERNEL32(00000000), ref: 0047AA27
GlobalFree.KERNEL32(00000000), ref: 0047AA2E
DeleteCriticalSection.KERNEL32(-0000001C,?,?,0047AEF7,00000000,00000001), ref: 0047AA38

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Global$Free$CriticalDeleteHandleSectionUnlock
String ID:
API String ID: 2159622880-0
Opcode ID: 4a13c486143662dd6b767ee1eb0da0e1f6837a005705944876f0ed88e43ba506
Instruction ID: dcd1059b747a0afa85221aac36c627a8f5c927b0762f100974e2db4ea426ce27
Opcode Fuzzy Hash: 4a13c486143662dd6b767ee1eb0da0e1f6837a005705944876f0ed88e43ba506
Instruction Fuzzy Hash: B5F05E362102005BC761AB28AD4CA6F77ADAFC4721B19892EF849D3251DB78DC19876A

Function 0046490A Relevance: 4.6, APIs: 3, Instructions: 51COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,004648F5,?,00000000,00000000,00460E3E,00000000,00000000), ref: 0046491F
TerminateProcess.KERNEL32(00000000,?,004648F5,?,00000000,00000000,00460E3E,00000000,00000000), ref: 00464926
ExitProcess.KERNEL32 ref: 004649A7

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 54bbf2e7f443ae49808b0db6eef1b284b95be4c7f44daac54fc168cb6809af08
Instruction ID: e07052747d2a2fcd890ff4c6b92e3c4d5fc3665f7edb3651b17f7257a16e99fc
Opcode Fuzzy Hash: 54bbf2e7f443ae49808b0db6eef1b284b95be4c7f44daac54fc168cb6809af08
Instruction Fuzzy Hash: EF0148B2284201DAEE11AB39FC8969FBBE4ABD0310B10841FF08452151EB39588E9B1F

Function 00471B28 Relevance: 3.1, APIs: 2, Instructions: 107fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00471E54: __EH_prolog.LIBCMT ref: 00471E59
Part of subcall function 00471E54: GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?), ref: 00471E77
Part of subcall function 00471E54: lstrcpynA.KERNEL32(?,?,00000104), ref: 00471E86

CreateFileA.KERNELBASE(00000000,80000000,00000000,0000000C,00000003,00000080,00000000,?,?,?,?), ref: 00471C03
GetLastError.KERNEL32 ref: 00471C15

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CreateErrorFileFullH_prologLastNamePathlstrcpyn
String ID:
API String ID: 1034715445-0
Opcode ID: 6fa5f04832118b8d0058f5745fb5a2e3a087eded9343143799d8be26ee14c8a7
Instruction ID: 04cdd2512b919a501d7875c97b78a3369284baafbbdf1a4f9a9cab85a5f3480d
Opcode Fuzzy Hash: 6fa5f04832118b8d0058f5745fb5a2e3a087eded9343143799d8be26ee14c8a7
Instruction Fuzzy Hash: 9D31FB31A002099BDB344E2DCC45FEB7365AB80354F24C96FE41ED66A0E67CED458744

Function 00405740 Relevance: 3.1, APIs: 2, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b28427417ff03d2573b4c058145b6af1366d7066ebcf8175a5ddb3e3bc9359
Instruction ID: 22ac3336681de452aa47deba384a46f421215bb2ed3712aa9660124a3a49033f
Opcode Fuzzy Hash: c5b28427417ff03d2573b4c058145b6af1366d7066ebcf8175a5ddb3e3bc9359
Instruction Fuzzy Hash: BB2126B6600B00CFE720DF6AD884A47B7E8EBA0765F10C83FE155D7250E374A8149B54

Function 00405940 Relevance: 3.0, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,0040592C,?,?,00405C7B,?,00000020,00000000), ref: 00405989
RtlFreeHeap.NTDLL(005A0000,00000000,?,?,?,0040592C,?,?,00405C7B,?,00000020,00000000), ref: 00405998

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: b7f2aea61bcc2a098485cac52cdf21d8a630c37473c526697e69fffb6ed3e23b
Instruction ID: 2786b8d6c7b7994e99f8ef1187de3e417ac0f914684e4603051d915074dbaa0a
Opcode Fuzzy Hash: b7f2aea61bcc2a098485cac52cdf21d8a630c37473c526697e69fffb6ed3e23b
Instruction Fuzzy Hash: 91F06276200601DFC7108B29D908B5FB76AEBE1725F15C47AE4449B294E271E805CFA4

Function 0047B604 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000000,00000000,004773E1,00000000,00000000,00000000,00000000,?,00000000,?,0046EFFB,00000000,00000000,00000000,00000000,00460E35), ref: 0047B60D
SetErrorMode.KERNELBASE(00000000,?,00000000,?,0046EFFB,00000000,00000000,00000000,00000000,00460E35,00000000), ref: 0047B614

Part of subcall function 0047B667: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0047B698
Part of subcall function 0047B667: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0047B739
Part of subcall function 0047B667: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0047B766

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: 5b14771f580f11cfaa7e58d3d1439a043137e5be7d797193ad66c22d773f1a6c
Instruction ID: 2320fb4fd96b6d00a6cf76dd4050b610bf7e593baadde4c3a9f6d72b4a54eb2f
Opcode Fuzzy Hash: 5b14771f580f11cfaa7e58d3d1439a043137e5be7d797193ad66c22d773f1a6c
Instruction Fuzzy Hash: A4F014719142148FD714BF259544B9A7BA4AF84714F06C48FB4589B3A2CB78D841CBDA

Function 00471C7F Relevance: 3.0, APIs: 2, Instructions: 31fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000001,?,0040538F,-00000010,?,?,00001011,00000000), ref: 00471C9A
GetLastError.KERNEL32(?,?,0040538F,-00000010,?,?,00001011,00000000), ref: 00471CA7

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 47dceefd5245bc25ced4496cbfdac00697379506926715628ac434943bcfb0b1
Instruction ID: c000a47c79c8a0b6e56d224ec5ab748d5e53ffaac236b6e6883e22b220ef0a59
Opcode Fuzzy Hash: 47dceefd5245bc25ced4496cbfdac00697379506926715628ac434943bcfb0b1
Instruction Fuzzy Hash: A3F08236140604BECB211F9ADC04EDBBBADEB40770F10C22FB92C862A0C6759D048B54

Function 00465E36 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00460DB3,00000001), ref: 00465E47

Part of subcall function 00465CEE: GetVersionExA.KERNEL32 ref: 00465D0D

HeapDestroy.KERNEL32 ref: 00465E86

Part of subcall function 00469735: HeapAlloc.KERNEL32(00000000,00000140,00465E6F,000003F8), ref: 00469742

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 65a65d2f0146af5c590d5e2659ee1c5cdf0d23c73ed019bc772435702c46db11
Instruction ID: a0a07d5f6ef47e9a31fb5ba0a86ad274b885f3dddbf848ce5fadc29b5feac161
Opcode Fuzzy Hash: 65a65d2f0146af5c590d5e2659ee1c5cdf0d23c73ed019bc772435702c46db11
Instruction Fuzzy Hash: 24F02B30610B019FDF511B70EC4277F36949BA8742F10443BF414C81A0FB7A8A80EA0B

Function 00476136 Relevance: 3.0, APIs: 2, Instructions: 27threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00476149
SetWindowsHookExA.USER32(000000FF,0047648B,00000000,00000000), ref: 00476159

Part of subcall function 0047AE3D: __EH_prolog.LIBCMT ref: 0047AE42

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID:
API String ID: 2183259885-0
Opcode ID: 6ed524ea6b626c4bf913e27a216419fa15f6b26b4eef44a1b3932e5cb487c9f5
Instruction ID: 04d794927e159a9c77c18dc1f4b87309b5d25260c7b9e6771a5c100da6152ee7
Opcode Fuzzy Hash: 6ed524ea6b626c4bf913e27a216419fa15f6b26b4eef44a1b3932e5cb487c9f5
Instruction Fuzzy Hash: F9F0A7318416106ED7313BB0A90DBDD3691AF80329F468A6EF01E561D2CA7C9C95879F

Function 00473680 Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 004736A7
CallWindowProcA.USER32(?,?,?,?,?), ref: 004736BC

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: 04255d8f0689b27ad34f9315ce48b136e3f363a0b11fafc09143a0432f032855
Instruction ID: 7c0467fbb08ad2cf0e332a6adcaeea09075dcd2878342973343fab0fca15c555
Opcode Fuzzy Hash: 04255d8f0689b27ad34f9315ce48b136e3f363a0b11fafc09143a0432f032855
Instruction Fuzzy Hash: C9F0AC36100209FFDF619F95DC04DDA7BBAFF08351B04842AF94986630D732D924AF58

Function 004732B6 Relevance: 3.0, APIs: 2, Instructions: 25threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0047ADA8: TlsGetValue.KERNEL32(00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2,?,00000000,?,0046EFFB,00000000,00000000,00000000,00000000), ref: 0047ADE7

GetCurrentThreadId.KERNEL32 ref: 004732D8
SetWindowsHookExA.USER32(00000005,004730C0,00000000,00000000), ref: 004732E8

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CurrentHookThreadValueWindows
String ID:
API String ID: 933525246-0
Opcode ID: 48e2ee42c925738d53d30427ce92e4bdf6030603648785bb5e67bd1e7ea298a1
Instruction ID: 8e9cffbd0a64c4f9a0841eb6c3453586b692654789145f2ad359f041e18820ed
Opcode Fuzzy Hash: 48e2ee42c925738d53d30427ce92e4bdf6030603648785bb5e67bd1e7ea298a1
Instruction Fuzzy Hash: 07E065312407009FD3705F11A805B9B77E4EBC5B12F10852FF14E91581D2789949CF6F

Function 00471C45 Relevance: 3.0, APIs: 2, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,?,00405BDC,00000000,?,?,?,00000020,00000000), ref: 00471C61
GetLastError.KERNEL32(00000000,?,00405BDC,00000000,?,?,?,00000020,00000000), ref: 00471C6C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: db8aba3207218030cfe10faf18aac98454dcc6773de3e7153485178c60010af0
Instruction ID: cde6cd80389db1ff695e46d94cb178a5bd06d8fae6ee96b5f78b3fabf4a5c83d
Opcode Fuzzy Hash: db8aba3207218030cfe10faf18aac98454dcc6773de3e7153485178c60010af0
Instruction Fuzzy Hash: FEE01A35140108BECB419FA4CC09BAA37ACAB14364F50C429FA0D89121D379DA149B58

Function 00471CCA Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,00000000,?), ref: 00471CD8
GetLastError.KERNEL32(00000000), ref: 00471CE7

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: f7a5aac452f92fd95c2d74539cc431d932561d1bc4f051168de2df114fd2c7cb
Instruction ID: a04f4869bda53a3118dedb80bb732d0e95e74d589545e1f2bd94533fe4d0ef89
Opcode Fuzzy Hash: f7a5aac452f92fd95c2d74539cc431d932561d1bc4f051168de2df114fd2c7cb
Instruction Fuzzy Hash: F1D02E325002207BC6402BB4AC0CB8EBA58BB08370F008E2DFA68921E0C2318C008B88

Function 00471D43 Relevance: 2.5, APIs: 2, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000001,?,?,00471A9A,?,?,004053AF,?,00001011,00000000), ref: 00471D52
GetLastError.KERNEL32(00000000,00471A9A,?,?,004053AF,?,00001011,00000000), ref: 00471D77

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 49e209c4838e752c1f3ffcc021e22d6e438bd5d28509f11fa13fcf0b190be5c7
Instruction ID: bbea7f99e76b3f8be1789acf1449d3c4bfd1672b9e7af03307286c4fd815d9f6
Opcode Fuzzy Hash: 49e209c4838e752c1f3ffcc021e22d6e438bd5d28509f11fa13fcf0b190be5c7
Instruction Fuzzy Hash: B0E092325006004BC324673ADC09A9A7399AFC0735F15CB1EE57EC71F08F74A8094614

Function 00462645 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0046272C

Part of subcall function 004684F4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 00468531
Part of subcall function 004684F4: EnterCriticalSection.KERNEL32(?,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 0046854C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 29931c076774e1051b49fffcf52d0de2c459819f239985ebd23dc097d5d039ef
Instruction ID: 23e391cb68311790ba82c6ec2bfbf30b62cd7d727e348196dacd33d14ba1cee1
Opcode Fuzzy Hash: 29931c076774e1051b49fffcf52d0de2c459819f239985ebd23dc097d5d039ef
Instruction Fuzzy Hash: 5321D671A00A04BBDB10EB65DD42B9E77A4EB00725F14411BF410EB2D1F7B8A9419A5E

Function 0046251E Relevance: 1.6, APIs: 1, Instructions: 75memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074), ref: 004625F2

Part of subcall function 004684F4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 00468531
Part of subcall function 004684F4: EnterCriticalSection.KERNEL32(?,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 0046854C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapInitialize
String ID:
API String ID: 641406236-0
Opcode ID: d7687083481b949a20775ded8b06956d8403e74c28273142179fd976021ff8ee
Instruction ID: 6ac38fba090b8e0cd552bd39414728c59123c440f9a6d7b6dee87d9099c5520c
Opcode Fuzzy Hash: d7687083481b949a20775ded8b06956d8403e74c28273142179fd976021ff8ee
Instruction Fuzzy Hash: 3821D672801A09BBCB219B959D16BDE7B78EB04765F14411FF411B12C1FBBC9A40CA6F

Function 00472C1D Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00472C22

Part of subcall function 0047ADA8: TlsGetValue.KERNEL32(00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2,?,00000000,?,0046EFFB,00000000,00000000,00000000,00000000), ref: 0047ADE7

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: H_prologValue
String ID:
API String ID: 3700342317-0
Opcode ID: 1609befb9682f1c82eb61212d8494f4b71046ac20ab3e4e2159076e01b54864a
Instruction ID: acf6e54c6f860bb7f285176997f3012398af55e9b9376b82e9629a1b00d9251d
Opcode Fuzzy Hash: 1609befb9682f1c82eb61212d8494f4b71046ac20ab3e4e2159076e01b54864a
Instruction Fuzzy Hash: F3218D72900209EFDF11CF54C581AEE7BB9FF48314F00806AF809AB240C3B4AE44CB95

Function 00473344 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,00000080,00436A31,?,?,?,?,?,?,?,?,?), ref: 004733E2

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: dbb498c7f2cda6e05cb8b18bcbaef13a66bcf5f98d8d4e22bcced86f57a59be5
Instruction ID: d5f74644314c22127cae4e594a18229e83d1b6e9cd0116ab85e2aa41e9bda49e
Opcode Fuzzy Hash: dbb498c7f2cda6e05cb8b18bcbaef13a66bcf5f98d8d4e22bcced86f57a59be5
Instruction Fuzzy Hash: CB31BD75A00219AFCF41DFA8C8449DEBBF1BF4C304B01846AF918E7310E7359A519FA4

Function 00473633 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00000000,?,?,?,004734BC,005057D0,?,0040F18C), ref: 00473660

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: 9eca134ab74619115f9ca23434351dda13293752390c36d59f71f4c06805ec52
Instruction ID: be17318105b56644934a59114b318ebccbd214ca98b6745033fb055823d4eae7
Opcode Fuzzy Hash: 9eca134ab74619115f9ca23434351dda13293752390c36d59f71f4c06805ec52
Instruction Fuzzy Hash: 38F0E231200600EFCB746E29E814A9A73A4EF8071AB00C02EF00687320DB68ED069B44

Function 00472E94 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3106807c18d85ff37cd54ce47c6d9b205ce7d64f6c9daab54c8cd37cb984e2a
Instruction ID: c26a12b5e2435f20ac75bb848588befddb52d10d35f68917465814fffd23c4df
Opcode Fuzzy Hash: b3106807c18d85ff37cd54ce47c6d9b205ce7d64f6c9daab54c8cd37cb984e2a
Instruction Fuzzy Hash: 69F01C32000519FBCF225E919E01EEF3B29BF14361F00C816FA1955250C7BAD6A1EFA9

Function 004154B0 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(005A0000,00000000,?,?,005057D0,00413B8A,0000001C), ref: 004154C1

Part of subcall function 00412140: wsprintfA.USER32 ref: 00412152

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: AllocateHeapwsprintf
String ID:
API String ID: 1352872168-0
Opcode ID: cc5f1e285d0f94177d62f8280bba7342526e083d8ec1dc1d24f10bc4fa1d1e77
Instruction ID: bc1ff48080c5b3ab07b00576f7c42162bc1a55f12a5e65cb5b192bd639d7b226
Opcode Fuzzy Hash: cc5f1e285d0f94177d62f8280bba7342526e083d8ec1dc1d24f10bc4fa1d1e77
Instruction Fuzzy Hash: 30E08CB590020CFFCB00DF90E845BAE77B8EB48300F108198FD098B340E675AE80DB98

Function 004155B0 Relevance: 1.5, APIs: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(005A0000,00000000,00000000,00000000,?,0040FE13,?), ref: 004155D8

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 19fcb79f2ab09abbea95f4cb6ce32339569eb282d51ca7caf42afc6b4b6b4bb8
Instruction ID: f380979d4a87415a4f1c58838160ae3526f7132bda81363000a9092ec25b248f
Opcode Fuzzy Hash: 19fcb79f2ab09abbea95f4cb6ce32339569eb282d51ca7caf42afc6b4b6b4bb8
Instruction Fuzzy Hash: 13D01276200A08EFD7149B54D849BEF3BAAE784744F108019F60D4A694EA74EC80DBA4

Function 00476C9D Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

LoadStringA.USER32(?,?,?,?), ref: 00476CB4

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 349b10221325f4b53d0d7f13d6fe59a97de8253698001c2c41ec700c4d2c1ecc
Instruction ID: 375bc89285cfe0dbd38e3b98a1bf77c15d19e7fb26e740974e8835e54aa146f6
Opcode Fuzzy Hash: 349b10221325f4b53d0d7f13d6fe59a97de8253698001c2c41ec700c4d2c1ecc
Instruction Fuzzy Hash: F1D0A7721083619FC741DF608C08D8FBBA4FF54320B094C0EF4D443211C324D858C766

Function 00405220 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE ref: 00405227

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 92494f2dfa983a51ea3f5746b546b502c8131b8e55f0f249a3cc59208806e18d
Instruction ID: 8c46d87d19bdcb2ea60895c8f95ecd697b4d949fc1a208d575b5d7b8e96b347c
Opcode Fuzzy Hash: 92494f2dfa983a51ea3f5746b546b502c8131b8e55f0f249a3cc59208806e18d
Instruction Fuzzy Hash: 14C048B8214200EFC304CF20C58480AB7E1EBC9201B0089ACB84587314CB30E800DB22

Non-executed Functions

Function 00427FA0 Relevance: 85.5, APIs: 47, Strings: 1, Instructions: 1494windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00477EE4: __EH_prolog.LIBCMT ref: 00477EE9
Part of subcall function 00477EE4: BeginPaint.USER32(?,?,?,?,00407489), ref: 00477F12

Part of subcall function 00477A95: GetClipBox.GDI32(?,?), ref: 00477A9C

DPtoLP.GDI32 ref: 004280BB
GetClientRect.USER32(?,?), ref: 004280C9
DPtoLP.GDI32(?,?,00000002), ref: 004280E1
IntersectRect.USER32(?,?,?), ref: 00428180
LPtoDP.GDI32(?,?,00000002), ref: 004281C1
IntersectRect.USER32(?,?,?), ref: 0042821E
LPtoDP.GDI32(?,?,00000002), ref: 0042825F
CreateRectRgnIndirect.GDI32(?), ref: 0042828A
IntersectRect.USER32(?,?,?), ref: 004282BE
LPtoDP.GDI32(?,?,00000002), ref: 004282FF
CreateRectRgnIndirect.GDI32(?), ref: 00428325
CreateRectRgnIndirect.GDI32(?), ref: 00428354
GetCurrentObject.GDI32(?,00000006), ref: 00428370
GetCurrentObject.GDI32(?,00000001), ref: 00428389
GetCurrentObject.GDI32(?,00000002), ref: 004283A2

Part of subcall function 00477754: SetBkMode.GDI32(?,?), ref: 0047776D
Part of subcall function 00477754: SetBkMode.GDI32(?,?), ref: 0047777B

Part of subcall function 00474577: GetScrollPos.USER32(00000000,0040D3C3), ref: 00474595

Part of subcall function 00427BD0: CreateFontIndirectA.GDI32(00000000), ref: 00427C22

FillRgn.GDI32(?,?,?), ref: 00428582
IntersectRect.USER32(?,?,?), ref: 00428667
IsRectEmpty.USER32(?), ref: 00428672
LPtoDP.GDI32(?,?,00000002), ref: 0042868F
CreateRectRgnIndirect.GDI32(?), ref: 0042869A
CombineRgn.GDI32(?,?,?,00000004), ref: 004286CB
DPtoLP.GDI32(?,?,00000002), ref: 004286E9

Part of subcall function 0047783B: SetMapMode.GDI32(?,?), ref: 00477854
Part of subcall function 0047783B: SetMapMode.GDI32(?,?), ref: 00477862

PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00428728
IntersectRect.USER32(?,?,?), ref: 004287BB
IsRectEmpty.USER32(?), ref: 00428801
SelectObject.GDI32(?,?), ref: 0042883C
DPtoLP.GDI32(?,?,00000001), ref: 004288C8
LPtoDP.GDI32(?,?,00000001), ref: 004289E7
DPtoLP.GDI32(?,?,00000001), ref: 00428A05

Part of subcall function 00477B69: MoveToEx.GDI32(?,?,?,?), ref: 00477B8B
Part of subcall function 00477B69: MoveToEx.GDI32(?,?,?,?), ref: 00477B9F

Part of subcall function 00477BB5: MoveToEx.GDI32(?,?,?,00000000), ref: 00477BCF
Part of subcall function 00477BB5: LineTo.GDI32(?,?,?), ref: 00477BE0

Part of subcall function 00477678: SelectObject.GDI32(?,00000000), ref: 0047769A
Part of subcall function 00477678: SelectObject.GDI32(?,?), ref: 004776B0

Part of subcall function 0042B290: GetCurrentObject.GDI32(?), ref: 0042B35B
Part of subcall function 0042B290: LPtoDP.GDI32(?,00000000,00000001), ref: 0042B3A8

IntersectRect.USER32(?,00000000,?), ref: 00428B52
IsRectEmpty.USER32(00000000), ref: 00428B5D
PatBlt.GDI32(?,00000000,?,?,?,00F00021), ref: 00428BA4
LPtoDP.GDI32(?,00000000,00000002), ref: 00428BB9
CreateRectRgnIndirect.GDI32(00000000), ref: 00428BC4
CombineRgn.GDI32(?,?,?,00000004), ref: 00428BF5
LPtoDP.GDI32(?,?,00000001), ref: 00428C24
DPtoLP.GDI32(?,?,00000001), ref: 00428C42
wsprintfA.USER32 ref: 00428CE0
SelectObject.GDI32(?,?), ref: 00428D08
IntersectRect.USER32(?,?,?), ref: 00429278
IsRectEmpty.USER32(?), ref: 00429283
LPtoDP.GDI32(?,?,00000002), ref: 004292A0
CreateRectRgnIndirect.GDI32(?), ref: 004292AB
CombineRgn.GDI32(?,?,?,00000004), ref: 004292DC

Part of subcall function 0042A950: SetRectEmpty.USER32(?), ref: 0042A9CA

Part of subcall function 0042A950: GetSysColor.USER32(0000000F), ref: 0042AAFB
Part of subcall function 0042A950: IntersectRect.USER32(?,?,?), ref: 0042AB53

GetSysColor.USER32(0000000F), ref: 00428466

Part of subcall function 004780E1: __EH_prolog.LIBCMT ref: 004780E6
Part of subcall function 004780E1: CreateSolidBrush.GDI32(?), ref: 00478103

Part of subcall function 00478091: __EH_prolog.LIBCMT ref: 00478096
Part of subcall function 00478091: CreatePen.GDI32(?,?,?), ref: 004780B9

CreateRectRgnIndirect.GDI32(?), ref: 004281E6

Part of subcall function 004297A0: CopyRect.USER32(?,00000000), ref: 00429817
Part of subcall function 004297A0: IsRectEmpty.USER32(?), ref: 00429822
Part of subcall function 004297A0: GetClientRect.USER32(00000000,?), ref: 00429861
Part of subcall function 004297A0: DPtoLP.GDI32(?,?,00000002), ref: 00429873
Part of subcall function 004297A0: LPtoDP.GDI32(?,?,00000002), ref: 004298B0

FillRect.USER32(?,?,?), ref: 004295D9

Strings

\VO, xrefs: 00428517

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$Create$IndirectIntersectObject$Empty$CurrentModeSelect$CombineH_prologMove$ClientColorFill$BeginBrushClipCopyFontLinePaintScrollSolidwsprintf
String ID: \VO
API String ID: 3726329589-2422581269
Opcode ID: b8a72699f2da2b8c3a2f7b45e353d9b5dbcfcc67d76d6dddffb7fd63c94fdbf1
Instruction ID: 447a59548c99cffc072d8d781cdf8ef875bb27a00297907e9253bc30787621f7
Opcode Fuzzy Hash: b8a72699f2da2b8c3a2f7b45e353d9b5dbcfcc67d76d6dddffb7fd63c94fdbf1
Instruction Fuzzy Hash: 66D236712083819FD724DF25D894BAFB7E9BFC8704F40891EF58A83251DB74A909CB66

Function 004107B0 Relevance: 55.2, APIs: 29, Strings: 2, Instructions: 979windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00410822
IsIconic.USER32(?), ref: 0041085A
SetActiveWindow.USER32(?), ref: 00410883
IsWindow.USER32(?), ref: 004108AD
IsWindow.USER32(?), ref: 00410B7E
DestroyAcceleratorTable.USER32(?), ref: 00410CCE
DestroyMenu.USER32(?), ref: 00410CD9
DestroyAcceleratorTable.USER32(?), ref: 00410CF3
DestroyMenu.USER32(?), ref: 00410D02
DestroyAcceleratorTable.USER32(?), ref: 00410D62
DestroyMenu.USER32(?,000003EA,00000000,00000000,?,?,00000000,?,?,?,000007D9,00000000,00000000), ref: 00410D71
SetParent.USER32(?,?), ref: 00410DF3
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00410F0B
IsWindow.USER32(?), ref: 0041103C
SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 00411051
SendMessageA.USER32(?,00008004,00000000,00000000), ref: 0041106E
DestroyAcceleratorTable.USER32(?), ref: 004110BC
IsWindow.USER32(?), ref: 00411131
IsWindow.USER32(?), ref: 00411181
IsWindow.USER32(?), ref: 004111D1
IsWindow.USER32(?), ref: 0041120E
IsWindow.USER32(?), ref: 00411291
GetParent.USER32(?), ref: 0041129F
GetFocus.USER32 ref: 004112E0

Part of subcall function 004106A0: IsWindow.USER32(?), ref: 0041071B
Part of subcall function 004106A0: GetFocus.USER32 ref: 00410725
Part of subcall function 004106A0: IsChild.USER32(?,00000000), ref: 00410737

IsWindow.USER32(?), ref: 0041133F
SendMessageA.USER32(?,00008076,00000000,00000000), ref: 00411354
IsWindow.USER32(00000000), ref: 00411367
GetFocus.USER32 ref: 00411371
SetFocus.USER32(00000000), ref: 0041137C

Strings

`\A, xrefs: 00410D11, 00411390
d, xrefs: 004107C3

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$Destroy$AcceleratorFocusTable$MenuMessageSend$Parent$ActiveChildIconic
String ID: `\A$d
API String ID: 3681805233-346329946
Opcode ID: 3f9d721796771d9d0a5f5788a6daa458acafc3d838b9f36e7d11632188ce6160
Instruction ID: 656883530a809c1052ca07e2a604158577a8150e27dc577a50c57d9adcaecc6e
Opcode Fuzzy Hash: 3f9d721796771d9d0a5f5788a6daa458acafc3d838b9f36e7d11632188ce6160
Instruction Fuzzy Hash: F27271716043059BD320DF65C881FAFB7E9AF84704F14492EF94997381DB78E885CBAA

Function 00418030 Relevance: 51.7, APIs: 23, Strings: 6, Instructions: 986windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 00418069
TranslateAcceleratorA.USER32(?,?,?,?), ref: 004180C3
IsChild.USER32(?,?), ref: 004180F4
GetFocus.USER32 ref: 0041824F
PostMessageA.USER32(?,000000A1,00000002,00000000), ref: 004182D9
PostMessageA.USER32(?,000000A1,00000002,00000000), ref: 00418348
IsChild.USER32(?,00000000), ref: 004183F1
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 004183C2

Part of subcall function 0040E6D0: IsChild.USER32(?,?), ref: 0040E74D
Part of subcall function 0040E6D0: GetParent.USER32(?), ref: 0040E767

IsWindow.USER32(?), ref: 00418CC9

Strings

0, xrefs: 004185B9
Z, xrefs: 004185CC
A, xrefs: 004185C3
hlp, xrefs: 0041896D
9, xrefs: 004185BE
\VO, xrefs: 0041860E

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ChildMessage$PostWindow$AcceleratorEnabledFocusParentSendTranslate
String ID: 0$9$A$Z$\VO$hlp
API String ID: 3372979518-2341453987
Opcode ID: cf644107aa7e61a539d9613fe9f2bfaaa112d89a671fb253dc494d7e60dbf5ba
Instruction ID: 819082ef1b272f0051aef52bf47e16b5137a522189c5edd2943b4a8575f28bfd
Opcode Fuzzy Hash: cf644107aa7e61a539d9613fe9f2bfaaa112d89a671fb253dc494d7e60dbf5ba
Instruction Fuzzy Hash: 35729F706043469BDB24DF25C881BEBB3A5AF94704F10492FF94597381EF78DC858BAA

Function 0043B150 Relevance: 32.8, Strings: 26, Instructions: 305COMMON

Download Yara Rule

Strings

PCS illuminant is not D50, xrefs: 0043B2A4
psca, xrefs: 0043B278
knil, xrefs: 0043B380
lcmn, xrefs: 0043B370
rncs, xrefs: 0043B3DD
invalid ICC profile color space, xrefs: 0043B2F0
unexpected ICC PCS encoding, xrefs: 0043B42E
intent outside defined range, xrefs: 0043B23F
Gray color space not permitted on RGB PNG, xrefs: 0043B334
tsba, xrefs: 0043B379
baL, xrefs: 0043B420
unexpected NamedColor ICC profile class, xrefs: 0043B3CA
invalid embedded Abstract ICC profile, xrefs: 0043B3B1
invalid rendering intent, xrefs: 0043B21D
RGB color space not permitted on grayscale PNG, xrefs: 0043B310
rtrp, xrefs: 0043B3D6
invalid signature, xrefs: 0043B27F
ZYX, xrefs: 0043B427
BGR, xrefs: 0043B2E5
YARG, xrefs: 0043B2DE
rtnm, xrefs: 0043B387
unexpected DeviceLink ICC profile class, xrefs: 0043B394
unrecognized ICC profile class, xrefs: 0043B3EB
length does not match profile, xrefs: 0043B189
caps, xrefs: 0043B3E4
tag count too large, xrefs: 0043B454

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: BGR$ ZYX$ baL$Gray color space not permitted on RGB PNG$PCS illuminant is not D50$RGB color space not permitted on grayscale PNG$YARG$caps$intent outside defined range$invalid ICC profile color space$invalid embedded Abstract ICC profile$invalid rendering intent$invalid signature$knil$lcmn$length does not match profile$psca$rncs$rtnm$rtrp$tag count too large$tsba$unexpected DeviceLink ICC profile class$unexpected ICC PCS encoding$unexpected NamedColor ICC profile class$unrecognized ICC profile class
API String ID: 0-319498373
Opcode ID: aed33545beffabc9f7e1b222ac90f2c9e68c313df82e5e4790da6ecf606e86a2
Instruction ID: 45dc4eb57cef8c4a097652602be6a7ba71b1a41909d61ed10de66dd52f908b6e
Opcode Fuzzy Hash: aed33545beffabc9f7e1b222ac90f2c9e68c313df82e5e4790da6ecf606e86a2
Instruction Fuzzy Hash: 75917BE360415017DB08DE2C9C92B7B7B95DBDD301F1E90ABFA84CA303D619D90586BA

Function 00419220 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 93libraryloaderwindowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0041922C
IsZoomed.USER32(?), ref: 0041923A
LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 00419264
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00419277
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00419285
FreeLibrary.KERNEL32(00000000), ref: 004192BB
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004192D1
IsWindow.USER32(?), ref: 004192FE
ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 0041930B

Strings

MonitorFromWindow, xrefs: 00419271
GetMonitorInfoA, xrefs: 0041927D
H, xrefs: 004192A8
User32.dll, xrefs: 00419259

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
API String ID: 447426925-661446951
Opcode ID: 10b1d5f23937af8889a11d4c56849cccd6d6c48e1813f748d429240911c07fc1
Instruction ID: ccd86734c1a7b36a176dddf9090c87c6b3c5cf4ea1fa71912d9001001beb8ff4
Opcode Fuzzy Hash: 10b1d5f23937af8889a11d4c56849cccd6d6c48e1813f748d429240911c07fc1
Instruction Fuzzy Hash: 26317C71740301AFD7509F65CC59F6F77A8AF84B01F00892DFA05A7280DBB8EC498B69

Function 00412B20 Relevance: 18.3, APIs: 12, Instructions: 273windowthreadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00412B45
IsWindow.USER32(00000000), ref: 00412B61
SendMessageA.USER32(00000000,000083E7,00412451,00000000), ref: 00412B7A
ExitProcess.KERNEL32 ref: 00412B8F
FreeLibrary.KERNEL32(?), ref: 00412C73
FreeLibrary.KERNEL32 ref: 00412CC7
DestroyIcon.USER32(00000000), ref: 00412D17
DestroyIcon.USER32(00000000), ref: 00412D2E
IsWindow.USER32(00000000), ref: 00412D45
DestroyIcon.USER32(?,00000001,00000000,000000FF), ref: 00412DF4
WSACleanup.WS2_32 ref: 00412E3F

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: DestroyIcon$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
String ID:
API String ID: 3816745216-0
Opcode ID: fc41dee945cba4ad6fcca4ca756a7c5a508226ca7758bda3985d190047640c18
Instruction ID: ed209e40a7f129c8e06348e0a1b8d639cb71a344ac6e59fa71ce80ba406a64ea
Opcode Fuzzy Hash: fc41dee945cba4ad6fcca4ca756a7c5a508226ca7758bda3985d190047640c18
Instruction Fuzzy Hash: F1B189B02007029BC724DF69DAC5BEBB3E4BF48314F40492EE59AD7291DB74B991CB58

Function 00414010 Relevance: 16.6, APIs: 8, Strings: 1, Instructions: 865COMMON

Download Yara Rule

Strings

`\A, xrefs: 00414C88

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: `\A
API String ID: 2111968516-2688774508
Opcode ID: 5678c2a4a20a7fa8b0e4d1cfe981d0b06ec37b358d166c8be3b2b784a78857bf
Instruction ID: abfd95d1892acde99ab23f64cb29f8d84933245bf0280da0cb06a989c2d54543
Opcode Fuzzy Hash: 5678c2a4a20a7fa8b0e4d1cfe981d0b06ec37b358d166c8be3b2b784a78857bf
Instruction Fuzzy Hash: B562D6716083019FD724DF25C880BAB73E5AFC5314F15492EF98A97381DB38ED858B9A

Function 004724DC Relevance: 13.6, APIs: 9, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004724E1
FindResourceA.KERNEL32(?,00000000,00000005), ref: 00472519
LoadResource.KERNEL32(?,00000000,?,?,?,00000000), ref: 00472521

Part of subcall function 00473302: UnhookWindowsHookEx.USER32(?), ref: 00473327

LockResource.KERNEL32(?,?,00000000,?,?,?,00000000), ref: 0047252E
IsWindowEnabled.USER32(?), ref: 00472561
EnableWindow.USER32(?,00000000), ref: 0047256F
EnableWindow.USER32(?,00000001), ref: 004725FD
GetActiveWindow.USER32 ref: 00472608
SetActiveWindow.USER32(?,?,?,00000000,?,?,?,00000000), ref: 00472616

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 401145483-0
Opcode ID: d5df313de6341444ada72bf56ef0985310c795a9377ae0fa353b0e96e108062c
Instruction ID: c9af801f63e3d989ec84e20cad10c17d049c810dd30404c2b860ceca7c001f2e
Opcode Fuzzy Hash: d5df313de6341444ada72bf56ef0985310c795a9377ae0fa353b0e96e108062c
Instruction Fuzzy Hash: C741BF70900604EFCB21AF64CE49AEFBBB5BF44715F10861FF506A2291CBB94E41CB59

Function 0042D340 Relevance: 12.1, APIs: 8, Instructions: 88clipboardmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000042,?), ref: 0042D3B7
GlobalLock.KERNEL32(00000000), ref: 0042D3D3
GlobalUnlock.KERNEL32(00000000), ref: 0042D3F5
OpenClipboard.USER32(00000000), ref: 0042D3FD
GlobalFree.KERNEL32(00000000), ref: 0042D409
EmptyClipboard.USER32 ref: 0042D411
SetClipboardData.USER32(?,00000000), ref: 0042D423
CloseClipboard.USER32 ref: 0042D429

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 453615576-0
Opcode ID: 2d71a64ab5d2e3c04057ac3b91058153c8ce73bec7e523cb26e67aeca362ec28
Instruction ID: a3bd699323cbd7b0c9b74682f334725013566dc8c7ad3d9250605c19bb40b547
Opcode Fuzzy Hash: 2d71a64ab5d2e3c04057ac3b91058153c8ce73bec7e523cb26e67aeca362ec28
Instruction Fuzzy Hash: 2131B471304311AFC354EF65EC59B2F77A8EB88724F844A2EF95683291DB78D808CB65

Function 00409630 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047118B: InterlockedIncrement.KERNEL32(-000000F4), ref: 004711A0

FindFirstFileA.KERNEL32(?,?,*.*), ref: 004096CA

Part of subcall function 0046F09D: __EH_prolog.LIBCMT ref: 0046F0A2

Part of subcall function 00471416: InterlockedDecrement.KERNEL32(-000000F4), ref: 0047142A

SendMessageA.USER32 ref: 00409770
FindNextFileA.KERNEL32(?,00000010), ref: 0040977C
FindClose.KERNEL32(?), ref: 0040978F
SendMessageA.USER32(?,00001102,00000002,?), ref: 004097A1

Strings

*.*, xrefs: 004096B2

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Find$FileInterlockedMessageSend$CloseDecrementFirstH_prologIncrementNext
String ID: *.*
API String ID: 2486832813-438819550
Opcode ID: 5ea15a55dd57a1d99f5bae3c71447f95ff7bbabfce1429e307446fb011ce6320
Instruction ID: 28c4050b80a552ab67fed60250f9b34c5aac997868025109a84abfcf9187bc32
Opcode Fuzzy Hash: 5ea15a55dd57a1d99f5bae3c71447f95ff7bbabfce1429e307446fb011ce6320
Instruction Fuzzy Hash: DE41A171508341ABC720DF65C885F9BB3E8AF84704F108D2EF6A5832D1EB79D808CB56

Function 0042D4A0 Relevance: 10.6, APIs: 7, Instructions: 89clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0042D4CD
GetClipboardData.USER32(?), ref: 0042D4E6
CloseClipboard.USER32 ref: 0042D4F2
GlobalSize.KERNEL32(00000000), ref: 0042D528
GlobalLock.KERNEL32(00000000), ref: 0042D530
GlobalUnlock.KERNEL32(00000000), ref: 0042D548
CloseClipboard.USER32 ref: 0042D54E

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$Close$DataLockOpenSizeUnlock
String ID:
API String ID: 2237123812-0
Opcode ID: 3894c1f87a7673fcb8de9b5e449a0971ef47b35abdc98688db25e873320816c0
Instruction ID: 40e3c6a20f0c50c64a57dcf9de3fa568f310f0b050d37c55a1df2675b60f19b8
Opcode Fuzzy Hash: 3894c1f87a7673fcb8de9b5e449a0971ef47b35abdc98688db25e873320816c0
Instruction Fuzzy Hash: 9021A271700211ABD604EB64E848E7F77A9EF88359F440A3EF905C3240EB68E844CBA5

Function 0045FB20 Relevance: 10.6, APIs: 7, Instructions: 51clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0045FB23
EmptyClipboard.USER32 ref: 0045FB2D
GlobalAlloc.KERNEL32(00002002,?,?,?,00000000,?,?,?,?,?,00000003), ref: 0045FB4B
GlobalLock.KERNEL32(00000000), ref: 0045FB54
GlobalUnlock.KERNEL32(00000000), ref: 0045FB7E
SetClipboardData.USER32(00000008,00000000), ref: 0045FB87
CloseClipboard.USER32 ref: 0045FB8D

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlock
String ID:
API String ID: 1677084743-0
Opcode ID: 36619d86ec7c82d70297eac3395f100500b159639cfb1b587099d91f3781412f
Instruction ID: bf98da97ee86203ed11fcb3c5b4258c81f836b723dc71a92d02f4b3df2033443
Opcode Fuzzy Hash: 36619d86ec7c82d70297eac3395f100500b159639cfb1b587099d91f3781412f
Instruction Fuzzy Hash: F1015271210205ABD7A09B79EC48A6B7BA8EB44361F054839BD06C3691DA60EC48CB64

Function 0043DBAD Relevance: 10.5, Strings: 8, Instructions: 498COMMON

Download Yara Rule

Strings

rgb+alpha color-map: too few entries, xrefs: 0043DDF7
rgb[ga] color-map: too few entries, xrefs: 0043DBF4
bad data option (internal error), xrefs: 0043E348
rgb-alpha color-map: too few entries, xrefs: 0043DEB2
rgb color-map: too few entries, xrefs: 0043DDBC
bad background index (internal error), xrefs: 0043E43F
color map overflow (BAD internal error), xrefs: 0043E399
rgb[gray] color-map: too few entries, xrefs: 0043DC2F

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: bad background index (internal error)$bad data option (internal error)$color map overflow (BAD internal error)$rgb color-map: too few entries$rgb+alpha color-map: too few entries$rgb-alpha color-map: too few entries$rgb[ga] color-map: too few entries$rgb[gray] color-map: too few entries
API String ID: 0-1509944728
Opcode ID: b45e461b345ee6a9e3254dac66a95f621ce58d16a3b9f3af862d599851174262
Instruction ID: 73337e3f525105bddf81b7fa7b65f5abc1a1da63ee984cecd69e08e29e48619e
Opcode Fuzzy Hash: b45e461b345ee6a9e3254dac66a95f621ce58d16a3b9f3af862d599851174262
Instruction Fuzzy Hash: D7020171A043409BE314DF19D882BABB7E5EB98308F14152EF8889B381D7B9D945C79A

Function 0043FA80 Relevance: 8.0, Strings: 6, Instructions: 536COMMON

Download Yara Rule

Strings

unknown interlace type, xrefs: 0043FB17
lost/gained channels, xrefs: 0043FAE0
unexpected 8-bit transformation, xrefs: 0043FAF9
lost rgb to gray, xrefs: 0043FAB0
unexpected compose, xrefs: 0043FAC4
unexpected bit depth, xrefs: 0043FB53

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: lost rgb to gray$lost/gained channels$unexpected 8-bit transformation$unexpected bit depth$unexpected compose$unknown interlace type
API String ID: 0-3614292578
Opcode ID: e781195313795264846d03d4fd6f3a56b1e23b28523fcd42cb2b2963b4569044
Instruction ID: 13ea295626f252c8f22d4c1fff83e58819febcb4af3aa98b9109c357c91e5814
Opcode Fuzzy Hash: e781195313795264846d03d4fd6f3a56b1e23b28523fcd42cb2b2963b4569044
Instruction Fuzzy Hash: 1B12C272A083458FD714CF28D89066AB7E2BBCC314F58553EF98987381D639ED49CB4A

Function 0043D87B Relevance: 7.8, Strings: 6, Instructions: 309COMMON

Download Yara Rule

Strings

bad data option (internal error), xrefs: 0043E348
ga-alpha color-map: too few entries, xrefs: 0043D8E7
bad background index (internal error), xrefs: 0043E43F
gray-alpha color-map: too few entries, xrefs: 0043DB05
gray+alpha color-map: too few entries, xrefs: 0043D894
color map overflow (BAD internal error), xrefs: 0043E399

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: bad background index (internal error)$bad data option (internal error)$color map overflow (BAD internal error)$ga-alpha color-map: too few entries$gray+alpha color-map: too few entries$gray-alpha color-map: too few entries
API String ID: 0-942498654
Opcode ID: 3368bcf66ba0b5ceb981709d60cd1a865caf7f422a50736681b3f247b3b1fabf
Instruction ID: 2c3bcdc879239cccb4f0d107ba20d0c3a0312f21372d03e89977249776c13810
Opcode Fuzzy Hash: 3368bcf66ba0b5ceb981709d60cd1a865caf7f422a50736681b3f247b3b1fabf
Instruction Fuzzy Hash: 13B1DFB2A083018BE304DF18D88176FB7E5EBD8708F54192EF88597391D3B8D945C79A

Function 004749ED Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00475650: GetWindowLongA.USER32(?,000000F0), ref: 0047565C

GetKeyState.USER32(00000010), ref: 00474A11
GetKeyState.USER32(00000011), ref: 00474A1A
GetKeyState.USER32(00000012), ref: 00474A23
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 00474A39

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 1b0535f0a9c8415aa92e85365fe35f948d1acc37d3d62c36d02c473a2ccdd33c
Instruction ID: b3156a5983b14c630b06f5b8f6760337faa6ecdcc41c60f56d53e5cb81c28338
Opcode Fuzzy Hash: 1b0535f0a9c8415aa92e85365fe35f948d1acc37d3d62c36d02c473a2ccdd33c
Instruction Fuzzy Hash: 88F082366C07462AE920769D5C42FFE46144B80B98F00842ABB05AF5D18BF9880256FD

Function 0041B780 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 638COMMON

Download Yara Rule

Strings

`\A, xrefs: 0041BB26, 0041BE9D, 0041BF34
\VO, xrefs: 0041B80E

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: \VO$`\A
API String ID: 0-155183320
Opcode ID: e844103f446766fc35584294eaef92873f18139b9ad25662a6f4017e262608bb
Instruction ID: 629594b37262e5027b1f59305ceb3c51de4a35f630ddb8f9b77e69ec2a0415d4
Opcode Fuzzy Hash: e844103f446766fc35584294eaef92873f18139b9ad25662a6f4017e262608bb
Instruction Fuzzy Hash: 41329270E002059BCB18DFA9C891BEEB7B5FF48314F24426AE516A7381D739AD81CBD5

Function 004480A0 Relevance: 5.5, Strings: 4, Instructions: 485COMMON

Download Yara Rule

Strings

internal row logic error, xrefs: 004480E5
internal row size calculation error, xrefs: 0044811B
invalid user transform pixel depth, xrefs: 00448319
internal row width error, xrefs: 0044812D

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: internal row logic error$internal row size calculation error$internal row width error$invalid user transform pixel depth
API String ID: 0-64619857
Opcode ID: bcd66d50e71db87356d0f11fde1a86c63171a3856adab2116fb54cdbb391918f
Instruction ID: c27b3d115cbf7c723ed793584aae2169ff5f580da7758065cd7ccfcfb4576ca6
Opcode Fuzzy Hash: bcd66d50e71db87356d0f11fde1a86c63171a3856adab2116fb54cdbb391918f
Instruction Fuzzy Hash: 14F159316087554FEB24DE3898902BFBBD1ABD6700F5845AFD885C7701EA799C09C786

Function 004242A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,4004667F,?), ref: 004242D2
recvfrom.WS2_32(00000000,00000000,?,00000000,00000000,00000000), ref: 00424320

Strings

`\A, xrefs: 00424358

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ioctlsocketrecvfrom
String ID: `\A
API String ID: 217199969-2688774508
Opcode ID: 5a759f330a9e4485f618e1fa8743e241d537eae143ea15af6ce666c212b3cc8b
Instruction ID: 82a3ff7578813c2f3d9c99e5fbe201fa336e34f530358fa8595c650f7c1c0f6b
Opcode Fuzzy Hash: 5a759f330a9e4485f618e1fa8743e241d537eae143ea15af6ce666c212b3cc8b
Instruction Fuzzy Hash: D4218171204601AFC314EF28D845B6BB7E4EFD4714F508B2EF59A972D0DB389844CB59

Function 0043E112 Relevance: 5.2, Strings: 4, Instructions: 245COMMON

Download Yara Rule

Strings

palette color-map: too few entries, xrefs: 0043E190
bad data option (internal error), xrefs: 0043E348
bad background index (internal error), xrefs: 0043E43F
color map overflow (BAD internal error), xrefs: 0043E399

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: bad background index (internal error)$bad data option (internal error)$color map overflow (BAD internal error)$palette color-map: too few entries
API String ID: 0-3263629853
Opcode ID: e8d8d242db0671e6bf093987dc5d1722e8a0acfa1faa061d42fc71c0e2b1fb4f
Instruction ID: b41f00be8f00b4d14985c0b22ab2d37386ac7cd8e836731d644b128bb19062da
Opcode Fuzzy Hash: e8d8d242db0671e6bf093987dc5d1722e8a0acfa1faa061d42fc71c0e2b1fb4f
Instruction Fuzzy Hash: B681F2B16082409FD718CF19C880B6FBBE5AFDC344F54192EF58987391D279EC42875A

Function 0042BBA0 Relevance: 4.8, APIs: 3, Instructions: 308keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 0042BBC0
GetKeyState.USER32(00000011), ref: 0042BBD0
CopyRect.USER32(00000000,00000000), ref: 0042BCA5

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: State$CopyRect
String ID:
API String ID: 4142901696-0
Opcode ID: ad55cd782f98de18f8da96bbe10f8ef5a458e32b7130b33de27dd74eaa1843fb
Instruction ID: ed02e38eeb3e6698ade74f05057c6ec1f1e1f249258d0e9a1d1efec63f128426
Opcode Fuzzy Hash: ad55cd782f98de18f8da96bbe10f8ef5a458e32b7130b33de27dd74eaa1843fb
Instruction Fuzzy Hash: E2A1E2703043209BD628DA15E881FBBB3E5EBC4704F91491FF68297380DBA9ED4587DA

Function 0046CC1C Relevance: 4.7, APIs: 3, Instructions: 207timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004684F4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 00468531
Part of subcall function 004684F4: EnterCriticalSection.KERNEL32(?,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 0046854C

Part of subcall function 00468555: LeaveCriticalSection.KERNEL32(?,00462712,00000009,004626FE,00000000,?,00000000,00000000,00000000), ref: 00468562

GetTimeZoneInformation.KERNEL32(0000000C,?,?,?,0000000B,0000000B,?,0046CC0D,0046C8DE,?,?,?,?,004637FE,?,?), ref: 0046CC6A
WideCharToMultiByte.KERNEL32(00000220,0051AAC4,000000FF,0000003F,00000000,?,?,0046CC0D,0046C8DE,?,?,?,?,004637FE,?,?), ref: 0046CD00
WideCharToMultiByte.KERNEL32(00000220,0051AB18,000000FF,0000003F,00000000,?,?,0046CC0D,0046C8DE,?,?,?,?,004637FE,?,?), ref: 0046CD39

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
String ID:
API String ID: 3442286286-0
Opcode ID: af890ae95df1edb42a2abb2014629cdc0472b3d0f91bc77f5721656311349f2b
Instruction ID: c1aa2ec93cea7cc46418a8479d1fc68bc02f20b5f76c3543ef3e1db22ce66598
Opcode Fuzzy Hash: af890ae95df1edb42a2abb2014629cdc0472b3d0f91bc77f5721656311349f2b
Instruction Fuzzy Hash: E6612071608241AAD7229F28ECC1B7A3FA9AB05314F24443FE0D5832E1E7794C52DB9F

Function 00463730 Relevance: 4.6, APIs: 3, Instructions: 75timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0046373D
GetSystemTime.KERNEL32(?), ref: 00463747
GetTimeZoneInformation.KERNEL32(?), ref: 0046379C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Time$InformationLocalSystemZone
String ID:
API String ID: 2475273158-0
Opcode ID: 41f6fe186c5cf0a50621abcb11419ab0151f3728c907bd3747c898918094e503
Instruction ID: 002e9a191b731f223631f3c6d9fb3d98a4c822238cf54092e62b9e0af67317aa
Opcode Fuzzy Hash: 41f6fe186c5cf0a50621abcb11419ab0151f3728c907bd3747c898918094e503
Instruction Fuzzy Hash: CA2165E9800019A5CF22AF99E8049FF77B9EB04727F408556F915D6290F3384E8BD72A

Function 004194D0 Relevance: 4.5, APIs: 3, Instructions: 49keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 00419501
GetKeyState.USER32(00000010), ref: 00419516
GetKeyState.USER32(00000012), ref: 0041952B

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: f854ff5a8a4a0637ceff0a47e203db9ad724a059229bc976ecba1a21a0df92f0
Instruction ID: 4389f8478fe95adf4f13b392be0fae3b2e92c0597256a27a03b697ca344631da
Opcode Fuzzy Hash: f854ff5a8a4a0637ceff0a47e203db9ad724a059229bc976ecba1a21a0df92f0
Instruction Fuzzy Hash: 7201D63FC4816667EF691A68A5387F656430750F50FA90077DA4C37381C54C5DCB239B

Function 00460970 Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a9264c043ca07ebfb136a857964bf27f59fe67a6cd810047c211f5aaf780d7
Instruction ID: 12bc4534baffc8fdb7c2bc3ec4c6448d0121ccdd54a3aa412a2eb4a36b7ef8fe
Opcode Fuzzy Hash: b0a9264c043ca07ebfb136a857964bf27f59fe67a6cd810047c211f5aaf780d7
Instruction Fuzzy Hash: EEF01DB1500109AAEF019F61CC089AF7BAAAF00354B048427F915D5162FB38DA59DB5B

Function 004764E3 Relevance: 4.5, APIs: 3, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 0047650A
GetKeyState.USER32(00000011), ref: 00476513
GetKeyState.USER32(00000012), ref: 0047651C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 475b7dcb2aa62a22ae3d84416d0d3f954cf3a7f4e6abab3349943c82eb429efd
Instruction ID: 8e522b567b79a2b8b78154af51e28460a197d8f36fa87ef8e79c4ce9b481945e
Opcode Fuzzy Hash: 475b7dcb2aa62a22ae3d84416d0d3f954cf3a7f4e6abab3349943c82eb429efd
Instruction Fuzzy Hash: D2E02BB5540649BDEA005280BB00FD52ED18B14791F42C857EA4CFB09CC6B8C946B769

Function 0043B610 Relevance: 4.0, Strings: 3, Instructions: 200COMMON

Download Yara Rule

Strings

copyright violation: edited ICC profile ignored, xrefs: 0043B7A7
known incorrect sRGB profile, xrefs: 0043B7EE
out-of-date sRGB profile with no signature, xrefs: 0043B806

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: copyright violation: edited ICC profile ignored$known incorrect sRGB profile$out-of-date sRGB profile with no signature
API String ID: 0-1307623137
Opcode ID: 9ad8d4c637540b7d9420b0b0a950ea0329340b28058caa13d374285fbc6198ec
Instruction ID: 35f939293fc70427ec01ccf643ebce3bc372b4401fa3df284c29350aef9f268f
Opcode Fuzzy Hash: 9ad8d4c637540b7d9420b0b0a950ea0329340b28058caa13d374285fbc6198ec
Instruction Fuzzy Hash: DE5138B2B0839107DB28CE395C6176BBBD2DBC9344F09986EE5D9C7341E224D805CBA8

Function 00473C8E Relevance: 3.4, APIs: 2, Instructions: 422COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00473C93
GetVersion.KERNEL32(00000007,?,?,00000000,00000000,?,0000C000,00000000,00000000,00000007), ref: 00473E46

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: H_prologVersion
String ID:
API String ID: 1836448879-0
Opcode ID: 703d672c61e14fcf0305b3548ea9e873e6a916ddb187bf16b2bda84f0c6c2ba7
Instruction ID: 808c60f812ac455b240542d5f7d6df7710135657404d3231c51ecc2e68f67fc5
Opcode Fuzzy Hash: 703d672c61e14fcf0305b3548ea9e873e6a916ddb187bf16b2bda84f0c6c2ba7
Instruction Fuzzy Hash: 0CE18970600209AFDB14DF65CC84AFE7BA9EF44305F20C51AF80DEA291D739DA11EB69

Function 00449890 Relevance: 3.3, Strings: 2, Instructions: 788COMMON

Download Yara Rule

Strings

invalid background gamma type, xrefs: 0044A09C
libpng does not support gamma+background+rgb_to_gray, xrefs: 00449D1C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: invalid background gamma type$libpng does not support gamma+background+rgb_to_gray
API String ID: 0-3995106164
Opcode ID: 2a74513b1f6afa9362d01490931df320767b4df392c45676b72efb9511f6b5f9
Instruction ID: 09a6d876f2896ce5cf0d8632dc3cac787348f359958f462bfded1ba86fb1058b
Opcode Fuzzy Hash: 2a74513b1f6afa9362d01490931df320767b4df392c45676b72efb9511f6b5f9
Instruction Fuzzy Hash: 61623B75508B814AE331DF39C8417F3BBE5EF5A304F08496ED9EA87342E639A805C75A

Function 00404D12 Relevance: 3.1, APIs: 2, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52243bfa87c23f829145434f136685e52a75f4fa571f7f71f83a5adca4fb4145
Instruction ID: 7fc1f7eee357d701b8d930fb91bc91de21247487db069b1d204a26aa06b96449
Opcode Fuzzy Hash: 52243bfa87c23f829145434f136685e52a75f4fa571f7f71f83a5adca4fb4145
Instruction Fuzzy Hash: 8331B0B45502028BD718EF18C45159BB3E4AFC9314FA848AFE88597362D27DD885CBDA

Function 00419320 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 00419330
FindClose.KERNEL32(00000000), ref: 0041933C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a44a59ff2fbb1b439b465b7238aca37b643cbdcef72f8d62d4079e3eb1ef1dde
Instruction ID: 889418547be0fe6b02e3e2b71d01fe94ce105856d8aa224dcdf0167fc9b75706
Opcode Fuzzy Hash: a44a59ff2fbb1b439b465b7238aca37b643cbdcef72f8d62d4079e3eb1ef1dde
Instruction Fuzzy Hash: 0FD05E744242005BD321AB74DC086AA3298AB48310FC40A28BD2CC12E0E63EC8588611

Function 0043E670 Relevance: 2.9, Strings: 2, Instructions: 445COMMON

Download Yara Rule

Strings

bad encoding (internal error), xrefs: 0043E81D
color-map index out of range, xrefs: 0043E6BF

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: bad encoding (internal error)$color-map index out of range
API String ID: 0-7351992
Opcode ID: e1b656c30331eb770405b823e2a4b685e162c84c10ef77c16d0a58e4dc216a7b
Instruction ID: 40ad883501eaaf81b82749b2c206c59b84eb71b1fbeaa02cc0e8729620f4a309
Opcode Fuzzy Hash: e1b656c30331eb770405b823e2a4b685e162c84c10ef77c16d0a58e4dc216a7b
Instruction Fuzzy Hash: 70F1F572A093128BC718DF29D88126AB7D1FFDC308F05467EE959D7390D638E905CB95

Function 004490A0 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Row has too many bytes to allocate in memory, xrefs: 0044936C
VUUU, xrefs: 004491B8

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: Row has too many bytes to allocate in memory$VUUU
API String ID: 0-4092465491
Opcode ID: 57d9c8bfe10be56b2e141fb50425815332441f6122d94bcdd30c283ce2ceb76c
Instruction ID: 9db43fd25d0288067ae047725bd23c59a48b07bccd5c18224b00749e6d3510a8
Opcode Fuzzy Hash: 57d9c8bfe10be56b2e141fb50425815332441f6122d94bcdd30c283ce2ceb76c
Instruction Fuzzy Hash: CA913871A04E414BF7298A38DC5A3F777D2AB99304F184A2ED5ABC7382D63CAD40D308

Function 00422730 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

d, xrefs: 00422974
MTrk, xrefs: 004228AC

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: MTrk$d
API String ID: 0-4044675371
Opcode ID: bba396254cf0c26579988c787e60e21f9dee8d7754c73f768d9b982935010523
Instruction ID: a71e2fc876b123896a5b1ce884a56a933e9ba1753dd39bb154f3e5cee9748656
Opcode Fuzzy Hash: bba396254cf0c26579988c787e60e21f9dee8d7754c73f768d9b982935010523
Instruction Fuzzy Hash: D691D471B00315AFD718DF29D98096AB7E2EFC8304B54893EE84ACB345EA78ED45C758

Function 0043B480 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

ICC profile tag start not a multiple of 4, xrefs: 0043B549
ICC profile tag outside profile, xrefs: 0043B598

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: ICC profile tag outside profile$ICC profile tag start not a multiple of 4
API String ID: 0-2051163487
Opcode ID: f8ce826aaa34cac058739c94919c7f735e4a3bcb3b214c06b145b988ade39a99
Instruction ID: 9f13ec085852bb27f8ef16713afaf4879d4d96f3a37757edde0ab6a9b7e005fe
Opcode Fuzzy Hash: f8ce826aaa34cac058739c94919c7f735e4a3bcb3b214c06b145b988ade39a99
Instruction Fuzzy Hash: ED31F2F370879107E72CCA2D9C606A7BBD3ABC8244F1DD96DE5DAC3301E96495058758

Function 00435A50 Relevance: 2.5, APIs: 1, Instructions: 1006COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1065c828f216a2ae14280212c46fcc1b701a9e8e8f703c936a336a82bd71dacd
Instruction ID: 92517e287a8285cbf046feda64aa5298e92c969c090dc93180dbcdb70b8dc990
Opcode Fuzzy Hash: 1065c828f216a2ae14280212c46fcc1b701a9e8e8f703c936a336a82bd71dacd
Instruction Fuzzy Hash: FC926471604B428FD329CF29C0906A7FBE2AF99304F24992ED5DB87B61D634B849CB45

Function 0046DCFF Relevance: 1.7, Strings: 1, Instructions: 417COMMON

Download Yara Rule

Strings

nnO, xrefs: 0046DE55, 0046DEC6, 0046DF27, 0046E010, 0046E05A

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: nnO
API String ID: 0-2685740304
Opcode ID: 616067c32363522f5884028b8f27182fd050d11c4a111e3715224d289a5ffb8c
Instruction ID: 266c6162279d433c159f46e307ec0cf1ee763236fefae2347cf68843363adb3f
Opcode Fuzzy Hash: 616067c32363522f5884028b8f27182fd050d11c4a111e3715224d289a5ffb8c
Instruction Fuzzy Hash: C3E1F175F542199EEF248F65C8057FE7BB1AB14304F284027E402AA291F7BD8982CB1F

Function 004449E0 Relevance: 1.6, Strings: 1, Instructions: 373COMMON

Download Yara Rule

Strings

$4O, xrefs: 00444C7F

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: $4O
API String ID: 0-2639042776
Opcode ID: d4c9c7b7208055db5e9538f1826c8c8b80299e0f968ec6c5d0c5471e8a0b5277
Instruction ID: 3bce0de723903d059faae65b7460d62c53030286498b0bfba23d56c7df93e035
Opcode Fuzzy Hash: d4c9c7b7208055db5e9538f1826c8c8b80299e0f968ec6c5d0c5471e8a0b5277
Instruction Fuzzy Hash: D4E1D1B5600A018FD324CF19D490B22FBE2FF89311B29C96ED59ACBB61D735E846CB54

Function 0045E340 Relevance: 1.6, Strings: 1, Instructions: 334COMMON

Download Yara Rule

Strings

lUO, xrefs: 0045E686

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: lUO
API String ID: 0-2669878854
Opcode ID: f3b3751be0055bb4ae5f0245cf300741e1b064cb018afa51338a5cde09ca4f7b
Instruction ID: 62122e994f52faa7fec58b945fc50fcb59b7067eb59bc2aa8ffcfcec314b4b5d
Opcode Fuzzy Hash: f3b3751be0055bb4ae5f0245cf300741e1b064cb018afa51338a5cde09ca4f7b
Instruction Fuzzy Hash: 0BC1D0716087518FCB1CCF2DD59012AFBE2FB89310F594A6EE8DA93741C734A919CB89

Function 0046C9A2 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0006C95C), ref: 0046C9A7

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7351295a068a2a674d2fbcf8cfabc30a9d23c1b6e446c181643ee7482e3cca65
Instruction ID: 4772fbd28958ed26f988b2fbf7875af8be785f98c40269da5ca9222171bd0688
Opcode Fuzzy Hash: 7351295a068a2a674d2fbcf8cfabc30a9d23c1b6e446c181643ee7482e3cca65
Instruction Fuzzy Hash: 4BA022F00822008B8B002F20AE882083EB0BA08302B0000AEE80280B20FB30000CFB0B

Function 0046C9B4 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0046C9B9

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 77b585073a9b7accdd9b39f69d7b04196205c75061b7384bd0c80148480e9cd8
Instruction ID: 7064464f4d6d4493fe47b8670a229b8a1196c2241c9dd26eeb6842ea37adf680
Opcode Fuzzy Hash: 77b585073a9b7accdd9b39f69d7b04196205c75061b7384bd0c80148480e9cd8
Instruction Fuzzy Hash:

Function 00437BD0 Relevance: .9, Instructions: 903COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7588268db9ad160e2392b48f534035be178d540a008719f74208fe9ed0531eb1
Instruction ID: bb4cb55bed9c7f65586114ec74d72ffdc89ad9183218b1c6113a6cae7b54d54a
Opcode Fuzzy Hash: 7588268db9ad160e2392b48f534035be178d540a008719f74208fe9ed0531eb1
Instruction Fuzzy Hash: 8652D8367447095FD308CE9ACC9159AF3E3ABC8304F488A3CF955C3346EEB8E90A8655

Function 0045266E Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8ed2d12b6e8c1720ee0e4d0af523c059fe1b70a8e53d0bedfbf9a91d4ef398
Instruction ID: 491698ae7c974ca5ece61e90dfd83972b97e6af6a943994957b1d4d8f5fb083a
Opcode Fuzzy Hash: ad8ed2d12b6e8c1720ee0e4d0af523c059fe1b70a8e53d0bedfbf9a91d4ef398
Instruction Fuzzy Hash: 581241716043018FCB18CF18DA9062BB7E6EFDA301F14896EE8958B346E774DD49CB96

Function 004528BE Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9648cf96e6f9b057b1de6f949947576630b144a32bc2f8a14042e53e753f63
Instruction ID: 474761f6f8604a86ea195d3e8c5eeee0167f8f9e8fccb97f8bb33cf26723445d
Opcode Fuzzy Hash: 2a9648cf96e6f9b057b1de6f949947576630b144a32bc2f8a14042e53e753f63
Instruction Fuzzy Hash: 391241716043018FCB18CF18DA9062BB7E6EFDA301F14896EE8958B346E774DD49CB96

Function 0045A500 Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54be51170c7ebf40899926739cc0b9ca4d0c7ad027b9f18e3df2b9bb17991689
Instruction ID: 50a35c34cdf17d2ee2ece7ef271cdfbd403eeedc8db4278977af11f5fd45dd91
Opcode Fuzzy Hash: 54be51170c7ebf40899926739cc0b9ca4d0c7ad027b9f18e3df2b9bb17991689
Instruction Fuzzy Hash: EE1260B46087018FC708CF29D590A2ABBE1FF88315F148A6EE48AC7752D734E959CF56

Function 0044CA70 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6fa3fc8b26c1bfb4997a38f264383a909aafdeafa3d6e9bebe394ed9f90c19
Instruction ID: fa09c47f830dc262a1b3c163033b3f169158abd5c392fc698e2b68a7648fcc90
Opcode Fuzzy Hash: 5d6fa3fc8b26c1bfb4997a38f264383a909aafdeafa3d6e9bebe394ed9f90c19
Instruction Fuzzy Hash: E6C1122560E6824FEB198B6C94EA2BBFFD1DB5A310B1C81FEC9D5CB323D5258409C358

Function 0044D170 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7d6e5bdf9180fc249a7cdffd82ac3d4432134ef2b1545fd9ebd85a9bab015f
Instruction ID: 5276101f09bd79b997ce6e2b738887fa7a79c73fb3aaeb7b768c0e4e319954d2
Opcode Fuzzy Hash: bd7d6e5bdf9180fc249a7cdffd82ac3d4432134ef2b1545fd9ebd85a9bab015f
Instruction Fuzzy Hash: C9D1EA3190D7D24BE726CE2884A03ABFFD1AFA6304F18CADED8D44F346D6659809C756

Function 0045C1F0 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4bfdb248b3fb90f8076a3fe4a1e75f7bd1b50aa5aafde52d762773f77742459
Instruction ID: b39db98b78c4aa666287f3b58ad044742b28a01d40ebd81fd4f26415345360d3
Opcode Fuzzy Hash: d4bfdb248b3fb90f8076a3fe4a1e75f7bd1b50aa5aafde52d762773f77742459
Instruction Fuzzy Hash: 02F1CE7250C2418FC3098F18D5989E27BE2FFA8710B1F42FAD8499B363D7329845CB96

Function 0044B550 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdb0e9a48f9cc5b8454a5ea312c92bd26660b050e477f45892fe8a81102f325
Instruction ID: d57293a380447c92d5669869ff204c0406c59f74deae3854e101474b2ec9b16d
Opcode Fuzzy Hash: dcdb0e9a48f9cc5b8454a5ea312c92bd26660b050e477f45892fe8a81102f325
Instruction Fuzzy Hash: 21D1A1356087828FD725CF29C4902A6FBE1EF9A304F48856EE5D99B352D334D806CB96

Function 0044BA69 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ecd282e73b2467a48991c463d1e9c07e58f1649b5672709a3756896c45422b
Instruction ID: 69bba44bb4984adc4bd1123f48c00c17fb4dc7fe67754c73df0062da00b917a7
Opcode Fuzzy Hash: 89ecd282e73b2467a48991c463d1e9c07e58f1649b5672709a3756896c45422b
Instruction Fuzzy Hash: 82B1BE2674A2828BFB165A3CA0A03F77F91DB96321F5C14BED9DAC7742D21ED909C344

Function 004485E0 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be4b89135e0a3f0cdb95423d9478719c7e0af1eeda217c86243391791b7a110
Instruction ID: 5dfe138b03515ac77cedb9a3fb835149a871263376863e044eb433203da6c36e
Opcode Fuzzy Hash: 3be4b89135e0a3f0cdb95423d9478719c7e0af1eeda217c86243391791b7a110
Instruction Fuzzy Hash: 02D1AD72A097468FE744CF18C49436FBBE1FBD8314F544A2EE89597350D738A909CB86

Function 00453870 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8156b7e14d89a7d224035f81393d472818c2f077ec22923174eaec27d35881de
Instruction ID: f89ddafc904106e0ee116a46b35191a079f18173e272a307c469f733652713b6
Opcode Fuzzy Hash: 8156b7e14d89a7d224035f81393d472818c2f077ec22923174eaec27d35881de
Instruction Fuzzy Hash: 28D14675200B418FD324CF29C980AA7B3E5FF89309B14892EE8D687B52D775F945CB44

Function 00419B90 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7011376bd6569ac57b9a2031832cb8ebc498f7d2afdd4ff6cc4da6f68edafe3d
Instruction ID: 7b7cad279ae2540c519f1bda0421b63dc84f408f5d71e0b42f1a53743e8e3bb8
Opcode Fuzzy Hash: 7011376bd6569ac57b9a2031832cb8ebc498f7d2afdd4ff6cc4da6f68edafe3d
Instruction Fuzzy Hash: 32C1BE716086844FD725CE19C4753EBBBE2AB81744F98881FE4C147392E33D9D85CB8A

Function 0044C63E Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209fc5673e656db3213c2d2fbf9a8a4af23a33bfddf6ddf1f62eb543b428bd05
Instruction ID: 420ea4d1272e99c073685b946ca0cd8be6654fd9f2f3a12630d89501f91201ec
Opcode Fuzzy Hash: 209fc5673e656db3213c2d2fbf9a8a4af23a33bfddf6ddf1f62eb543b428bd05
Instruction Fuzzy Hash: 05C1C03520D7824BD72DDB2C94A45FBBFE2AFAA300B1DD5BDC48A8B3A3D9255409C740

Function 0045C770 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e82ae8077d92804d45aae61b5307cef857210f2a8bd08bce4e49092261f6f0
Instruction ID: 18c75194336f7867a048b95b9f2b1c6511e4ecfd60c327deee96aeed050018d1
Opcode Fuzzy Hash: b9e82ae8077d92804d45aae61b5307cef857210f2a8bd08bce4e49092261f6f0
Instruction Fuzzy Hash: C8D18C756082518FC719CF18E5D88E27BE1BFA8740F0E42F9C98A9B323D7359845CB95

Function 004533D0 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c8d435e4a79cdf99dd996a5b040aa612b6b459332a9350c378e94c1eec9c45
Instruction ID: 751ab050db226a69439953155c04e5038a1823b3952f37c6d575ec406e6c2adb
Opcode Fuzzy Hash: 27c8d435e4a79cdf99dd996a5b040aa612b6b459332a9350c378e94c1eec9c45
Instruction Fuzzy Hash: 69B14775214B418FC328CF29C9909A7B7E6BF89305B18892ED8CBC7B52DA35F945CB44

Function 00469F86 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: 33d159a73d5e1e4c86e1430dae1324b046b92695069ad3b481f67ce88c1f495d
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 0AB17A75A0060ADFDB15CF04C5D0AA9BBA1BF59318F24C19EC81A6B382D735EE52CF91

Function 00458D80 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
Instruction ID: 6c8faa732245c68148f7891670942391785d58a362ac2baabac4a65c5dee21e1
Opcode Fuzzy Hash: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
Instruction Fuzzy Hash: 0CA10775A087418FC314CF29C49085AFBF2BFC8714F198A6DE99997325EB70E945CB42

Function 0044CF40 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4664e54bd8655df0b62760be2564d86677a0bae60cff444b8354291ceb51d8c8
Instruction ID: e4f0f453c8f5c6ec25a4be9f4fc6fbf9498c9eb67940c22529241f532b89b071
Opcode Fuzzy Hash: 4664e54bd8655df0b62760be2564d86677a0bae60cff444b8354291ceb51d8c8
Instruction Fuzzy Hash: 6071D93590C6828AD711CF28C494666FFE2ABE6304F0CC69EC8C99F357D626E909C795

Function 0044C3C4 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09e427cc0f5c48326d696f622ddb13854d7e20a58c35d846649955e18978596
Instruction ID: b6cdbc46c4482459e77ebf2ea74d2c41ac1956ee6f422189b9ec2367b2e44703
Opcode Fuzzy Hash: e09e427cc0f5c48326d696f622ddb13854d7e20a58c35d846649955e18978596
Instruction Fuzzy Hash: CB71222120E7C24BD7299B2898E12F6BFD1AFA7300F5C96EED8D64F392C4166008C725

Function 004582E0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction ID: 8c46f0283c44d304220ea441bc15bfc10fc2b9a9855178f0db146e42c02de5d8
Opcode Fuzzy Hash: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction Fuzzy Hash: 3581173954A7819FC711CF29C0D04A6FBE2BF9E204F5C999DE9C50B317C231A91ACB92

Function 0044AD10 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25581fa8c29664ef31c6b0bc6892395970b077ba26f1786f29026da07f686d88
Instruction ID: 6bc452672c88cfac60f17ea711add31793e27ca6da985a0d4d699741de046f54
Opcode Fuzzy Hash: 25581fa8c29664ef31c6b0bc6892395970b077ba26f1786f29026da07f686d88
Instruction Fuzzy Hash: CD5127317887514FE305CF2D989016AFBD2DBCA311F2C8AAEC5E9C7712D635D8198786

Function 0044C211 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4d2dea2c165661568dc7cef3cf9871e53b13df2d48047b3dc5f70df1b2c506
Instruction ID: 750ec6070cbaab19e8781fe5f17769e69adccab96261856f7ee2c05bb3e34a6a
Opcode Fuzzy Hash: 4d4d2dea2c165661568dc7cef3cf9871e53b13df2d48047b3dc5f70df1b2c506
Instruction Fuzzy Hash: D641483A31A2838BD758DE3CC4902F6FBA1AF9A300B5C47BEC8D5C7742D629950AC754

Function 0044BF26 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c27889d51f487b201adba72a386df83b8ac4b76ef92a9fc20cd27d85f323ea
Instruction ID: 0c1ed26399ea3e21ae079f13424a59f588bb3851bff2d0a288a2afd2f96504e3
Opcode Fuzzy Hash: a8c27889d51f487b201adba72a386df83b8ac4b76ef92a9fc20cd27d85f323ea
Instruction Fuzzy Hash: 0F51A12920EBD14AD72A973C54A96F7FFE29F6B301B4E90EDC4DA8B323C5165009C764

Function 0044DBB0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bedd6ca5bc77a1056673b4a4266d6f976d583123bb71e411220f4351b9410f3b
Instruction ID: 9ed024e68d0d04c6341f81b8a674266924af7a4239ed0667e1f9682f282eab09
Opcode Fuzzy Hash: bedd6ca5bc77a1056673b4a4266d6f976d583123bb71e411220f4351b9410f3b
Instruction Fuzzy Hash: E0419072F01A414BE768DE2AD8E01FBB793DBC6301B28C86BC19ECB725D5355445CB84

Function 00444E10 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
Instruction ID: ea1e5c8d211806c427640bf56be3e088e2f1e4d97c0b9ceb2fc26a0d47ec8864
Opcode Fuzzy Hash: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
Instruction Fuzzy Hash: 68310B3374558203F71DCA2F9CA13BAEAD34FC522872DD57E99C98B356ECBA841A4144

Function 004446D0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1778abe5a1b3fff073265e14ea222d11f9b129b0360753afdbbe3f3dd67d1781
Instruction ID: 70aa2957ecf41215c7ed1a7fc1fa7cbb2d09a23c66a90d7fe751a265447f4756
Opcode Fuzzy Hash: 1778abe5a1b3fff073265e14ea222d11f9b129b0360753afdbbe3f3dd67d1781
Instruction Fuzzy Hash: 3B31B5227B609207D354CEBD9CC0277B7939BCB346B6DC679D584C7A0AC43DD8174255

Function 00462E30 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction ID: e2d1f6ffeb15776577e0f9265b551d4cc5424ae6fa157740d34b3d4def2fa01f
Opcode Fuzzy Hash: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction Fuzzy Hash: D1113AA7200C4263D714CA29D7B02FBE396EBC532172D827BD0928B354F6EF9945C50B

Function 00434EB0 Relevance: 80.0, APIs: 53, Instructions: 459windowsleepCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00434ED2

Part of subcall function 0041A890: EnumDisplaySettingsA.USER32(00000000,000000FF,?), ref: 0041A89F

SetStretchBltMode.GDI32(00000000,00000000), ref: 00434EE5
CreateCompatibleDC.GDI32(00000000), ref: 00434EF2
CreateCompatibleDC.GDI32(00000000), ref: 00434EF7
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434F48
SelectObject.GDI32(00000000,00000000), ref: 00434F5C
SelectObject.GDI32(?,?), ref: 00434F86
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 00434FA8
SelectObject.GDI32(?,?), ref: 00434FB8
SelectObject.GDI32(?,?), ref: 00434FC4
GetTickCount.KERNEL32 ref: 00435012
SelectObject.GDI32(?,?), ref: 0043504A
SelectObject.GDI32(00000000,00000000), ref: 00435066
BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0043508B
SelectObject.GDI32(00000000,?), ref: 00435097
DeleteObject.GDI32(00000000), ref: 0043509E
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004350E2
SelectObject.GDI32(00000000,00000000), ref: 004350EE
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,00000000,00CC0020), ref: 00435113
SelectObject.GDI32(00000000,?), ref: 0043511F
SelectObject.GDI32(00000000,?), ref: 00435127
CreateCompatibleDC.GDI32(00000000), ref: 0043513C
CreateCompatibleDC.GDI32(00000000), ref: 00435145
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0043515B
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00435173
SelectObject.GDI32(00000000,?), ref: 00435183
SelectObject.GDI32(00000000,?), ref: 00435193
SetBkColor.GDI32(00000000,?), ref: 004351A5
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 004351C6
SetBkColor.GDI32(00000000,?), ref: 004351D2
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00330008), ref: 004351EF
BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 00435214
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 00435231
BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,00EE0086), ref: 00435256
SelectObject.GDI32(00000000,?), ref: 00435262
DeleteObject.GDI32(00000000), ref: 00435269
SelectObject.GDI32(00000000,?), ref: 00435275
DeleteObject.GDI32(00000000), ref: 0043527C
DeleteDC.GDI32(00000000), ref: 00435289
DeleteDC.GDI32(00000000), ref: 0043528C
SelectObject.GDI32(00000000,?), ref: 004352C5
DeleteObject.GDI32(?), ref: 004352CC
IsWindow.USER32(?), ref: 004352D6
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0043533A
BitBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00435364
SelectObject.GDI32(?,?), ref: 00435374
Sleep.KERNEL32(0000000A), ref: 004353C0
GetTickCount.KERNEL32 ref: 004353C6
DeleteObject.GDI32(00000000), ref: 004353F3
DeleteDC.GDI32(00000000), ref: 00435400
DeleteDC.GDI32(?), ref: 00435407
ReleaseDC.USER32(?,00000000), ref: 0043540E

Part of subcall function 004349F0: GetClientRect.USER32(?,?), ref: 00434A17
Part of subcall function 004349F0: __ftol.LIBCMT ref: 00434AEE
Part of subcall function 004349F0: __ftol.LIBCMT ref: 00434B01

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Object$Select$Delete$Create$Compatible$Bitmap$ColorCountStretchTick__ftol$ClientDisplayEnumModeRectReleaseSettingsSleepWindow
String ID:
API String ID: 1975044605-0
Opcode ID: b9153c0c49b3b05573ed07e31508fdaf77b349cd4dda8dc8ee5560d61bc07a52
Instruction ID: ef5862c8c39f674d743705185f4918cb703b55ebe8a31f2f51258a9ccbf0833d
Opcode Fuzzy Hash: b9153c0c49b3b05573ed07e31508fdaf77b349cd4dda8dc8ee5560d61bc07a52
Instruction Fuzzy Hash: 6202F6B1214700AFD364DF65DC85F6BB7E9FB89B04F10491DFA9697290C7B4E8048B29

Function 00433860 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 356windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A0A0: SendMessageA.USER32(?,00000143,00000000,?), ref: 0041A0C3

GetProfileStringA.KERNEL32(windows,device,,,,,?,000001F4), ref: 004338B9
GetProfileStringA.KERNEL32(devices,00000000,0050626C,?,00001000), ref: 004338F8
GetProfileStringA.KERNEL32(devices,?,,,,,?,000000C8), ref: 0043393A
SendMessageA.USER32(?,00000143,00000000), ref: 004339FB
SendMessageA.USER32(?,0000014E,?,00000000), ref: 00433A38
SendMessageA.USER32(?,0000014E,?,00000000), ref: 00433ADB
wsprintfA.USER32 ref: 00433AF4
wsprintfA.USER32 ref: 00433B1A
wsprintfA.USER32 ref: 00433B40
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00433B73
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00433B9E
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00433BB4
SendMessageA.USER32(?,0000014E,?,00000000), ref: 00433BCB
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00433C0F
wsprintfA.USER32 ref: 00433C22
wsprintfA.USER32 ref: 00433C4C
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00433C72
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00433CB3
wsprintfA.USER32 ref: 00433CC4

Strings

devices, xrefs: 004338F3, 00433935
,,,, xrefs: 004338AA, 0043392F
windows, xrefs: 004338B4
none, xrefs: 00433978
device, xrefs: 004338AF

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend$wsprintf$ProfileString
String ID: ,,,$device$devices$none$windows
API String ID: 2373861888-528626633
Opcode ID: 55527e2ca8cdc86dd2883f5a78c5811f979820292297cd78726d904f36f5e9e4
Instruction ID: e228d98b62916281cfa8e8f3500e2cef2db2a610d57d996b1c7a1740866e4d18
Opcode Fuzzy Hash: 55527e2ca8cdc86dd2883f5a78c5811f979820292297cd78726d904f36f5e9e4
Instruction Fuzzy Hash: 44C1D871244705ABD624DF74CC82FEB73A89F88709F10491EF55A971D0EAB8FA04CB69

Function 004118C0 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 293windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041194F
GetWindowRect.USER32(?,?), ref: 004119A6
GetParent.USER32(?), ref: 004119B6
GetParent.USER32(?), ref: 004119E9
GlobalSize.KERNEL32(00000000), ref: 00411A33
GlobalLock.KERNEL32(00000000), ref: 00411A3B
IsWindow.USER32(?), ref: 00411A54
GetTopWindow.USER32(?), ref: 00411A91
GetWindow.USER32(00000000,00000002), ref: 00411AAA
SetParent.USER32(?,?), ref: 00411AD6
SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 00411B21
SendMessageA.USER32(?,00008076,00000000,00000000), ref: 00411B30
GetParent.USER32(?), ref: 00411B43
SendMessageA.USER32(?,00008004,00000000,00000000), ref: 00411B5C
GetWindowLongA.USER32(?,000000F0), ref: 00411B64
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 00411B94
SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 00411BA2
IsWindow.USER32(?), ref: 00411BEE
GetFocus.USER32 ref: 00411BF8
SetFocus.USER32(?,00000000), ref: 00411C10
GlobalUnlock.KERNEL32(00000000), ref: 00411C1B
GlobalFree.KERNEL32(00000000), ref: 00411C22

Strings

`\A, xrefs: 00411AEB

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$MessageSend$GlobalParent$Focus$FreeLockLongRectSizeUnlock
String ID: `\A
API String ID: 300820980-2688774508
Opcode ID: 7c4c2db3cc0834d14bb8f33d35d30d4fa508d3c17fe0bd3ac70432b284f48ba0
Instruction ID: ce06db2c828b12d022af6e7e7f5c2d94a2d4f8533af3ee5ff3078fa7004b9ca1
Opcode Fuzzy Hash: 7c4c2db3cc0834d14bb8f33d35d30d4fa508d3c17fe0bd3ac70432b284f48ba0
Instruction Fuzzy Hash: C1A16CB0654300AFD710DF65CC84F6BB7E8AF88700F108A1EFA5597391DB78E8458B59

Function 00442E40 Relevance: 38.0, APIs: 25, Instructions: 452windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000010), ref: 00442EC8

Part of subcall function 0047A059: SetBkColor.GDI32(?,?), ref: 0047A068
Part of subcall function 0047A059: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0047A09A

GetSysColor.USER32(00000014), ref: 00442F00
InflateRect.USER32(?,000000FF,000000FF), ref: 00442F32
GetSysColor.USER32(00000016), ref: 00442F4B
GetSysColor.USER32(0000000F), ref: 00442F5B
DrawEdge.USER32(?,?,00000002,0000000F), ref: 00442F94
GetDeviceCaps.GDI32(?), ref: 0044319E
RealizePalette.GDI32(?), ref: 004431C1
GetSysColor.USER32(00000014), ref: 004431D9
GetSysColor.USER32(0000000F), ref: 004431EB
GetSysColor.USER32(0000000F), ref: 00442EA1

Part of subcall function 0047A02F: SetBkColor.GDI32(?,?), ref: 0047A039
Part of subcall function 0047A02F: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0047A04F

GetSysColor.USER32(0000000F), ref: 00442FF8
InflateRect.USER32(?,000000FF,000000FF), ref: 00443031
GetSysColor.USER32(00000016), ref: 00443046
GetSysColor.USER32(0000000F), ref: 00443052
InflateRect.USER32(?,?,?), ref: 00443093
GetSysColor.USER32(00000010), ref: 00443097
Rectangle.GDI32(?,?,?,?,?), ref: 004430DE
DrawEdge.USER32(?,?,00000002,0000000F), ref: 00443119
DrawEdge.USER32(?,?,00000002,0000000F), ref: 00443220
GetSysColor.USER32(00000010), ref: 0044327D
CreatePen.GDI32(00000000,00000001,00000000), ref: 00443284
InflateRect.USER32(?,?,?), ref: 004432C3
Rectangle.GDI32(?,?,?,?,?), ref: 004432E1
GetDeviceCaps.GDI32(?,00000026), ref: 00443317

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Color$InflateRect$DrawEdge$CapsDeviceRectangleText$CreatePaletteRealize
String ID:
API String ID: 3119264602-0
Opcode ID: 825153da0f7bd2745c77ee2f56bff59a4d631c38319d1a8b4b9b56fea47474f8
Instruction ID: 90b99e2acd7fb43c83037c1ea4420eeb4a61ce7af061cde955d57faf7924978e
Opcode Fuzzy Hash: 825153da0f7bd2745c77ee2f56bff59a4d631c38319d1a8b4b9b56fea47474f8
Instruction Fuzzy Hash: 2CF15A71204701AFD714DF64C894F6FB3E9BB88B04F108A2EF65687291DBB4E909CB56

Function 0041FE20 Relevance: 37.1, APIs: 17, Strings: 4, Instructions: 366windowCOMMON

Download Yara Rule

APIs

CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 0041FEAC
CreateCompatibleDC.GDI32(?), ref: 0041FEBE
CreateCompatibleDC.GDI32(?), ref: 0041FEC7
SelectObject.GDI32(00000000,?), ref: 0041FED6
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041FEE9
SelectObject.GDI32(?,00000000), ref: 0041FEF9
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0041FF19
SelectObject.GDI32(00000000,?), ref: 0041FF25
DeleteDC.GDI32(00000000), ref: 0041FF32
SelectObject.GDI32(?,?), ref: 0041FF3A
DeleteDC.GDI32(?), ref: 0041FF41
DeleteObject.GDI32(?), ref: 0041FF47
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0041FF7D

Strings

(, xrefs: 004201DF
`\A, xrefs: 0041FE23
, xrefs: 00420043
(, xrefs: 0042002C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CreateObject$Select$BitmapCompatibleDelete
String ID: $($($`\A
API String ID: 1878064223-4165484200
Opcode ID: fde88790c4bd4287eb998a8e96228f6f002e2934c30f5f56e88345181a72f5d5
Instruction ID: 7bf1a6c9b784577fa5fe9171b8a2588cb6ad9c68c0426469ebcd2ed1cdd438f1
Opcode Fuzzy Hash: fde88790c4bd4287eb998a8e96228f6f002e2934c30f5f56e88345181a72f5d5
Instruction Fuzzy Hash: F9D147B16043019FC710CF29E884A6BBBE9EFC9710F10892EF99697350D775E849CB66

Function 00433EF0 Relevance: 31.9, APIs: 17, Strings: 1, Instructions: 351windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004737B2: GetWindowTextLengthA.USER32(?), ref: 004737BF
Part of subcall function 004737B2: GetWindowTextA.USER32(?,00000000,00000000), ref: 004737D7

__ftol.LIBCMT ref: 00433F66
__ftol.LIBCMT ref: 00433FBC
__ftol.LIBCMT ref: 00434012
__ftol.LIBCMT ref: 00434068
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00434089
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004340A3
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043416B
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043419D
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 004341BA
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004341DA
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004341F4
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043420C
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043422B
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00434294
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004342F9
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043433B

Part of subcall function 00475576: GetDlgItem.USER32(?,?), ref: 00475584

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00434367

Strings

\VO, xrefs: 00433F06

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend$__ftol$TextWindow$ItemLength
String ID: \VO
API String ID: 2143175130-2422581269
Opcode ID: 8b053fe137b98379662f247915929c592b4b438fb40e5d5d53e5488ada89c153
Instruction ID: 4ae0d0f80eb20ba3dd2c4126f0a4bd91d2b54c00bc7f6e83f2f1094a9bd88d57
Opcode Fuzzy Hash: 8b053fe137b98379662f247915929c592b4b438fb40e5d5d53e5488ada89c153
Instruction Fuzzy Hash: 28D1C2B5540B01ABD324DB70CC42FEB73A4BB88744F10892FF59A862E1DA38F545CB4A

Function 00437580 Relevance: 31.7, APIs: 21, Instructions: 205COMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000022B8), ref: 00437595
EnterCriticalSection.KERNEL32(?), ref: 004375B8
LeaveCriticalSection.KERNEL32(?), ref: 004375C6
waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 004375E8
waveOutPrepareHeader.WINMM(?,?,00000020), ref: 00437631
waveOutWrite.WINMM(?,?,00000020), ref: 0043763E
EnterCriticalSection.KERNEL32(?), ref: 00437648
LeaveCriticalSection.KERNEL32(?), ref: 00437656
EnterCriticalSection.KERNEL32(?), ref: 00437685
ReleaseSemaphore.KERNEL32(?,00000014,00000000), ref: 004376A3
LeaveCriticalSection.KERNEL32(?), ref: 004376AA
waveOutPause.WINMM(?), ref: 004376B9
waveOutReset.WINMM(?), ref: 004376C3
waveOutUnprepareHeader.WINMM(?,00000000,00000020), ref: 004376E1
waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 00437706
EnterCriticalSection.KERNEL32(00506290), ref: 0043771C
LeaveCriticalSection.KERNEL32(00506290), ref: 00437778
CloseHandle.KERNEL32(?), ref: 004377A6
CloseHandle.KERNEL32(?), ref: 004377AC
CloseHandle.KERNEL32(?), ref: 004377B2
DeleteCriticalSection.KERNEL32(?), ref: 004377B8

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CriticalSection$wave$EnterHeaderLeave$CloseHandleUnprepare$DeleteMultipleObjectsPausePrepareReleaseResetSemaphoreWaitWrite
String ID:
API String ID: 361331667-0
Opcode ID: 39454d685e45af71b66388874a06764585216efb490201ad5065550e4a4863f6
Instruction ID: aa08ecfea030826155cf9c27ac2d77838a982f74341053d62e8ba321aad18240
Opcode Fuzzy Hash: 39454d685e45af71b66388874a06764585216efb490201ad5065550e4a4863f6
Instruction Fuzzy Hash: 83719EB5604209AFDB64CF68DC89AAE37A8EF88314F04592AF945D7250C778ED05CB98

Function 0041DA60 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 183windowmemoryCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(0000000F), ref: 0041DAB4
GetObjectA.GDI32(?,00000018,?), ref: 0041DAC7
SelectPalette.GDI32(?,00000000,00000000), ref: 0041DB22
RealizePalette.GDI32(?), ref: 0041DB2C
GlobalAlloc.KERNEL32(00000002,00000028), ref: 0041DB36
SelectPalette.GDI32(?,?,00000000), ref: 0041DB4C
GlobalLock.KERNEL32(00000000), ref: 0041DB54
GetDIBits.GDI32(?,?,00000000,?,00000000,00000000,00000000), ref: 0041DB83
GlobalUnlock.KERNEL32(00000000), ref: 0041DBD9
GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 0041DBE2
GlobalLock.KERNEL32(00000000), ref: 0041DBEF
GetDIBits.GDI32(?,?,00000000,?,00000000,00000000,00000000), ref: 0041DC12
SelectPalette.GDI32(?,?,00000000), ref: 0041DC25
GlobalUnlock.KERNEL32(00000000), ref: 0041DC2C
GlobalFree.KERNEL32(00000000), ref: 0041DC33

Part of subcall function 00477DEE: __EH_prolog.LIBCMT ref: 00477DF3
Part of subcall function 00477DEE: ReleaseDC.USER32(?,00000000), ref: 00477E12

Strings

(, xrefs: 0041DADA

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Global$Palette$Select$AllocBitsLockObjectUnlock$FreeH_prologRealizeReleaseStock
String ID: (
API String ID: 3986717603-3887548279
Opcode ID: 435d627b15ea19c00748296ca87b64a47aa6ffee157aa11427daaab41014be5e
Instruction ID: 1634841c967d182e34e89c3dfd087a5bf74f14034bdb3ccddf8362dc591beb1f
Opcode Fuzzy Hash: 435d627b15ea19c00748296ca87b64a47aa6ffee157aa11427daaab41014be5e
Instruction Fuzzy Hash: D1616AB25487409FC320DF54CC49B6FB7E8FB89B10F14892DFA8597290D7B5A805CB96

Function 004085B0 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 384windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00477EE4: __EH_prolog.LIBCMT ref: 00477EE9
Part of subcall function 00477EE4: BeginPaint.USER32(?,?,?,?,00407489), ref: 00477F12

Part of subcall function 00477A95: GetClipBox.GDI32(?,?), ref: 00477A9C

IsRectEmpty.USER32(?), ref: 004085F5
GetCurrentObject.GDI32(?,00000002), ref: 0040863A
GetCurrentObject.GDI32(?,00000001), ref: 0040864D
GetClientRect.USER32 ref: 004086D2
CreatePen.GDI32(-00000003,00000000,?), ref: 004086EE
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 004087B2

Part of subcall function 00477F56: __EH_prolog.LIBCMT ref: 00477F5B
Part of subcall function 00477F56: EndPaint.USER32(?,?,?,?,00407503), ref: 00477F78

Strings

gfff, xrefs: 00408922

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CurrentH_prologObjectPaintRect$BeginClientClipCreateEmpty
String ID: gfff
API String ID: 3506841274-1553575800
Opcode ID: cb78df8f8efea29207fd0e0e2a4e82aa2ad0717ad72b5891e70ee69f746d4c50
Instruction ID: 84475fed57fc6309bad2faaa26ced605f9c0754e3701d454ad9ce23e8975f978
Opcode Fuzzy Hash: cb78df8f8efea29207fd0e0e2a4e82aa2ad0717ad72b5891e70ee69f746d4c50
Instruction Fuzzy Hash: 3CE18DB11083419FC714DF64C984A6FB7E8FB84714F508A2EF59993290DB39E909CB6A

Function 004163C0 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 245COMMON

Download Yara Rule

APIs

SetWindowRgn.USER32(?,00000000,00000001), ref: 004163F1
GetWindowRect.USER32(?,?), ref: 0041641E
BeginPath.GDI32(?), ref: 004164A7
MulDiv.KERNEL32(7FFF0000,?,00007FFF), ref: 004164C0
MulDiv.KERNEL32(00000000,?,00007FFF), ref: 004164CF
MulDiv.KERNEL32(3FFF0000,?,00007FFF), ref: 004164F7
MulDiv.KERNEL32(00000000,?,00007FFF), ref: 00416506
EndPath.GDI32(?), ref: 00416521
PathToRegion.GDI32(?), ref: 0041652C

Strings

gfff, xrefs: 004165EA
gfff, xrefs: 004165FA

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Path$Window$BeginRectRegion
String ID: gfff$gfff
API String ID: 3989698161-3084402119
Opcode ID: 3542b5e7ee9a50fe237b10485d58a1eea6e8a4d88519bd8aaa1bb9eedcedd216
Instruction ID: f7dad664dab1b599b5265a1cc4251b1bcab9878d5f274a0e5e2cb94d2d1e07e8
Opcode Fuzzy Hash: 3542b5e7ee9a50fe237b10485d58a1eea6e8a4d88519bd8aaa1bb9eedcedd216
Instruction Fuzzy Hash: 4B81F5B16047419BC714DF25CC85AABB7E9FB94704F05892EF58A83390DA38E849C766

Function 004326F0 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 255windowCOMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 00432726

Part of subcall function 004780E1: __EH_prolog.LIBCMT ref: 004780E6
Part of subcall function 004780E1: CreateSolidBrush.GDI32(?), ref: 00478103

FillRect.USER32(?,?,00000000), ref: 00432764
GetSystemMetrics.USER32(0000002E), ref: 0043278D
GetSystemMetrics.USER32(0000002D), ref: 00432793
DrawFrameControl.USER32(?,?,00000003,?), ref: 00432806
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00432819
InflateRect.USER32(?,00FFFFFD,00000001), ref: 00432834
GetSysColor.USER32(0000000F), ref: 00432858
Rectangle.GDI32(?,?,?,?,?), ref: 004328AB
OffsetRect.USER32(?,00000001,00000001), ref: 00432915
GetSysColor.USER32(00000014), ref: 0043291B
OffsetRect.USER32(?,000000FF,000000FF), ref: 00432943
GetSysColor.USER32(00000010), ref: 00432949
InflateRect.USER32(?,000000FF,000000FF), ref: 00432992
DrawFocusRect.USER32(?,?), ref: 004329A1

Part of subcall function 004737B2: GetWindowTextLengthA.USER32(?), ref: 004737BF
Part of subcall function 004737B2: GetWindowTextA.USER32(?,00000000,00000000), ref: 004737D7

Strings

\VO, xrefs: 0043272F

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$ColorDraw$InflateMetricsOffsetSystemTextWindow$BrushControlCopyCreateEdgeFillFocusFrameH_prologLengthRectangleSolid
String ID: \VO
API String ID: 4239342997-2422581269
Opcode ID: 1abf5de5de815b56706138afbfcc1de0515ae9c7abca7ff1e9d760a1b38c9eee
Instruction ID: 3cf1ac0d6f2977c022c9e2c05122f9251f9e25d67f3a6ce3f4c396b2b7882b70
Opcode Fuzzy Hash: 1abf5de5de815b56706138afbfcc1de0515ae9c7abca7ff1e9d760a1b38c9eee
Instruction Fuzzy Hash: 97A18970208345AFD704DF68C888A6BBBE8FF88714F004A1DF59587390DBB4E949CB56

Function 00474CEE Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00475650: GetWindowLongA.USER32(?,000000F0), ref: 0047565C

GetParent.USER32(?), ref: 00474D19
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 00474D3C
GetWindowRect.USER32(?,?), ref: 00474D55
GetWindowLongA.USER32(00000000,000000F0), ref: 00474D68
CopyRect.USER32(?,?), ref: 00474DB5
CopyRect.USER32(?,?), ref: 00474DBF
GetWindowRect.USER32(00000000,?), ref: 00474DC8
CopyRect.USER32(?,?), ref: 00474DE4

Strings

@, xrefs: 00474D57
(, xrefs: 00474D80

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: ($@
API String ID: 808654186-1311469180
Opcode ID: dc271aa11eab96b35872365d5beb9c8ff005cc99d9ee8cee52f3bbad3cab86c8
Instruction ID: 33aaa6eebd9b44d4df325afcfff1a2668f3269a5d66366098d758c5bd0ebcb1e
Opcode Fuzzy Hash: dc271aa11eab96b35872365d5beb9c8ff005cc99d9ee8cee52f3bbad3cab86c8
Instruction Fuzzy Hash: FB518572900219AFDB11DBA8CC85EFE7BBDAF84710F15451AF905F7281D734AD058B68

Function 0045F2E0 Relevance: 25.8, APIs: 17, Instructions: 262fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,00000000,?,0045EF88,?,?,00000003), ref: 0045F304
CloseHandle.KERNEL32(00000000,?,?,0045EF88,?,?,00000003), ref: 0045F329
CloseHandle.KERNEL32(00000000,?,00000000,?,?,0045EF88,?,?,00000003), ref: 0045F34E

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateFile
String ID:
API String ID: 1378612225-0
Opcode ID: e5d64c4776824d1a6600e4c5e7c706abb6d202df391aab16010049e900b5a72c
Instruction ID: 93a5b94ac9923f3a0d88f560276e6fa69721c295438eab342225148944b91d43
Opcode Fuzzy Hash: e5d64c4776824d1a6600e4c5e7c706abb6d202df391aab16010049e900b5a72c
Instruction Fuzzy Hash: 3B71D6B27006047BD350EB64AC49B6F7358EB94325F14053EFD0AE6242FA29E50DC7AB

Function 00425E90 Relevance: 24.8, APIs: 8, Strings: 6, Instructions: 282COMMON

Download Yara Rule

APIs

GetProfileStringA.KERNEL32(windows,device,,,,,?,000001F4), ref: 00425F0F
GetProfileStringA.KERNEL32(devices,00000000,005061F8,?,00001000), ref: 00425F43
GetProfileStringA.KERNEL32(devices,?,,,,,?,000000C8), ref: 00425FCA

Strings

,,,, xrefs: 00425F00, 00425FBF
windows, xrefs: 00425F0A
devices, xrefs: 00425F3E, 00425FC5
\VO, xrefs: 00425F45
none, xrefs: 00426000
device, xrefs: 00425F05

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ProfileString
String ID: ,,,$\VO$device$devices$none$windows
API String ID: 1468043044-979354821
Opcode ID: 462362b1efea64711f958d32f810c43c0a75208805c48dab6a357b303f9df8a3
Instruction ID: 72a3fcc8f70a006dab4db8beaee3707adff94381c471827522dd11c0ade0c22b
Opcode Fuzzy Hash: 462362b1efea64711f958d32f810c43c0a75208805c48dab6a357b303f9df8a3
Instruction Fuzzy Hash: ABB19770218381DFD320DF65C881BEBB7E4AF99358F400A1EF95993291DB78A904CB67

Function 00460842 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,0046097B), ref: 00460864
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0046087C
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0046088D
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0046089E
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 004608AF
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 004608C0
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004608D1

Strings

GetMonitorInfoA, xrefs: 004608CB
GetSystemMetrics, xrefs: 00460876
USER32, xrefs: 0046085F
MonitorFromPoint, xrefs: 004608A9
MonitorFromRect, xrefs: 00460898
MonitorFromWindow, xrefs: 00460887
EnumDisplayMonitors, xrefs: 004608BA

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2376520503
Opcode ID: d13820b460386aebcabd403ba4983d4676148ab36bbcd71366257b50b4b90d2e
Instruction ID: 5b45710062983dbec34d8486d3dc9b0a2c00a7010c6b970f7802fab2d545ebf1
Opcode Fuzzy Hash: d13820b460386aebcabd403ba4983d4676148ab36bbcd71366257b50b4b90d2e
Instruction Fuzzy Hash: 09119D70E022119FDB13AF25ACC95AFBAE4B65C7A4360843FD009D3251E7F84459AA6B

Function 00440FC0 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 372COMMON

Download Yara Rule

APIs

Part of subcall function 00477EE4: __EH_prolog.LIBCMT ref: 00477EE9
Part of subcall function 00477EE4: BeginPaint.USER32(?,?,?,?,00407489), ref: 00477F12

Part of subcall function 00440510: GetWindowExtEx.GDI32(?,?), ref: 00440533

MulDiv.KERNEL32(?,00000064,?), ref: 0044107B
GetClientRect.USER32(?,?), ref: 00441109
DPtoLP.GDI32(?,?,00000002), ref: 0044111E
OffsetRect.USER32 ref: 0044116D
Rectangle.GDI32(?,?,?,?,?), ref: 004411AB
FillRect.USER32(?,?,?), ref: 00441203
FillRect.USER32(?,00000032,?), ref: 00441246
LPtoDP.GDI32(?,?,00000002), ref: 004412EF
IsRectEmpty.USER32(?), ref: 004412F6
CreateRectRgnIndirect.GDI32(?), ref: 0044133A

Part of subcall function 00477AA5: SelectClipRgn.GDI32(?,00000000), ref: 00477AC7
Part of subcall function 00477AA5: SelectClipRgn.GDI32(?,?), ref: 00477ADD

LPtoDP.GDI32(?,?,00000001), ref: 0044137A
DPtoLP.GDI32(?,?,00000001), ref: 004413A1

Strings

2, xrefs: 00441165

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$ClipFillSelect$BeginClientCreateEmptyH_prologIndirectOffsetPaintRectangleWindow
String ID: 2
API String ID: 2521159323-450215437
Opcode ID: e535424e4969fd1bee50bcc5fd7d5d7d4b1079d50ea380a4ee942e4176eda42f
Instruction ID: b5526800f66695e85caf96ce22d6fcee9c0ff35ef3e05dbb7cc50012dae84c19
Opcode Fuzzy Hash: e535424e4969fd1bee50bcc5fd7d5d7d4b1079d50ea380a4ee942e4176eda42f
Instruction Fuzzy Hash: EBE129716087409FD324DF69C880B6BB7E9BBC8704F408A2EF59A87351DB74E948CB56

Function 00412710 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 310libraryregistryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,005057D0,00000000), ref: 004127F4
LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,004EBC78,?,?,?,?,?,?,00000000,005057D0,00000000), ref: 00412831
GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00412867
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,005057D0,00000000), ref: 00412872
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,005057D0,00000000), ref: 00412880
LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0041298D
RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 004129C2
CLSIDFromString.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,005057D0,00000000), ref: 00412A87
UnRegisterTypeLib.OLEAUT32(?,00000000,00000000,00000000,00000001), ref: 00412AA3

Strings

`\A, xrefs: 004129DC, 00412A1C, 00412AB3
DllRegisterServer, xrefs: 00412859
\VO, xrefs: 004128CE
DllUnregisterServer, xrefs: 00412860, 00412865

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Library$LoadType$FreeRegister$AddressFromProcString
String ID: DllRegisterServer$DllUnregisterServer$\VO$`\A
API String ID: 2476498075-2904461489
Opcode ID: 2c1f902cf2e2e42bd959cb8b9514c15467df9952a7daf8a10a884e138e973be2
Instruction ID: 2a7cd6143d08823eed12b8c27d4c3e0507f0e7245fdf56a52279f6a062aea394
Opcode Fuzzy Hash: 2c1f902cf2e2e42bd959cb8b9514c15467df9952a7daf8a10a884e138e973be2
Instruction Fuzzy Hash: B7B1D2B0900209ABDB14EFA4C945BEF7378EF44318F14861EF815E7281DBB89E45CB65

Function 0046FB8A Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 119registryclipboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047ADA8: TlsGetValue.KERNEL32(00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2,?,00000000,?,0046EFFB,00000000,00000000,00000000,00000000), ref: 0047ADE7

RegisterClipboardFormatA.USER32(commdlg_LBSelChangedNotify), ref: 0046FBE2
RegisterClipboardFormatA.USER32(commdlg_ShareViolation), ref: 0046FBEE
RegisterClipboardFormatA.USER32(commdlg_FileNameOK), ref: 0046FBFA
RegisterClipboardFormatA.USER32(commdlg_ColorOK), ref: 0046FC06
RegisterClipboardFormatA.USER32(commdlg_help), ref: 0046FC12
RegisterClipboardFormatA.USER32(commdlg_SetRGBColor), ref: 0046FC1E

Part of subcall function 0047550D: SetWindowLongA.USER32(?,000000FC,00000000), ref: 0047553C

SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 0046FD11

Strings

commdlg_ShareViolation, xrefs: 0046FBE4
commdlg_ColorOK, xrefs: 0046FBFC
commdlg_SetRGBColor, xrefs: 0046FC14
commdlg_help, xrefs: 0046FC08
commdlg_FileNameOK, xrefs: 0046FBF0
commdlg_LBSelChangedNotify, xrefs: 0046FBDD

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ClipboardFormatRegister$LongMessageSendValueWindow
String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 3913284445-3888057576
Opcode ID: be2e6bc80918cd9e81a3b6603a6f9dad23a3bf797affcb16a16c028d49ff66a2
Instruction ID: e8cbde16e72be945a173f910a9890911ac1ff162c4cd2530079f0ce0d075924f
Opcode Fuzzy Hash: be2e6bc80918cd9e81a3b6603a6f9dad23a3bf797affcb16a16c028d49ff66a2
Instruction Fuzzy Hash: 3941C870600209EBDB219F25ED54AAE3BE1FB54350F10843BF845573A1E7786889DBAB

Function 00420260 Relevance: 22.8, APIs: 15, Instructions: 305windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A890: EnumDisplaySettingsA.USER32(00000000,000000FF,?), ref: 0041A89F

SetStretchBltMode.GDI32(?,00000000), ref: 00420274
CreateCompatibleDC.GDI32(?), ref: 004202F9
CreateCompatibleDC.GDI32(?), ref: 00420311
GetObjectA.GDI32(?,00000018,?), ref: 00420352
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00420368
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004203C6
StretchBlt.GDI32(?,000000FF,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0042041F
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,008800C6), ref: 00420459
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420493
CreateCompatibleDC.GDI32(?), ref: 0042050B
SelectObject.GDI32(00000000,?), ref: 00420518
StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?), ref: 0042055B
SelectObject.GDI32(00000000,?), ref: 00420567
DeleteDC.GDI32(00000000), ref: 0042056E
DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 004205AD

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Stretch$Create$CompatibleObject$Select$BitmapDeleteDisplayDrawEnumIconModeSettings
String ID:
API String ID: 1298110373-0
Opcode ID: 0537f947b89385689be2f9d7d032549ad8574c3dea090f18741f97c5f748d6fa
Instruction ID: 17619965480f62b14a52ff191b809c7ce4d7e6d4c3db2964fc58394abe64549d
Opcode Fuzzy Hash: 0537f947b89385689be2f9d7d032549ad8574c3dea090f18741f97c5f748d6fa
Instruction Fuzzy Hash: 50B14771204704AFD260DB24DC85F6BB7E9FB88714F508A1DFAA987291DB34EC058B66

Function 00407990 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 430COMMON

Download Yara Rule

APIs

Part of subcall function 00477EE4: __EH_prolog.LIBCMT ref: 00477EE9
Part of subcall function 00477EE4: BeginPaint.USER32(?,?,?,?,00407489), ref: 00477F12

Part of subcall function 00477A95: GetClipBox.GDI32(?,?), ref: 00477A9C

IsRectEmpty.USER32(?), ref: 004079D7
GetClientRect.USER32(?,?), ref: 004079EF
InflateRect.USER32(?,?,?), ref: 00407AAD
IntersectRect.USER32(?,?,?), ref: 00407B17
CreateRectRgn.GDI32(?,?,?,?), ref: 00407B31
FillRgn.GDI32(?,?,?), ref: 00407CF0
GetCurrentObject.GDI32(?,00000006), ref: 00407D6F

Part of subcall function 0047763C: GetStockObject.GDI32(?), ref: 00477645
Part of subcall function 0047763C: SelectObject.GDI32(?,00000000), ref: 0047765F
Part of subcall function 0047763C: SelectObject.GDI32(?,00000000), ref: 0047766A

OffsetRect.USER32(?,00000001,00000001), ref: 00407E4D
OffsetRect.USER32(?,00000002,00000002), ref: 00407EE1
OffsetRect.USER32(?,00000001,00000001), ref: 00407E94

Part of subcall function 0047780C: SetTextColor.GDI32(?,?), ref: 00477826
Part of subcall function 0047780C: SetTextColor.GDI32(?,?), ref: 00477834

Strings

`\A, xrefs: 004079F8
\VO, xrefs: 00407D0B

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$Object$Offset$ColorSelectText$BeginClientClipCreateCurrentEmptyFillH_prologInflateIntersectPaintStock
String ID: \VO$`\A
API String ID: 4264835570-155183320
Opcode ID: 21ed0e643a88cbe9fce1cc9bc6fe74b20f5628e7b51a1746d9653e32ba41e356
Instruction ID: f1cb8365919adad034e9c0048380ad3851465d879629627dbbddc62b84a7a698
Opcode Fuzzy Hash: 21ed0e643a88cbe9fce1cc9bc6fe74b20f5628e7b51a1746d9653e32ba41e356
Instruction Fuzzy Hash: 970258715083809FC324DF65C884AABB7E9AFD8304F404D2EF19A97391DB78A949CB57

Function 004371A0 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 331threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0043730B
CreateSemaphoreA.KERNEL32(00000000,00000014,00000014,00000000), ref: 00437320
InitializeCriticalSection.KERNEL32(?), ref: 0043734B
CreateThread.KERNEL32(00000000,00000000,00437580,?,00000004,?), ref: 00437380
EnterCriticalSection.KERNEL32(00506290), ref: 00437392
LeaveCriticalSection.KERNEL32(00506290,?,?,?), ref: 00437545
ResumeThread.KERNEL32(?), ref: 00437553
ReleaseSemaphore.KERNEL32(?,00000014,00000000), ref: 00437565

Strings

data, xrefs: 00437245
fmt , xrefs: 00437224
WAVE, xrefs: 004371E1, 004371F8
RIFF, xrefs: 004371B4, 004371C8

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CreateCriticalSection$SemaphoreThread$EnterEventInitializeLeaveReleaseResume
String ID: RIFF$WAVE$data$fmt
API String ID: 1802393137-4212202414
Opcode ID: 1f4f1fb0654d643843ba443eee6c62bf41dbaafe7756f7bda6b53ceec7718e72
Instruction ID: 3b36d0e92ecd7ea351ef81ddf933bb2881005b542b3d166f59ff4336fec43f12
Opcode Fuzzy Hash: 1f4f1fb0654d643843ba443eee6c62bf41dbaafe7756f7bda6b53ceec7718e72
Instruction Fuzzy Hash: B4B102B56043019FD724DB24DC81A2F77D5FB88318F144A2EFA8697380E6B8ED05CB99

Function 0045EEA0 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 296stringlibraryCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00000004,Untitled), ref: 0045EEFC
lstrcpyA.KERNEL32(00000108,0050C380), ref: 0045EF0A

Part of subcall function 0046F09D: __EH_prolog.LIBCMT ref: 0046F0A2

Part of subcall function 00471416: InterlockedDecrement.KERNEL32(-000000F4), ref: 0047142A

LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,00000003), ref: 0045F0D6
EnumResourceNamesA.KERNEL32(00000000,0000000E,0045EE60,00000000), ref: 0045F0F1
FreeLibrary.KERNEL32(?,?,?,?,00000003), ref: 0045F146

Part of subcall function 0045F2E0: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,00000000,?,0045EF88,?,?,00000003), ref: 0045F304
Part of subcall function 0045F2E0: CloseHandle.KERNEL32(00000000,?,?,0045EF88,?,?,00000003), ref: 0045F329

FreeLibrary.KERNEL32(?,?,?,?,?,?,00000003), ref: 0045F264

Part of subcall function 00471484: lstrlenA.KERNEL32(004EBE14,?,?,?,0041239F,004EBE04,004EBE14,?), ref: 004714AE

Part of subcall function 00471503: InterlockedIncrement.KERNEL32(-000000F4), ref: 00471546

Strings

Untitled, xrefs: 0045EEF6
icl, xrefs: 0045F02B, 0045F0BC, 0045F1E6
ico, xrefs: 0045EF68, 0045F185
dll, xrefs: 0045F015, 0045F0A6, 0045F1D0
exe, xrefs: 0045EFFF, 0045F090, 0045F1BA
bmp, xrefs: 0045F058

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Library$FreeInterlockedlstrcpy$CloseCreateDecrementEnumFileH_prologHandleIncrementLoadNamesResourcelstrlen
String ID: Untitled$bmp$dll$exe$icl$ico
API String ID: 512669960-3908647699
Opcode ID: 7b2fdd93bb655b9ba533a1d1734fdcb55384f03c7c1e911517c3e1ce0ba97275
Instruction ID: 87f68cac6fa1f83a54633933f61fd927329eb339b200a04d74b17ee5601f88cd
Opcode Fuzzy Hash: 7b2fdd93bb655b9ba533a1d1734fdcb55384f03c7c1e911517c3e1ce0ba97275
Instruction Fuzzy Hash: F7A10B71504341ABC710EF65CC81AAF77D86B54309F140E2EF99593292EB78E90DC76B

Function 0040A020 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 130stringprocessCOMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,?), ref: 0040A0B8
lstrcatA.KERNEL32(?,\shell\open\command,80000000,.htm,?,?,?,?), ref: 0040A0F7
lstrlenA.KERNEL32(?), ref: 0040A14C
lstrcatA.KERNEL32(00000000,004EBC8C), ref: 0040A195
lstrcatA.KERNEL32(00000000,?), ref: 0040A19D
WinExec.KERNEL32(?,?), ref: 0040A1A5

Part of subcall function 00471416: InterlockedDecrement.KERNEL32(-000000F4), ref: 0047142A

Strings

\shell\open\command, xrefs: 0040A0F1
mailto:, xrefs: 0040A086
.htm, xrefs: 0040A0D0
open, xrefs: 0040A0B1
"%1", xrefs: 0040A11B
\VO, xrefs: 0040A03B

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: lstrcat$DecrementExecExecuteInterlockedShelllstrlen
String ID: "%1"$.htm$\VO$\shell\open\command$mailto:$open
API String ID: 51986957-351272319
Opcode ID: c52b00253a0554a0f1561ef04ac30bb903421b257e8e8e7e3b8eb3e00ed38aae
Instruction ID: 1c9faf835a631aa9990e3421a01c6563ae46c5a1cbe0c9043d5f651ae57a446e
Opcode Fuzzy Hash: c52b00253a0554a0f1561ef04ac30bb903421b257e8e8e7e3b8eb3e00ed38aae
Instruction Fuzzy Hash: 2041E731144342ABD324DF65DC84F9BB3A4EB84750F104A2EF955A72D0EB78AC05C7AB

Function 0042CA40 Relevance: 19.8, APIs: 13, Instructions: 320windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0042CA5E
SetCapture.USER32(?,?,?,?,?,?,?,?,?,0047E088,000000FF,0042C29D,?,?,?,?), ref: 0042CA7B

Part of subcall function 00477D7C: __EH_prolog.LIBCMT ref: 00477D81
Part of subcall function 00477D7C: GetDC.USER32(00000000), ref: 00477DAA

Part of subcall function 00440510: GetWindowExtEx.GDI32(?,?), ref: 00440533

Part of subcall function 00477CAA: GetWindowExtEx.GDI32(?,?), ref: 00477CBB
Part of subcall function 00477CAA: GetViewportExtEx.GDI32(?,?), ref: 00477CC8
Part of subcall function 00477CAA: MulDiv.KERNEL32(?,00000000,00000000), ref: 00477CED
Part of subcall function 00477CAA: MulDiv.KERNEL32(?,00000000,00000000), ref: 00477D08

Part of subcall function 0047783B: SetMapMode.GDI32(?,?), ref: 00477854
Part of subcall function 0047783B: SetMapMode.GDI32(?,?), ref: 00477862

Part of subcall function 004777B0: SetROP2.GDI32(?,?), ref: 004777C9
Part of subcall function 004777B0: SetROP2.GDI32(?,?), ref: 004777D7

Part of subcall function 00477754: SetBkMode.GDI32(?,?), ref: 0047776D
Part of subcall function 00477754: SetBkMode.GDI32(?,?), ref: 0047777B

Part of subcall function 00478091: __EH_prolog.LIBCMT ref: 00478096
Part of subcall function 00478091: CreatePen.GDI32(?,?,?), ref: 004780B9

Part of subcall function 00477678: SelectObject.GDI32(?,00000000), ref: 0047769A
Part of subcall function 00477678: SelectObject.GDI32(?,?), ref: 004776B0

GetCapture.USER32 ref: 0042CB41
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0042CB60
DispatchMessageA.USER32(?), ref: 0042CBA1
DispatchMessageA.USER32(?), ref: 0042CBBD
ScreenToClient.USER32(?,?), ref: 0042CC04
GetCapture.USER32 ref: 0042CC2C
ReleaseCapture.USER32 ref: 0042CC54
ReleaseCapture.USER32 ref: 0042CCB0
DPtoLP.GDI32 ref: 0042CCF4
InvalidateRect.USER32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,?,?), ref: 0042CD7D
InvalidateRect.USER32(?,00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0042CE0B

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Capture$Mode$Message$DispatchH_prologInvalidateObjectRectReleaseSelectWindow$ClientCreateScreenViewport
String ID:
API String ID: 453157188-0
Opcode ID: 94c846517be21040bb1880835b283ea298a5a98bf9f035a891f81d1e499249dd
Instruction ID: a9d9feff164a58bc1f3445cd106c9e04f289eaa40406c24c17a27bb605ba7f3c
Opcode Fuzzy Hash: 94c846517be21040bb1880835b283ea298a5a98bf9f035a891f81d1e499249dd
Instruction Fuzzy Hash: 9EB1B671208710AFD324EB25D885F6FB7E9BF84704F504A1EF15683291DB78E905CB5A

Function 00417CD0 Relevance: 19.7, APIs: 13, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00417D1A

Part of subcall function 004757AE: IsWindowEnabled.USER32(?), ref: 004757B8

IsWindow.USER32(?), ref: 00417DBB
GetParent.USER32(?), ref: 00417DD6
IsWindowVisible.USER32(?), ref: 00417DEA
SetActiveWindow.USER32(?), ref: 00417E0B
IsWindow.USER32(?), ref: 00417E28
UpdateWindow.USER32(?), ref: 00417E36
IsWindow.USER32(?), ref: 00417E3D
IsWindow.USER32(?), ref: 00417E98
IsWindow.USER32(?), ref: 00417EF2
GetFocus.USER32 ref: 00417F06
IsWindow.USER32(00000000), ref: 00417F13
IsChild.USER32(?,00000000), ref: 00417F22

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$Parent$ActiveChildEnabledFocusUpdateVisible
String ID:
API String ID: 983273251-0
Opcode ID: 256eba9843d91fd78323f9a5e5e5b1632a414b9c0f2d8a220287970851882ebf
Instruction ID: 4470a9682c9feab395cd8ae13c9142f9bdb3a8f6857d57a6888fa44c00c6021b
Opcode Fuzzy Hash: 256eba9843d91fd78323f9a5e5e5b1632a414b9c0f2d8a220287970851882ebf
Instruction Fuzzy Hash: AF51A075A083059BD7249FA1D980AAFBBF8BF44740F04492FF94592310DB38E885CBA9

Function 0041F420 Relevance: 19.7, APIs: 9, Strings: 2, Instructions: 405COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,?,?), ref: 0041F4C6

Part of subcall function 0041F1F0: SetRect.USER32(?,00000000,00000032,00000032,?), ref: 0041F2D9
Part of subcall function 0041F1F0: OffsetRect.USER32(?,?,?), ref: 0041F2E6
Part of subcall function 0041F1F0: IntersectRect.USER32(?,?,?), ref: 0041F302
Part of subcall function 0041F1F0: IsRectEmpty.USER32(?), ref: 0041F30D

InflateRect.USER32(?,?,?), ref: 0041F539
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0041F73D
GetClipRgn.GDI32(?,00000000), ref: 0041F74C
CreatePolygonRgn.GDI32 ref: 0041F7CA
SelectClipRgn.GDI32(?,?), ref: 0041F8AD
CreatePolygonRgn.GDI32(?,00000005,00000002), ref: 0041F8D0
SelectClipRgn.GDI32(?,?), ref: 0041F951
DeleteObject.GDI32(?), ref: 0041F967

Strings

`\A, xrefs: 0041F43B
gfff, xrefs: 0041F62D

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$ClipCreate$InflatePolygonSelect$DeleteEmptyIntersectObjectOffset
String ID: `\A$gfff
API String ID: 1105800552-3693403256
Opcode ID: 002463bd868e213b3c005d189c5053b50a67326df2e2d58a4613c1d58e2a01c1
Instruction ID: 21808003a164f294b132e143f502ca60ad606ef5f00e253bb2e44b17dd95ff05
Opcode Fuzzy Hash: 002463bd868e213b3c005d189c5053b50a67326df2e2d58a4613c1d58e2a01c1
Instruction Fuzzy Hash: 63F12A706083419FD324CF19C984BABBBE5BBC8314F108A2EF59987351D774E94ACB56

Function 004721F8 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004721FD
GetSystemMetrics.USER32(0000002A), ref: 004722AE
GlobalLock.KERNEL32(?), ref: 00472338
CreateDialogIndirectParamA.USER32(?,?,?,Function_00072040,00000000), ref: 0047236A

Strings

Helv, xrefs: 004722E2
MS Shell Dlg, xrefs: 004722BC
\VO, xrefs: 0047227D
MS Sans Serif, xrefs: 004722CF

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
String ID: Helv$MS Sans Serif$MS Shell Dlg$\VO
API String ID: 2364537584-3953083670
Opcode ID: 6712e40696192dba4334bfd25885df9e5e14d6970fa915b4632f2d76f07b4467
Instruction ID: fde4db3d83bfafcfc887cc612e2a652cf5ead152118e26608ad6e8270f66426b
Opcode Fuzzy Hash: 6712e40696192dba4334bfd25885df9e5e14d6970fa915b4632f2d76f07b4467
Instruction Fuzzy Hash: 35617E3190020ADFCF10EFA4D9859EEBBB1BF04304F24846FE509A6291DB788E44DB99

Function 00433CF0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433D0B

Part of subcall function 004757C9: EnableWindow.USER32(?,00000000), ref: 004757D7

Part of subcall function 00475576: GetDlgItem.USER32(?,?), ref: 00475584

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433D45
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433D5C
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433DAD
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433DE7
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433E14
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433E4A

Strings

h O, xrefs: 00433DEC
\ O, xrefs: 00433DF3
P O, xrefs: 00433E19
D O, xrefs: 00433E20

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend$EnableItemWindow
String ID: D O$P O$\ O$h O
API String ID: 607626308-3003591817
Opcode ID: c4f34f34c212208e42cfb6fb293a5e3e66226cac0385e92f86c9542618333e27
Instruction ID: c5d2a1c0cf419669732a6fff45e4f0234bbcf3fc0023316852f4da3bfb549d37
Opcode Fuzzy Hash: c4f34f34c212208e42cfb6fb293a5e3e66226cac0385e92f86c9542618333e27
Instruction Fuzzy Hash: B1318531380B0077E67866758C96FEB12699BC5F04F10891EB31A9F2C6DDE8F905875C

Function 004167A0 Relevance: 18.4, APIs: 12, Instructions: 354COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32(?,?,?,?), ref: 004167EE
GetClientRect.USER32(?,?), ref: 00416889
CreateRectRgn.GDI32 ref: 004168FA
CombineRgn.GDI32(?,?,004D7FEC,00000004), ref: 0041692B
SetRect.USER32(?,00000000,?,?,?), ref: 00416982
IntersectRect.USER32(?,?,?), ref: 0041698F
IsRectEmpty.USER32(?), ref: 004169BA
__ftol.LIBCMT ref: 00416A98
__ftol.LIBCMT ref: 00416AA5
CreateRectRgn.GDI32(00000000,?,00000000,00000000), ref: 00416AFE
CombineRgn.GDI32(?,?,004D7FEC,00000004), ref: 00416B2F

Part of subcall function 00420260: SetStretchBltMode.GDI32(?,00000000), ref: 00420274
Part of subcall function 00420260: CreateCompatibleDC.GDI32(?), ref: 004202F9
Part of subcall function 00420260: CreateCompatibleDC.GDI32(?), ref: 00420311
Part of subcall function 00420260: GetObjectA.GDI32(?,00000018,?), ref: 00420352
Part of subcall function 00420260: CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00420368

FillRgn.GDI32(?,?,00000000), ref: 00416BAC

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$Create$CombineCompatible__ftol$BitmapClientEmptyFillIntersectModeObjectStretch
String ID:
API String ID: 3212946024-0
Opcode ID: a60ac143f793ec1e8565695001fda561b7fec4dd3d7a87a3c07b57fd3af81bff
Instruction ID: 0e6a80a6e4318c68411253c9e066ec459b68b9a8fc38486085164a77caeaf467
Opcode Fuzzy Hash: a60ac143f793ec1e8565695001fda561b7fec4dd3d7a87a3c07b57fd3af81bff
Instruction Fuzzy Hash: 99D19C715083409FC714DF25C884AAFBBE9FBC4344F158A1EF49993251EB34E949CB66

Function 0045F6F0 Relevance: 18.1, APIs: 12, Instructions: 146stringlibraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32 ref: 0045F70C
FindResourceA.KERNEL32(00000000,?,0000000E), ref: 0045F72C
LoadResource.KERNEL32(00000000,00000000), ref: 0045F73C
LockResource.KERNEL32(00000000), ref: 0045F74B
lstrcpyA.KERNEL32(00000108,?,00000000,0045F20D,?,?,?,?,?,?,?,00000003), ref: 0045F79A
lstrcpyA.KERNEL32(00000004,005187F4,?,?,?,?,?,00000003), ref: 0045F7A5
FindResourceA.KERNEL32(00000000,00000000,00000003), ref: 0045F7D9
LoadResource.KERNEL32(00000000,00000000), ref: 0045F7EB
SizeofResource.KERNEL32(00000000,00000000), ref: 0045F7FD
LockResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000003), ref: 0045F815
FreeLibrary.KERNEL32(00000000), ref: 0045F86A
FreeLibrary.KERNEL32(00000000), ref: 0045F89A

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Resource$LibraryLoad$FindFreeLocklstrcpy$Sizeof
String ID:
API String ID: 680694701-0
Opcode ID: e9f1649fae0fcbdfd11c1a9c48ec548ff949134455c521bc6e02bfa377c7782b
Instruction ID: c1e52c1d842852864ad50ae5e09fc00e7d3b6428034577f7c2df6316cf1ac212
Opcode Fuzzy Hash: e9f1649fae0fcbdfd11c1a9c48ec548ff949134455c521bc6e02bfa377c7782b
Instruction Fuzzy Hash: 19418EB26003019BD350EB65D948A5BB7E9BF88711F044A3EEC5AD7301EB79E80CC766

Function 004174D0 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 387windowCOMMON

Download Yara Rule

APIs

IsChild.USER32(?,?), ref: 00417508
GetParent.USER32(?), ref: 00417599
IsWindow.USER32(?), ref: 004176CB
IsWindowVisible.USER32(?), ref: 004176DD

Part of subcall function 004757AE: IsWindowEnabled.USER32(?), ref: 004757B8

GetParent.USER32(?), ref: 0041772E
IsChild.USER32(?,?), ref: 0041774E
GetParent.USER32(?), ref: 004178F7
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00417914
IsWindow.USER32(?), ref: 0041796F

Part of subcall function 0040E6D0: IsChild.USER32(?,?), ref: 0040E74D
Part of subcall function 0040E6D0: GetParent.USER32(?), ref: 0040E767

Strings

`\A, xrefs: 00417980

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ParentWindow$Child$EnabledMessageSendVisible
String ID: `\A
API String ID: 2452671399-2688774508
Opcode ID: aa64087c053f8b682c7e6de7fe95a305eb914c8423ecfcc6edf21f42f63de7f3
Instruction ID: 06ea7e021641c4486a28e1da1497cc32289bdd10cc7d44b10d7623f0a89af477
Opcode Fuzzy Hash: aa64087c053f8b682c7e6de7fe95a305eb914c8423ecfcc6edf21f42f63de7f3
Instruction Fuzzy Hash: D0E18F716083419FD720DF25C884BABB7B5BF84714F004A2EF9959B381DB38E949CB96

Function 00408040 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMON

Download Yara Rule

APIs

Part of subcall function 0041FE20: CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 0041FEAC
Part of subcall function 0041FE20: CreateCompatibleDC.GDI32(?), ref: 0041FEBE
Part of subcall function 0041FE20: CreateCompatibleDC.GDI32(?), ref: 0041FEC7
Part of subcall function 0041FE20: SelectObject.GDI32(00000000,?), ref: 0041FED6
Part of subcall function 0041FE20: CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041FEE9
Part of subcall function 0041FE20: SelectObject.GDI32(?,00000000), ref: 0041FEF9
Part of subcall function 0041FE20: BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0041FF19
Part of subcall function 0041FE20: SelectObject.GDI32(00000000,?), ref: 0041FF25
Part of subcall function 0041FE20: DeleteDC.GDI32(00000000), ref: 0041FF32
Part of subcall function 0041FE20: SelectObject.GDI32(?,?), ref: 0041FF3A
Part of subcall function 0041FE20: DeleteDC.GDI32(?), ref: 0041FF41

__ftol.LIBCMT ref: 00408165
__ftol.LIBCMT ref: 00408172
CreateRectRgn.GDI32(00000000,?,00000000,?), ref: 004081E4
CombineRgn.GDI32(?,?,004D7AF0,00000004), ref: 0040820A
SetRect.USER32(?,00000000,?,?,?), ref: 00408256
IntersectRect.USER32(?,?,?), ref: 0040826E
IsRectEmpty.USER32(?), ref: 00408299
CreateRectRgn.GDI32(00000000,?,?,00000000), ref: 0040833E
CombineRgn.GDI32(?,?,004D7AF0,00000004), ref: 00408364

Strings

`\A, xrefs: 004080A0

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Create$Rect$ObjectSelect$Compatible$BitmapCombineDelete__ftol$EmptyIntersect
String ID: `\A
API String ID: 909876544-2688774508
Opcode ID: 357a318d80e4e3c8d1fd5bdeef9a49cbf78daf671901a178b81949cff686fed4
Instruction ID: 63671907397360969e349ad5660b0327fe40b9bad902412418eba6627bf7169b
Opcode Fuzzy Hash: 357a318d80e4e3c8d1fd5bdeef9a49cbf78daf671901a178b81949cff686fed4
Instruction Fuzzy Hash: 25A17A716083419BC320CF68C984A5FBBE9FBC8744F504A2EF59597391EB74E808CB96

Function 004693F4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,004DEC1C,00000001,00000000,00000000,771AE860,0051AD08,?,?,?,004629ED,?,?,?,00000000), ref: 00469436
LCMapStringA.KERNEL32(00000000,00000100,004DEC18,00000001,00000000,00000000,?,?,004629ED,?,?,?,00000000,00000001), ref: 00469452
LCMapStringA.KERNEL32(?,?,?,)F,?,?,771AE860,0051AD08,?,?,?,004629ED,?,?,?,00000000), ref: 0046949B
MultiByteToWideChar.KERNEL32(?,?,?,)F,00000000,00000000,771AE860,0051AD08,?,?,?,004629ED,?,?,?,00000000), ref: 004694D3
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,004629ED,?,?,?,00000000,00000001), ref: 0046952B
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,004629ED,?,?,?,00000000,00000001), ref: 00469541
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,004629ED,?,?,?,00000000,00000001), ref: 00469574
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,004629ED,?,?,?,00000000,00000001), ref: 004695DC

Strings

)F, xrefs: 004694BE, 00469520, 0046948F, 0046946F

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide
String ID: )F
API String ID: 352835431-1070133202
Opcode ID: 7363abf5f5682ae36ce60476e9292e1a49bdb7b9d4ef4710b8faabfbaf433b88
Instruction ID: 3be8cce5d83ac86928851763af1a71f82da28278e5e8115e3b8f9552b7e71d9f
Opcode Fuzzy Hash: 7363abf5f5682ae36ce60476e9292e1a49bdb7b9d4ef4710b8faabfbaf433b88
Instruction Fuzzy Hash: BA518E72500249BBCF228F94CD45ADF7FB8FF48750F10452AF912A1260E3798D51EB6A

Function 0041DDA0 Relevance: 16.8, APIs: 11, Instructions: 265windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041DDDD
MulDiv.KERNEL32(?,?,00000064), ref: 0041DE12
MulDiv.KERNEL32(?,?,00000064), ref: 0041DE3D
GetDeviceCaps.GDI32 ref: 0041DE77
GetSystemPaletteEntries.GDI32(?,00000000,000000FF,00000004), ref: 0041DEB1
CreatePalette.GDI32(00000000), ref: 0041DEBC
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041DF1C
CreateCompatibleDC.GDI32(?), ref: 0041DF4F
CreateCompatibleDC.GDI32(?), ref: 0041DF88
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041DFEB
GlobalFree.KERNEL32(00000000), ref: 0041E0B3

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Create$Compatible$Palette$BitmapCapsDeviceEntriesFreeGlobalObjectStretchSystem
String ID:
API String ID: 3563226738-0
Opcode ID: 8b213860d65f115ec9d9f929d5eff3fb916814fb8737f405b49db870d71c244d
Instruction ID: 4b63b71474c78258b4da8facf669470d9be33977debdc7d8171cbf374fef7e16
Opcode Fuzzy Hash: 8b213860d65f115ec9d9f929d5eff3fb916814fb8737f405b49db870d71c244d
Instruction Fuzzy Hash: A191E4B15087449FC320EF65C845BAFB7E8AF98714F50491EF69983281DB78E808CB5A

Function 00442920 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

GetTextExtentPoint32A.GDI32(?,?,?,00000090), ref: 0044299F
GetTextExtentPoint32A.GDI32(?,?,?,00000090), ref: 004429C4
GetWindowRect.USER32(?,?), ref: 00442A4E
SetRect.USER32(00000080,?,?,?,?), ref: 00442A83
SetRect.USER32(00000070,?,?,?,?), ref: 00442AC8
SetRect.USER32(00000060,?,?,?,?), ref: 00442B3B
GetSystemMetrics.USER32(00000001), ref: 00442B66
GetSystemMetrics.USER32(00000000), ref: 00442B6C
OffsetRect.USER32(00000080,00000000,00000000), ref: 00442B84
OffsetRect.USER32(00000080,00000000,00000000), ref: 00442B92
OffsetRect.USER32(00000080,00000000,00000000), ref: 00442BA4

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$Offset$ExtentMetricsPoint32SystemText$Window
String ID:
API String ID: 1551820068-0
Opcode ID: 9b1b75070c359752abfc581e54bf8ce2c68c067e639640637462b8b3ea684918
Instruction ID: 28797f9e3a3ba4b0bf582012105ec8d93f067c17edc9060daa6845c889502f4a
Opcode Fuzzy Hash: 9b1b75070c359752abfc581e54bf8ce2c68c067e639640637462b8b3ea684918
Instruction Fuzzy Hash: B0912671200B059FD328CF29C985A6AF7E6FF88710F448A2DA99AC7754EB74FC058B54

Function 00434B80 Relevance: 16.7, APIs: 11, Instructions: 185windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00434BAE
FillRect.USER32(?,?,00000000), ref: 00434C0E
FillRect.USER32(?,?,00000000), ref: 00434C7E

Part of subcall function 004780E1: __EH_prolog.LIBCMT ref: 004780E6
Part of subcall function 004780E1: CreateSolidBrush.GDI32(?), ref: 00478103

FillRect.USER32(?,?,00000000), ref: 00434CF5
CreateCompatibleDC.GDI32(?), ref: 00434D1D
SelectObject.GDI32(00000000,?), ref: 00434D33
SetStretchBltMode.GDI32(?,00000000), ref: 00434D65
StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00434D98
BitBlt.GDI32(?,00000000,?,?,?,00000000,00000000,00000000,00CC0020), ref: 00434DC3
SelectObject.GDI32(00000000,?), ref: 00434DCF
DeleteDC.GDI32(00000000), ref: 00434DDC

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$Fill$CreateObjectSelectStretch$BrushClientCompatibleDeleteH_prologModeSolid
String ID:
API String ID: 1645634290-0
Opcode ID: 918914f4a2a41eaeef932567b55c75b2219924ff28361cd063a752b413d02dfd
Instruction ID: 8bfd07817f4fcb2bd9df710c80809587db0eb4168bbd05e9446e04647d6dc126
Opcode Fuzzy Hash: 918914f4a2a41eaeef932567b55c75b2219924ff28361cd063a752b413d02dfd
Instruction Fuzzy Hash: 3A611A752057019FD764DF61C994FABB3E8AB88704F009A1EF95A83380DB38F905CB29

Function 0040CB80 Relevance: 16.7, APIs: 11, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetCurrentObject.GDI32(?,00000001), ref: 0040CBB9
GetCurrentObject.GDI32(?,00000002), ref: 0040CC03
GetCurrentObject.GDI32(?,00000006), ref: 0040CC4D
GetTextColor.GDI32(?), ref: 0040CC8C
GetBkMode.GDI32(?), ref: 0040CCB6
GetBkColor.GDI32(?), ref: 0040CCD5
GetBkMode.GDI32(?), ref: 0040CCF8
GetBkColor.GDI32(?), ref: 0040CD17
GetROP2.GDI32(?), ref: 0040CD3F
GetStretchBltMode.GDI32(?), ref: 0040CD60
GetPolyFillMode.GDI32(?), ref: 0040CD8C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Mode$ColorCurrentObject$FillPolyStretchText
String ID:
API String ID: 544274770-0
Opcode ID: 060a488ffee05343b83569cccd361ac8a96645330de28ab76d47bc019f3c6880
Instruction ID: f56b6998f22f5ff4a6008702b3646861877c2c4888b3fb6d4f5280ec4520e341
Opcode Fuzzy Hash: 060a488ffee05343b83569cccd361ac8a96645330de28ab76d47bc019f3c6880
Instruction Fuzzy Hash: 38516131214A01DBC364DB74D8C9BABB3A5EF84701F144B2DE56FA72A0DB38B845CB58

Function 00432010 Relevance: 16.6, APIs: 11, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00477EE4: __EH_prolog.LIBCMT ref: 00477EE9
Part of subcall function 00477EE4: BeginPaint.USER32(?,?,?,?,00407489), ref: 00477F12

GetClientRect.USER32(?,?), ref: 0043204D
CreateCompatibleBitmap.GDI32 ref: 00432082
CreateCompatibleDC.GDI32(?), ref: 004320B2

Part of subcall function 00477625: SelectObject.GDI32(?,?), ref: 0047762D

PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 004320EA
GetObjectA.GDI32(00000000,00000018,?), ref: 00432105
CreateCompatibleDC.GDI32(?), ref: 00432110
SelectObject.GDI32(00000000,00000000), ref: 00432120
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00432143
SelectObject.GDI32(00000000,?), ref: 0043214F
DeleteDC.GDI32(00000000), ref: 00432152
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0043217B

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreateSelect$BeginBitmapClientDeleteH_prologPaintRect
String ID:
API String ID: 1593221388-0
Opcode ID: 88a8c695e7ba364bb4d8ee4c802b7b88cbcf5bde873c1c54ad3ae0717262bcef
Instruction ID: 78bb33abe2f6c9293a47632c75bcdce08ace21a08d97a7278a116a874ad7c2c7
Opcode Fuzzy Hash: 88a8c695e7ba364bb4d8ee4c802b7b88cbcf5bde873c1c54ad3ae0717262bcef
Instruction Fuzzy Hash: 9B514E71208345AFD350DF68DD45F6BBBE8FB89714F00892DB69983281D778A808CB66

Function 0041D5F0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 368windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 0041D76E
AppendMenuA.USER32(?,?,00000000,?), ref: 0041D8D1
AppendMenuA.USER32(?,00000000,00000000,?), ref: 0041D909
ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041D927
AppendMenuA.USER32(?,?,00000000,?), ref: 0041D985
ModifyMenuA.USER32(?,?,?,?,?), ref: 0041D9AA
AppendMenuA.USER32(?,?,?,?), ref: 0041D9F2
ModifyMenuA.USER32(?,?,?,?,?), ref: 0041DA17

Strings

\VO, xrefs: 0041D6A7

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Menu$Append$Modify$CreatePopup
String ID: \VO
API String ID: 3846898120-2422581269
Opcode ID: 7adc28b1710fc8a41cc65e696f079b137ac368db9a8b6c4c09e73b26be4c3303
Instruction ID: 41b9f8ab24a1f392eb3dda8ba37b7d2696395050bfb9249bb3349a573394b85b
Opcode Fuzzy Hash: 7adc28b1710fc8a41cc65e696f079b137ac368db9a8b6c4c09e73b26be4c3303
Instruction Fuzzy Hash: 92D199B1A043019BC714DF18C884A6BB7F4FF89714F04492EF99A97391E738AD44CB9A

Function 00465905 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00460DEB), ref: 00465920
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00460DEB), ref: 00465934
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00460DEB), ref: 00465960
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00460DEB), ref: 00465998
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00460DEB), ref: 004659BA
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00460DEB), ref: 004659D3
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00460DEB), ref: 004659E6
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00465A24

Strings

F, xrefs: 004659CE, 004659C0

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID: F
API String ID: 1823725401-3458207348
Opcode ID: 0bb270311abff756e3bee65d0a6dbd03f9842bf6a0a19154c91c5b834a9108d2
Instruction ID: 77d6de0c89d948db18753960ef0f55bf6c037abe9dd07b781a319983c7c7fc0f
Opcode Fuzzy Hash: 0bb270311abff756e3bee65d0a6dbd03f9842bf6a0a19154c91c5b834a9108d2
Instruction Fuzzy Hash: 1831D2F2515A56AFDB213BB49CC483FB69CEA55328F15062FF552C3200F6294C8987AB

Function 0046D1F2 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00465FF0,?,Microsoft Visual C++ Runtime Library,00012010,?,004DE994,?,004DE9E4,?,?,?,Runtime Error!Program: ), ref: 0046D204
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0046D21C
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0046D22D
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0046D23A

Strings

GetLastActivePopup, xrefs: 0046D22F
GetActiveWindow, xrefs: 0046D227
MessageBoxA, xrefs: 0046D216
user32.dll, xrefs: 0046D1FF
M, xrefs: 0046D260

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll$M
API String ID: 2238633743-1262693084
Opcode ID: b74d608f8057330dc438e58ffe9b4d9f0261e5985188d5f3b3a8d8d494876750
Instruction ID: 1732e1eb935fbe2e12e7279d807f1155cc478f5e4e51eab879eeeee0c37bf787
Opcode Fuzzy Hash: b74d608f8057330dc438e58ffe9b4d9f0261e5985188d5f3b3a8d8d494876750
Instruction Fuzzy Hash: 0C01D831F053419F8723AFF59C9496B3AE9EB58741310447BE501D32A2E6BCC848AB16

Function 0040C160 Relevance: 15.3, APIs: 10, Instructions: 316windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0040C19F
CreateCompatibleBitmap.GDI32 ref: 0040C1FB
CreateCompatibleDC.GDI32(?), ref: 0040C22B
CreateRectRgn.GDI32(00000000,00000000,00000001,?), ref: 0040C2C0
SetRect.USER32(?,00000000,00000000,00000001,?), ref: 0040C2E9

Part of subcall function 00408040: __ftol.LIBCMT ref: 00408165
Part of subcall function 00408040: __ftol.LIBCMT ref: 00408172

FillRgn.GDI32(?,?,?), ref: 0040C366
PatBlt.GDI32(?,00000000,00000000,00000001,?,00F00021), ref: 0040C3D9

Part of subcall function 00406250: GetSysColor.USER32(0000000F), ref: 0040625D

Part of subcall function 004780E1: __EH_prolog.LIBCMT ref: 004780E6
Part of subcall function 004780E1: CreateSolidBrush.GDI32(?), ref: 00478103

GetObjectA.GDI32(?,00000018,?), ref: 0040C455
CreateCompatibleDC.GDI32(?), ref: 0040C493
BitBlt.GDI32(?,00000000,00000000,00000001,?,?,00000000,00000000,00CC0020), ref: 0040C4F2

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Create$CompatibleRect$__ftol$BitmapBrushClientColorFillH_prologObjectSolid
String ID:
API String ID: 2289681609-0
Opcode ID: 0cf4d6650ae559a525979e121d651c54641c0ea3ce0c4c9238f69ea19614ac3c
Instruction ID: d9dc6bfa404ec283bb3f5efa404aa69a93ced87f6cc69ea1882fcf85c48e1e1b
Opcode Fuzzy Hash: 0cf4d6650ae559a525979e121d651c54641c0ea3ce0c4c9238f69ea19614ac3c
Instruction Fuzzy Hash: CFC18271108741DFD720DB65C885BAFB7E8AF94744F008A2EF58AD3291DB78E908CB56

Function 0041CB70 Relevance: 15.3, APIs: 10, Instructions: 288COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(00FFFFFF), ref: 0041CCCF
GetWindowRect.USER32(?), ref: 0041CCF9
GetStockObject.GDI32(00000005), ref: 0041CD27
LoadCursorA.USER32(00000000,00007F00), ref: 0041CD35
GetWindowRect.USER32(?,?), ref: 0041CDA3
GetWindowRect.USER32(?,?), ref: 0041CDB4
GetWindowRect.USER32(?,?), ref: 0041CDC9
GetSystemMetrics.USER32(00000001), ref: 0041CDDF
GetWindowRect.USER32(?,?), ref: 0041CE6A
OffsetRect.USER32(?,00000000,00000001), ref: 0041CE84

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$Window$BrushCreateCursorLoadMetricsObjectOffsetSolidStockSystem
String ID:
API String ID: 3805611468-0
Opcode ID: fb3d6a6c6288458d8244ab5b7a05636bbd2df6641ee68d291c6c617b6e4c8abc
Instruction ID: 803f87606d9fe9649e4c4e69c22c8766caa075d75a0e823ccc29d29396558258
Opcode Fuzzy Hash: fb3d6a6c6288458d8244ab5b7a05636bbd2df6641ee68d291c6c617b6e4c8abc
Instruction Fuzzy Hash: BAA1A370644701AFD714DF65CC86FABB7E5AB84708F00891EF15A8B381EBB8E845CB59

Function 0040BD50 Relevance: 15.2, APIs: 10, Instructions: 198windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00477EE4: __EH_prolog.LIBCMT ref: 00477EE9
Part of subcall function 00477EE4: BeginPaint.USER32(?,?,?,?,00407489), ref: 00477F12

Part of subcall function 00477A95: GetClipBox.GDI32(?,?), ref: 00477A9C

GetClientRect.USER32(?,?), ref: 0040BD9E
IntersectRect.USER32(?,?,?), ref: 0040BDB6
IsRectEmpty.USER32(?), ref: 0040BDE6
GetObjectA.GDI32(?,00000018,?), ref: 0040BE1D
CreateCompatibleDC.GDI32(?), ref: 0040BE43
IntersectRect.USER32(?,?,?), ref: 0040BE98
IsRectEmpty.USER32(?), ref: 0040BEA3
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 0040BEE1
DPtoLP.GDI32(?,?,00000002), ref: 0040BF66
IsWindow.USER32(?), ref: 0040BFC8

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$EmptyIntersect$BeginClientClipCompatibleCreateH_prologObjectPaintWindow
String ID:
API String ID: 29348440-0
Opcode ID: e5685499fd7be07a9382c211cbe279cdece9712ed44dc58c37c8789e33f450ae
Instruction ID: cf43214bafb45d94c1aa6ea71f1c1c29fba0dc3f46401f9cd21b41b1fd4eae19
Opcode Fuzzy Hash: e5685499fd7be07a9382c211cbe279cdece9712ed44dc58c37c8789e33f450ae
Instruction Fuzzy Hash: DE811BB15087459FC324DF65C984AABB7E9FBC8704F008E2EF5AA93250D734E909CB56

Function 0041B420 Relevance: 15.2, APIs: 10, Instructions: 179COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0041B43D
GetWindowRect.USER32(?,?), ref: 0041B44C
IntersectRect.USER32(?,?,?), ref: 0041B4A5
EqualRect.USER32(?,?), ref: 0041B4D5
GetWindowRect.USER32(?,?), ref: 0041B4F3
OffsetRect.USER32(?,?,?), ref: 0041B56A
OffsetRect.USER32(?,?,00000000), ref: 0041B584
OffsetRect.USER32(?,?,00000000), ref: 0041B59C
OffsetRect.USER32(?,00000000,?), ref: 0041B5B6
OffsetRect.USER32(?,00000000,?), ref: 0041B5CE

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$Offset$Window$EqualIntersect
String ID:
API String ID: 2638238157-0
Opcode ID: b38d366e6dc3e0b5e9b345bb912f878da2ef6194c70035683dc9467c9e11fd05
Instruction ID: 760dd8cc131c464b768c9a8ae481bc2979dfdb08d40de6f5a4564263118fbbad
Opcode Fuzzy Hash: b38d366e6dc3e0b5e9b345bb912f878da2ef6194c70035683dc9467c9e11fd05
Instruction Fuzzy Hash: E751FB71618305AFC708CF29C98096BB7EAEBC8748F404A2EF985D3354D774ED458B92

Function 00432AA0 Relevance: 15.1, APIs: 10, Instructions: 86COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000002E), ref: 00432AB1
GetSystemMetrics.USER32(0000002D), ref: 00432AB7
GetSystemMetrics.USER32(0000000A), ref: 00432ABD
GetSystemMetrics.USER32(0000000A), ref: 00432AC8
GetSystemMetrics.USER32(00000009), ref: 00432AD6
GetSystemMetrics.USER32(00000009), ref: 00432AE2
GetWindowRect.USER32(?,?), ref: 00432B07
GetParent.USER32(?), ref: 00432B0D
GetWindowRect.USER32(?,00000000), ref: 00432B32
SetRect.USER32(?,?,00000000,?,?), ref: 00432B64

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MetricsSystem$Rect$Window$Parent
String ID:
API String ID: 3457858938-0
Opcode ID: 9d29aca0cbf1ed0b7cfb3df4bf34e3f24dc60c30c11b750d1ee14dc00aa7f24d
Instruction ID: 29d3d84f2ecd3a8ad3efdd76a75e3d8ef39b1c8232df174fe1973e8c6299897d
Opcode Fuzzy Hash: 9d29aca0cbf1ed0b7cfb3df4bf34e3f24dc60c30c11b750d1ee14dc00aa7f24d
Instruction Fuzzy Hash: 34218071A043056FC704EF68DD5496F77A9EBC8700F00492EB905D7280DBB4E8098BA6

Function 004418B0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 260windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004418DD
GetParent.USER32(?), ref: 004418E9
GetClientRect.USER32(?,?), ref: 004418FA

Part of subcall function 00477C26: ClientToScreen.USER32(00406A88,?), ref: 00477C3A
Part of subcall function 00477C26: ClientToScreen.USER32(00406A88,?), ref: 00477C43

GetParent.USER32(?), ref: 0044190C

Part of subcall function 00477BEA: ScreenToClient.USER32(?,00000000), ref: 00477BFE
Part of subcall function 00477BEA: ScreenToClient.USER32(?,00000008), ref: 00477C07

Part of subcall function 00477D7C: __EH_prolog.LIBCMT ref: 00477D81
Part of subcall function 00477D7C: GetDC.USER32(00000000), ref: 00477DAA

SendMessageA.USER32 ref: 0044193F

Part of subcall function 00477678: SelectObject.GDI32(?,00000000), ref: 0047769A
Part of subcall function 00477678: SelectObject.GDI32(?,?), ref: 004776B0

GetTextExtentPoint32A.GDI32(?,004F3148,00000001,?), ref: 0044196C
EqualRect.USER32(?,?), ref: 00441B2A

Strings

\VO, xrefs: 004419A0

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Client$Screen$Rect$ObjectParentSelect$EqualExtentH_prologMessagePoint32SendText
String ID: \VO
API String ID: 98060165-2422581269
Opcode ID: 9232f7fdc10d9f3cbcba3a39adae1181087138357b70c91d8f2144c0fc5dac1a
Instruction ID: 0a689c952e120c5e5f034a0976c3542a09c42ed92759d1887ccdf6d6dcbb7ad4
Opcode Fuzzy Hash: 9232f7fdc10d9f3cbcba3a39adae1181087138357b70c91d8f2144c0fc5dac1a
Instruction Fuzzy Hash: 1E91A1712083419FD718CF29C981A6BB7E5EBC8704F108A2EF586D3361D778E949CB5A

Function 00465ECC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00465F39
GetStdHandle.KERNEL32(000000F4,004DE994,00000000,00000000,00000000,?), ref: 0046600F
WriteFile.KERNEL32(00000000), ref: 00466016

Strings

Runtime Error!Program: , xrefs: 00465F9F
<program name unknown>, xrefs: 00465F49
..., xrefs: 00465F8B
Microsoft Visual C++ Runtime Library, xrefs: 00465FE5
hjO, xrefs: 00465EE7

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $hjO
API String ID: 3784150691-4007570488
Opcode ID: 015ef7d03db599dd83144b082588e9cb5e0da7faf4dd95da55a30e064c1a791a
Instruction ID: d1721224242d0791b5ccfd7e497cebd5367fbc419222c99c78898237f8552075
Opcode Fuzzy Hash: 015ef7d03db599dd83144b082588e9cb5e0da7faf4dd95da55a30e064c1a791a
Instruction Fuzzy Hash: 2931D572A01218AFDF20EB61CC46FAE736CEB45314F5005ABF544E6140FAB9DA858B5F

Function 0047728A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 004772A6
GetStockObject.GDI32(0000000D), ref: 004772AE
GetObjectA.GDI32(00000000,0000003C,?), ref: 004772BB
GetDC.USER32(00000000), ref: 004772CA
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004772E1
MulDiv.KERNEL32(?,00000048,00000000), ref: 004772ED
ReleaseDC.USER32(00000000,00000000), ref: 004772F8

Strings

System, xrefs: 0047729F, 0047730E

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 149c52793a063d85d281444012ef68c30f6264c7b16a6ba80e424fbf49e69a92
Instruction ID: ec98fbbbb0dfed13fdc92685394b9affedb8c907199883e60f7ad9283d9da613
Opcode Fuzzy Hash: 149c52793a063d85d281444012ef68c30f6264c7b16a6ba80e424fbf49e69a92
Instruction Fuzzy Hash: 1911C631A40308BBEB009BA1DC05FEE3BB8EB05740F50802AFA05E62C1D7749D05C7A8

Function 004751C0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,004754BA,?,00020000), ref: 004751C9
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 004751D2
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004751E6
#17.COMCTL32 ref: 00475201
#17.COMCTL32 ref: 0047521D
FreeLibrary.KERNEL32(00000000), ref: 00475229

Strings

InitCommonControlsEx, xrefs: 004751DE
COMCTL32.DLL, xrefs: 004751C2, 004751C8, 004751CF

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: 2b73516f9e04ee7b4116f50fc91c6c333e4e1d95da40135abc86590f7ad113a0
Instruction ID: 4c93ed9099af66e705174bc364a963ca8e4e62f59a7bc6e128bb3eb90552106f
Opcode Fuzzy Hash: 2b73516f9e04ee7b4116f50fc91c6c333e4e1d95da40135abc86590f7ad113a0
Instruction Fuzzy Hash: 7DF02836B10B124B97515FA4BD48A4F72A8AFD47627064C7AFC08E3300CFA8CC094B6E

Function 0046DA32 Relevance: 13.7, APIs: 9, Instructions: 221COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,004DEC1C,00000001,004DEC1C,00000001,00000000,022D11EC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,00461473), ref: 0046DA70
CompareStringA.KERNEL32(00000000,00000000,004DEC18,00000001,004DEC18,00000001), ref: 0046DA8D
CompareStringA.KERNEL32(00450EB6,00000000,00000000,00000000,00461473,00000000,00000000,022D11EC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,00461473), ref: 0046DAEB
GetCPInfo.KERNEL32(00000000,00000000,00000000,022D11EC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,00461473,00000000), ref: 0046DB3C
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000), ref: 0046DBBB
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 0046DC1C
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 0046DC2F
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0046DC7B
CompareStringW.KERNEL32(00450EB6,00000000,00000000,00000000,?,00000000,?,00000000), ref: 0046DC93

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: 42812d67ef1b10b62b122f887d1dd52ab6adfdf2ce626779a95d8a6719fc57d0
Instruction ID: cb9aa4ba0de53d452a5d6d931f9f0216e6e5d7b90683e57ae25ae3208a61256b
Opcode Fuzzy Hash: 42812d67ef1b10b62b122f887d1dd52ab6adfdf2ce626779a95d8a6719fc57d0
Instruction Fuzzy Hash: 2471DE32E04249AFCF219F94CC859EF7BBAFB05710F11412BF911A6224E3399C51DB9A

Function 004297A0 Relevance: 13.7, APIs: 9, Instructions: 186COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 00429817
IsRectEmpty.USER32(?), ref: 00429822
GetClientRect.USER32(00000000,?), ref: 00429861
DPtoLP.GDI32(?,?,00000002), ref: 00429873
LPtoDP.GDI32(?,?,00000002), ref: 004298B0
CreateRectRgnIndirect.GDI32(?), ref: 004298C8
OffsetRect.USER32(?,?,?), ref: 004298ED
LPtoDP.GDI32(?,?,00000002), ref: 004298FF

Part of subcall function 00478091: __EH_prolog.LIBCMT ref: 00478096
Part of subcall function 00478091: CreatePen.GDI32(?,?,?), ref: 004780B9

Part of subcall function 00477678: SelectObject.GDI32(?,00000000), ref: 0047769A
Part of subcall function 00477678: SelectObject.GDI32(?,?), ref: 004776B0

Part of subcall function 0047763C: GetStockObject.GDI32(?), ref: 00477645
Part of subcall function 0047763C: SelectObject.GDI32(?,00000000), ref: 0047765F
Part of subcall function 0047763C: SelectObject.GDI32(?,00000000), ref: 0047766A

Part of subcall function 004777B0: SetROP2.GDI32(?,?), ref: 004777C9
Part of subcall function 004777B0: SetROP2.GDI32(?,?), ref: 004777D7

Rectangle.GDI32(?,?,?,?,?), ref: 00429973

Part of subcall function 00477AA5: SelectClipRgn.GDI32(?,00000000), ref: 00477AC7
Part of subcall function 00477AA5: SelectClipRgn.GDI32(?,?), ref: 00477ADD

Part of subcall function 0047807B: DeleteObject.GDI32(00000000), ref: 0047808A

Part of subcall function 00477DEE: __EH_prolog.LIBCMT ref: 00477DF3
Part of subcall function 00477DEE: ReleaseDC.USER32(?,00000000), ref: 00477E12

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ObjectSelect$Rect$ClipCreateH_prolog$ClientCopyDeleteEmptyIndirectOffsetRectangleReleaseStock
String ID:
API String ID: 2841338838-0
Opcode ID: caa191a6e2f65a09d863d2b014c6b394f877e05d945b05c44e1edf77ed6aaf19
Instruction ID: 00d4ae316839440419f5d556b773976aee0350f1fdff004517802abbc70b1bd1
Opcode Fuzzy Hash: caa191a6e2f65a09d863d2b014c6b394f877e05d945b05c44e1edf77ed6aaf19
Instruction Fuzzy Hash: CE615CB12087409FC314DF69D885E6BB7E9EFC8714F408A1DF59683291DB78E908CB56

Function 0041B1B0 Relevance: 13.6, APIs: 9, Instructions: 118COMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0041B1B6
ClientToScreen.USER32(?,?), ref: 0041B1F3
OffsetRect.USER32(?,?,?), ref: 0041B21C
GetParent.USER32(?), ref: 0041B222

Part of subcall function 00477BEA: ScreenToClient.USER32(?,00000000), ref: 00477BFE
Part of subcall function 00477BEA: ScreenToClient.USER32(?,00000008), ref: 00477C07

GetClientRect.USER32(?,?), ref: 0041B245
OffsetRect.USER32(?,?,00000000), ref: 0041B263
OffsetRect.USER32(?,?,00000000), ref: 0041B27B
OffsetRect.USER32(?,00000000,?), ref: 0041B299
OffsetRect.USER32(?,00000000,?), ref: 0041B2B9

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$Offset$Client$Screen$CaptureParent
String ID:
API String ID: 838496554-0
Opcode ID: b965dbb02c2fab110b49e3b4d55f999033a59b1a8a5cb64f0fd5743cfd8e9580
Instruction ID: f689bbbc356db07a37580ec23b9f2faee7da150ed85637c8f0b21fbf8769c6c7
Opcode Fuzzy Hash: b965dbb02c2fab110b49e3b4d55f999033a59b1a8a5cb64f0fd5743cfd8e9580
Instruction Fuzzy Hash: 6A41E6B5608301AFD718DF69D984D6FB7E9EBC8704F008A1DF985C3251DB74ED088A66

Function 0046F762 Relevance: 13.6, APIs: 9, Instructions: 80windowstringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,0000000C,?,?,0041CFF9,?,-00000001,00000000,?,?,?,004F0BD0), ref: 0046F76C
GetFocus.USER32 ref: 0046F787

Part of subcall function 00473302: UnhookWindowsHookEx.USER32(?), ref: 00473327

IsWindowEnabled.USER32(?), ref: 0046F7B0
EnableWindow.USER32(?,00000000), ref: 0046F7C2
GetOpenFileNameA.COMDLG32(?,?), ref: 0046F7ED
GetSaveFileNameA.COMDLG32(?,?), ref: 0046F7F4
EnableWindow.USER32(?,00000001), ref: 0046F80B
IsWindow.USER32(?), ref: 0046F811
SetFocus.USER32(?), ref: 0046F81F

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$EnableFileFocusName$EnabledHookOpenSaveUnhookWindowslstrlen
String ID:
API String ID: 3606897497-0
Opcode ID: 9f4b2208ab47776abf46190277f33575929c5c714d77e0e5705eaadd543611ad
Instruction ID: e352f8723ed710469a16f3f914ab69a754027901470806fa17429ddc2a37921e
Opcode Fuzzy Hash: 9f4b2208ab47776abf46190277f33575929c5c714d77e0e5705eaadd543611ad
Instruction Fuzzy Hash: 03218371210701AFD720AF72EC46B5B77D4EF40715F10483FF59186291EB79E849876A

Function 0041F1F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

SetRect.USER32(?,00000000,00000032,00000032,?), ref: 0041F2D9
OffsetRect.USER32(?,?,?), ref: 0041F2E6
IntersectRect.USER32(?,?,?), ref: 0041F302
IsRectEmpty.USER32(?), ref: 0041F30D
OffsetRect.USER32(?,?,?), ref: 0041F34A

Strings

`\A, xrefs: 0041F1F7
2, xrefs: 0041F296

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$Offset$EmptyIntersect
String ID: 2$`\A
API String ID: 765610062-1838255340
Opcode ID: bebef98721c078bd29f00fc75aaf2cee393377a285fa85bc06280d49842dbd68
Instruction ID: 93bdd1f3402a99630ecb035814579fbbec8ebc132cc835ca143157f893fb6f70
Opcode Fuzzy Hash: bebef98721c078bd29f00fc75aaf2cee393377a285fa85bc06280d49842dbd68
Instruction Fuzzy Hash: 366116752083419FC714CF69C8849ABBBE9FBC8314F148A2EF99987310D734E94ACB56

Function 0046C9C0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,004DEC1C,00000001,?,771AE860,0051AD08,?,?,004629ED,?,?,?,00000000,00000001), ref: 0046C9FF
GetStringTypeA.KERNEL32(00000000,00000001,004DEC18,00000001,?,?,004629ED,?,?,?,00000000,00000001), ref: 0046CA19
GetStringTypeA.KERNEL32(?,?,?,?,)F,771AE860,0051AD08,?,?,004629ED,?,?,?,00000000,00000001), ref: 0046CA4D
MultiByteToWideChar.KERNEL32(?,0051AD09,?,?,00000000,00000000,771AE860,0051AD08,?,?,004629ED,?,?,?,00000000,00000001), ref: 0046CA85
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,004629ED,?), ref: 0046CADB
GetStringTypeW.KERNEL32(?,?,00000000,)F,?,?,?,?,?,?,004629ED,?), ref: 0046CAED

Strings

)F, xrefs: 0046CAE5, 0046CA40

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: StringType$ByteCharMultiWide
String ID: )F
API String ID: 3852931651-1070133202
Opcode ID: a542520c38bd21c8488bf1e4737d8855976a3bab91e72be1a03ad7e195084f87
Instruction ID: a40e318d064908d24936ccf6da067316cf119d6ee3c494caa51772306089cb6e
Opcode Fuzzy Hash: a542520c38bd21c8488bf1e4737d8855976a3bab91e72be1a03ad7e195084f87
Instruction Fuzzy Hash: CC416B72600219AFCF21DF94CC85EFF7BB8EB18750F20442AF911E6250E3798954DBA6

Function 004244D0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93networkCOMMON

Download Yara Rule

APIs

accept.WS2_32 ref: 00424514

Strings

P, xrefs: 0042450C
%s:%d, xrefs: 0042458E

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: accept
String ID: %s:%d$P
API String ID: 3005279540-612342447
Opcode ID: 2142da63f02e74cbc3eecde08b87ef40ee9343fa0b223d14839971f07546babd
Instruction ID: d369be08a7afa1e247dea82d04a2a3b3b225294ab7dccc7a5d725fc1e84763a6
Opcode Fuzzy Hash: 2142da63f02e74cbc3eecde08b87ef40ee9343fa0b223d14839971f07546babd
Instruction Fuzzy Hash: 7F319571214A015FE310EB68EC98DBF73E8FFD0325F404B2EF591922D0E67499198B65

Function 0045D880 Relevance: 12.3, APIs: 8, Instructions: 306COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 0045DBD8
__ftol.LIBCMT ref: 0045DBF5
__ftol.LIBCMT ref: 0045DC11
__ftol.LIBCMT ref: 0045DC2B
__ftol.LIBCMT ref: 0045DC49
__ftol.LIBCMT ref: 0045DC67
__ftol.LIBCMT ref: 0045DC83
__ftol.LIBCMT ref: 0045DC9D

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: __ftol
String ID:
API String ID: 495808979-0
Opcode ID: a326dffd14074a7c44b8695449b7337403b16a9057f3b478ccea4b676442838b
Instruction ID: d66bac2e501cad5e88b8036816d486774d2a7132a89948915131701c3a20a8f2
Opcode Fuzzy Hash: a326dffd14074a7c44b8695449b7337403b16a9057f3b478ccea4b676442838b
Instruction Fuzzy Hash: BFD133B2909342DFD301AF21D08925ABFF0FFD5744FA60999E0D56626AE3318578CF86

Function 0041A210 Relevance: 12.2, APIs: 8, Instructions: 181windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00477EE4: __EH_prolog.LIBCMT ref: 00477EE9
Part of subcall function 00477EE4: BeginPaint.USER32(?,?,?,?,00407489), ref: 00477F12

Part of subcall function 00477A95: GetClipBox.GDI32(?,?), ref: 00477A9C

IsRectEmpty.USER32(?), ref: 0041A25D
GetSysColor.USER32(0000000F), ref: 0041A26E

Part of subcall function 004780E1: __EH_prolog.LIBCMT ref: 004780E6
Part of subcall function 004780E1: CreateSolidBrush.GDI32(?), ref: 00478103

Part of subcall function 00477678: SelectObject.GDI32(?,00000000), ref: 0047769A
Part of subcall function 00477678: SelectObject.GDI32(?,?), ref: 004776B0

PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0041A2B8
GetClientRect.USER32(?,?), ref: 0041A2D1
LoadBitmapA.USER32(?,?), ref: 0041A308
GetObjectA.GDI32(?,00000018,?), ref: 0041A357
CreateCompatibleDC.GDI32(?), ref: 0041A37D
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 0041A40F

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Object$CreateH_prologRectSelect$BeginBitmapBrushClientClipColorCompatibleEmptyLoadPaintSolid
String ID:
API String ID: 1390316934-0
Opcode ID: 4830e2f34cdc7cb464f192dd3328f15af2377adb3faa96b445f29857e5b436ad
Instruction ID: da5c8dc3e7b0601298c1433b8a577d220f0771ad75de7036a1bb814524562355
Opcode Fuzzy Hash: 4830e2f34cdc7cb464f192dd3328f15af2377adb3faa96b445f29857e5b436ad
Instruction Fuzzy Hash: 65615B711183819FD324DB68C955FABBBE8FBC4714F048A1DF19993281DB78A908CB62

Function 00440340 Relevance: 12.2, APIs: 8, Instructions: 162COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,00000058), ref: 00440358
GetDeviceCaps.GDI32(?,0000005A), ref: 00440361
GetDeviceCaps.GDI32(?,0000006E), ref: 00440372
GetDeviceCaps.GDI32(?,0000006F), ref: 0044038F
GetDeviceCaps.GDI32(?,00000070), ref: 004403A4
GetDeviceCaps.GDI32(?,00000071), ref: 004403B9
GetDeviceCaps.GDI32(?,00000008), ref: 004403CE
GetDeviceCaps.GDI32(?,0000000A), ref: 004403E3

Part of subcall function 00440120: __ftol.LIBCMT ref: 00440125

Part of subcall function 00440150: __ftol.LIBCMT ref: 00440155

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CapsDevice$__ftol
String ID:
API String ID: 1555043975-0
Opcode ID: 8398ba199c19d7dbc35e52de12665e09218da8f6fe5ba84e857d295fa2477440
Instruction ID: 637e0369b480934b6af01a5e202d36a4ecde455befc9a505ff508b8832f9b0ab
Opcode Fuzzy Hash: 8398ba199c19d7dbc35e52de12665e09218da8f6fe5ba84e857d295fa2477440
Instruction Fuzzy Hash: E9514571508704AFE300EF6ACC85A6FBBE4FFC9704F01495DF6949A290DB72D9248B96

Function 00431F30 Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 00432001

Part of subcall function 004757AE: IsWindowEnabled.USER32(?), ref: 004757B8

GetClientRect.USER32(?,?), ref: 00431F57
PtInRect.USER32(?,?,?), ref: 00431F6C
ClientToScreen.USER32(?,?), ref: 00431F7D
WindowFromPoint.USER32(?,?), ref: 00431F8D
ReleaseCapture.USER32 ref: 00431FA7
GetCapture.USER32 ref: 00431FC1
SetCapture.USER32(?), ref: 00431FCC

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Capture$ClientRectReleaseWindow$EnabledFromPointScreen
String ID:
API String ID: 3076215760-0
Opcode ID: 7e9896b394843612b1968a0b7f4d3827953597b8dd302301f63c9e221ebc70f0
Instruction ID: dc0a319ab2e6945f2799512b4cbe48e619e58efb27e3d34379d4af36321b770c
Opcode Fuzzy Hash: 7e9896b394843612b1968a0b7f4d3827953597b8dd302301f63c9e221ebc70f0
Instruction Fuzzy Hash: 8721C8362006009BD354EB19DD49E7FB3A4AFC8718F04891EF98582251E779D9098B69

Function 00475BBA Relevance: 12.1, APIs: 8, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 00475BDA
lstrcmpA.KERNEL32(?,?), ref: 00475BE6
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 00475BF8
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00475C1B
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00475C23
GlobalLock.KERNEL32(00000000), ref: 00475C30
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00475C3D
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00475C5B

Part of subcall function 00478A43: GlobalFlags.KERNEL32(?), ref: 00478A4D
Part of subcall function 00478A43: GlobalUnlock.KERNEL32(?), ref: 00478A64
Part of subcall function 00478A43: GlobalFree.KERNEL32(?), ref: 00478A6F

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 614a3771396ca027813b1ada3edd4e39c187baaea604c8f59b4880b3471a74f5
Instruction ID: 147156600c64acad9190a60fb3f4e236369b3fe309035edf499b2925844bf02d
Opcode Fuzzy Hash: 614a3771396ca027813b1ada3edd4e39c187baaea604c8f59b4880b3471a74f5
Instruction Fuzzy Hash: 63110A72500204BEEB225B76CC4EEAF7ABDEF84740F00442EFA0CD5122D679CE449764

Function 00409F00 Relevance: 12.1, APIs: 8, Instructions: 55COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00409F1C
PtInRect.USER32(?,?,?), ref: 00409F31
ReleaseCapture.USER32 ref: 00409F41
InvalidateRect.USER32(?,00000000,00000000), ref: 00409F4F
GetCapture.USER32 ref: 00409F5F
SetCapture.USER32(?), ref: 00409F6A
InvalidateRect.USER32(?,00000000,00000000), ref: 00409F8B
SetCapture.USER32(?), ref: 00409F95

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CaptureRect$Invalidate$ClientRelease
String ID:
API String ID: 3559558096-0
Opcode ID: 6af7c6e2e8e9f1cf88adfb5836a79072d1160a7217a5140ed7a157fc157bc9c2
Instruction ID: 516b7efc7bc45a93edc4f1acf5a4a97732390063b087b06aadc7179c5d672c83
Opcode Fuzzy Hash: 6af7c6e2e8e9f1cf88adfb5836a79072d1160a7217a5140ed7a157fc157bc9c2
Instruction Fuzzy Hash: 5C115E725507119FD3A0AB74DC48F9B77A8BF84B04F008D2EF686D3251D735E8088B58

Function 004130C0 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 359COMMON

Download Yara Rule

Strings

`\A, xrefs: 004134F7

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: `\A
API String ID: 2111968516-2688774508
Opcode ID: 1ee4e53543f775949fd2a4fdfc21ef5bb4f43ddb9cea6d4271e965e6cc315ff9
Instruction ID: 2feeacdd23fd66dcc309e48e132a7301f69564b4ff9871eb4d32aea763b38161
Opcode Fuzzy Hash: 1ee4e53543f775949fd2a4fdfc21ef5bb4f43ddb9cea6d4271e965e6cc315ff9
Instruction Fuzzy Hash: BFC182B1604201AFC311DF24C881DABB7F8EF99359F14492EF84697352E738EA458B96

Function 0040E0C0 Relevance: 10.8, APIs: 7, Instructions: 268windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0040E0FD
GetParent.USER32(?), ref: 0040E10F
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 0040E137
GetWindowRect.USER32(?,?), ref: 0040E1C1
InvalidateRect.USER32(?,?,00000001,?), ref: 0040E1E4
GetWindowRect.USER32(?,?), ref: 0040E3AC
InvalidateRect.USER32(?,?,00000001,?), ref: 0040E3CD

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$Window$Invalidate$MessageParentSend
String ID:
API String ID: 236041146-0
Opcode ID: 43c05b95eb46b15a430d16c57c654c819bb8eac372cd35a1bc0d2d0177836efd
Instruction ID: 70010f276b0e887eca2c70af41afaca73210653075d065733503dbcd81dc86ae
Opcode Fuzzy Hash: 43c05b95eb46b15a430d16c57c654c819bb8eac372cd35a1bc0d2d0177836efd
Instruction Fuzzy Hash: DC91C1716043059BC724EF26C841F6B77E8AF84718F05092EFD45AB3C2EB78E9158B99

Function 00418EE0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 196windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00418FBC
SendMessageA.USER32(?,00008003,00000000,00000000), ref: 00418FD3
GetWindowRect.USER32(?,00000000), ref: 00419025
GetClientRect.USER32(?,00000000), ref: 0041907D
GetWindowRect.USER32(?,00000000), ref: 004190A1

Strings

`\A, xrefs: 004190F1

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: RectWindow$ClientMessageSend
String ID: `\A
API String ID: 1071774122-2688774508
Opcode ID: ef40a2772205d8e7eaddef1016916fdd3baee166a5687fcfa59401985cf78a8c
Instruction ID: bedbf196f3d918205e6dc890d020f63c6bdb76d8da2aa9b8b0d6ed37f319dbba
Opcode Fuzzy Hash: ef40a2772205d8e7eaddef1016916fdd3baee166a5687fcfa59401985cf78a8c
Instruction Fuzzy Hash: 8161A2716043019FC710DF25C894AAFBBE9EB88758F044A1EF98597381DA38ED45CB9A

Function 00479ACE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000019F,00000000,00000000), ref: 00479AF2
GetParent.USER32(?), ref: 00479AF9

Part of subcall function 00475650: GetWindowLongA.USER32(?,000000F0), ref: 0047565C

SendMessageA.USER32(?,00000187,00000000,00000000), ref: 00479B4C
SendMessageA.USER32(0000AC84,00000111,?,?), ref: 00479B9D
SendMessageA.USER32(?,00000185,00000000,00000000), ref: 00479C28

Strings

, xrefs: 00479ACF

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend$LongParentWindow
String ID:
API String ID: 779260966-3916222277
Opcode ID: 162512ddf52b2d8149e98fb81116fe1752bc9684ec8ebd339e1184488911490a
Instruction ID: 338a8654d10beba46d9567e6a8d449294bb87e5d8f9a95ba3f87454236f9dc81
Opcode Fuzzy Hash: 162512ddf52b2d8149e98fb81116fe1752bc9684ec8ebd339e1184488911490a
Instruction Fuzzy Hash: 2931E9702147186FCE357A768C41DAF76DDEB84748B118D2FF54AC6281DA69EC02867C

Function 00474FF5 Relevance: 10.6, APIs: 7, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00475029
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00475052
UpdateWindow.USER32(?), ref: 0047506E
SendMessageA.USER32(?,00000121,00000000,?), ref: 00475094
SendMessageA.USER32(?,0000036A,00000000,00000001), ref: 004750B3
UpdateWindow.USER32(?), ref: 004750F6
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00475129

Part of subcall function 00475650: GetWindowLongA.USER32(?,000000F0), ref: 0047565C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 7ce95249318132969f36d30b51cb4f0e1d81c5b3354556473b0bf40dad3bc79b
Instruction ID: 6b816d86cdd16ea2b03b84f516d5dd31e0ed865554088fdffa6929d89306dfa6
Opcode Fuzzy Hash: 7ce95249318132969f36d30b51cb4f0e1d81c5b3354556473b0bf40dad3bc79b
Instruction Fuzzy Hash: 1541C530604B819FD730DF259C48E9FBAE4EFC1B04F10891EF5898A251CBB9D945CB9A

Function 0041B610 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 99COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041B69D
wsprintfA.USER32 ref: 0041B6B9

Strings

?? / %d], xrefs: 0041B6B3
%d / %d], xrefs: 0041B697
- [, xrefs: 0041B638
\VO, xrefs: 0041B6FC
- , xrefs: 0041B6E4

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: - $ - [$%d / %d]$?? / %d]$\VO
API String ID: 2111968516-1963051370
Opcode ID: bc8311b896f07ec52dccd00fd9849e7cb164e431f183439c226d552b68b28405
Instruction ID: a1e8c6bfc7a438e738839362478429af709fd75956f218e17927240221d64be9
Opcode Fuzzy Hash: bc8311b896f07ec52dccd00fd9849e7cb164e431f183439c226d552b68b28405
Instruction Fuzzy Hash: 9D314D74204701AFC314DB29C991FEBB7E4EF94714F10C91EF49A872A1EB78A844CB96

Function 0047981F Relevance: 10.6, APIs: 7, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047AE3D: __EH_prolog.LIBCMT ref: 0047AE42

Part of subcall function 00475650: GetWindowLongA.USER32(?,000000F0), ref: 0047565C

SendMessageA.USER32(?,000001A1,00000000,00000000), ref: 00479868
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 00479877
SendMessageA.USER32(?,0000018E,00000000,00000000), ref: 00479890
SendMessageA.USER32(?,0000018E,00000000,00000000), ref: 004798B8
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 004798C7
SendMessageA.USER32(?,00000198,?,?), ref: 004798DD
PtInRect.USER32(?,000000FF,?), ref: 004798E9

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend$H_prologLongRectWindow
String ID:
API String ID: 2846605207-0
Opcode ID: 2bd39d2c5f3ec6d9bb8cbf5bf0bd66aa2124f6a6b3463d4e701ae12013792b18
Instruction ID: d63d5e1490857601e22bfdde95a2a15f68158ab6853eac25c4717fe93cc63861
Opcode Fuzzy Hash: 2bd39d2c5f3ec6d9bb8cbf5bf0bd66aa2124f6a6b3463d4e701ae12013792b18
Instruction Fuzzy Hash: 88316AB0A0020CFFDB10DF98CC80DEEB7B9EF45318B11846AE516A72A1D774AE129F14

Function 0045FD20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,00000000,?,0045F087,?,00000210), ref: 0045FD3F
WriteFile.KERNEL32(00000000,?,0000000E,?,00000000,?), ref: 0045FDA6
WriteFile.KERNEL32(00000000,?,?,0000000E,00000000,?), ref: 0045FDDC
CloseHandle.KERNEL32(00000000), ref: 0045FDF1
CloseHandle.KERNEL32(00000000), ref: 0045FE07

Strings

BM, xrefs: 0045FD57

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: File$CloseHandleWrite$Create
String ID: BM
API String ID: 2874586052-2348483157
Opcode ID: df60151c3438061c4b531414e37397bb17dcee89a719ea7e86594321528e7c34
Instruction ID: 84575d10aac4443774a38c1c55ded729eb01556e44bc9fcbb81f7091afca414c
Opcode Fuzzy Hash: df60151c3438061c4b531414e37397bb17dcee89a719ea7e86594321528e7c34
Instruction Fuzzy Hash: 6821BF322043059BD320DB66CC45A6BB7DCEFC5354F04492EF995872A2EA34E80C87AA

Function 0046F83D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0046F842
GetParent.USER32(?), ref: 0046F87F
SendMessageA.USER32(?,00000464,00000104,00000000), ref: 0046F8A7
GetParent.USER32(?), ref: 0046F8D0
SendMessageA.USER32(?,00000465,00000104,00000000), ref: 0046F8ED

Strings

\VO, xrefs: 0046F86B

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageParentSend$H_prolog
String ID: \VO
API String ID: 1056721960-2422581269
Opcode ID: f088b6cfc480e49edcbb0b2362e2cc04d86a4ce240b5345642c9888ee93bcca4
Instruction ID: 18468bb8ba120c13cb89bc39a23ed3a3ea1ade1c322a80c161b177aec39f29f4
Opcode Fuzzy Hash: f088b6cfc480e49edcbb0b2362e2cc04d86a4ce240b5345642c9888ee93bcca4
Instruction Fuzzy Hash: 8A314370900216ABDB14EBA5DC55EEEB774FF10328F10852EF425A71E1EB389909CB59

Function 0047BB16 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 0047BB44
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 0047BB67
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 0047BB86
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0047BB96
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0047BBA0

Strings

software, xrefs: 0047BB2E

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: c25f4e89f3030bb1be845e48a609b697115ee6d8fbb6b6528055e0ea53569078
Instruction ID: c5fae3ce8684c3541d7db562a1300cd6bf032ff265fcf64221e4ca920f74098d
Opcode Fuzzy Hash: c25f4e89f3030bb1be845e48a609b697115ee6d8fbb6b6528055e0ea53569078
Instruction Fuzzy Hash: AB11F876D00118FBCB21DB96DC88EEFFFBCEF85744F1040AAA504A2121D3706A00DBA4

Function 004609DB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00460A19
GetSystemMetrics.USER32(00000000), ref: 00460A31
GetSystemMetrics.USER32(00000001), ref: 00460A38
lstrcpyA.KERNEL32(?,DISPLAY), ref: 00460A5C

Strings

DISPLAY, xrefs: 00460A56
B, xrefs: 004609FA

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: 92544a67865e79956c7191939567c3bf09aa611fb64778a5aa98bff9e6b92e81
Instruction ID: b6f3742cdbcad88fa81bf7298c33677bdfb62cc56253175d50272c966f63f57e
Opcode Fuzzy Hash: 92544a67865e79956c7191939567c3bf09aa611fb64778a5aa98bff9e6b92e81
Instruction Fuzzy Hash: 0211C672610324AFCF519F94CC8499BBFBCEF19791B004467FC059A246E2B5DA00CBAA

Function 0047731B Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00477327
GetSysColor.USER32(00000010), ref: 0047732E
GetSysColor.USER32(00000014), ref: 00477335
GetSysColor.USER32(00000012), ref: 0047733C
GetSysColor.USER32(00000006), ref: 00477343
GetSysColorBrush.USER32(0000000F), ref: 00477350
GetSysColorBrush.USER32(00000006), ref: 00477357

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: a58a2a3821aad9f9910b442f734b991c3eded8fc445f87b89ae9fa4e41de6ccd
Instruction ID: 2cef25cf44b60ece385b146d0e5ec3ecdf1b425a2ee51da4f0664f1fb60a5a4c
Opcode Fuzzy Hash: a58a2a3821aad9f9910b442f734b991c3eded8fc445f87b89ae9fa4e41de6ccd
Instruction Fuzzy Hash: 03F01C719407489BD770BFB29D49B4BBAE4FFC4B10F020D2ED2858BA90E6B5A401DF44

Function 00417A60 Relevance: 9.2, APIs: 6, Instructions: 176windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00417AB1
IsWindow.USER32(?), ref: 00417AC6
IsChild.USER32(?,?), ref: 00417AD7
SetFocus.USER32(?), ref: 00417AE8
IsWindow.USER32(?), ref: 00417BE0
IsWindowVisible.USER32(?), ref: 00417BEE

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$ChildFocusVisible
String ID:
API String ID: 372613587-0
Opcode ID: 8a6c0282328351e9b25e707ed2d1aa4fb2ef7b527566c208047451ddcb9d4f2f
Instruction ID: bb16c596b12c0e5cf22eae30f690d04a0f2ce5c153819b008815721780a8bb22
Opcode Fuzzy Hash: 8a6c0282328351e9b25e707ed2d1aa4fb2ef7b527566c208047451ddcb9d4f2f
Instruction Fuzzy Hash: C0517D716043059FC720EF25C880DABB3F8BF88348F05492EF9559B252DB78E9498BA5

Function 00433200 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0043322C

Part of subcall function 0047118B: InterlockedIncrement.KERNEL32(-000000F4), ref: 004711A0

OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0043325D
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 004332A5
DocumentPropertiesA.WINSPOOL.DRV(?,?,?,00000000,00000000,0000000E), ref: 0043333B
ClosePrinter.WINSPOOL.DRV(?,?,?,?,00000000,00000000,0000000E), ref: 00433370

Part of subcall function 00471416: InterlockedDecrement.KERNEL32(-000000F4), ref: 0047142A

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: DocumentInterlockedProperties$CloseDecrementIncrementMessageOpenPrinterPrinter.Send
String ID:
API String ID: 1978028495-0
Opcode ID: ec7068991d3905ac8eecc7db706bf64f1a5d2e5e45925eafd18774466bb0b679
Instruction ID: ca97010a144181708fe8c5cea391bc646fb274e62e1fb9885e8ea07893d214ba
Opcode Fuzzy Hash: ec7068991d3905ac8eecc7db706bf64f1a5d2e5e45925eafd18774466bb0b679
Instruction Fuzzy Hash: 574129B5104305ABC720DF25C881EEF77A9EF88764F404A1DF84987392D738D949CB6A

Function 00429A60 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 00429AA2
IsRectEmpty.USER32(?), ref: 00429AD3
OffsetRect.USER32(?,00000000,?), ref: 00429B23
LPtoDP.GDI32(?,?,00000002), ref: 00429B58
GetClientRect.USER32(?,?), ref: 00429B67
IntersectRect.USER32(?,?,?), ref: 00429B7C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$ClientCopyEmptyIntersectOffset
String ID:
API String ID: 1743551499-0
Opcode ID: 8e76b1244c17516a45adb06e627a0e922e1092a8ca7f8b4f87f46b9e9cdbf64c
Instruction ID: bd3a679f251095f51495ea2364d2c4c3797c8b53ddd4b3e5e36d2f2b9cec77fb
Opcode Fuzzy Hash: 8e76b1244c17516a45adb06e627a0e922e1092a8ca7f8b4f87f46b9e9cdbf64c
Instruction Fuzzy Hash: FC411AB66187019FC318CF69D88096BB7E9FBC8710F048A2EF956C7251DB74D909CB62

Function 0041F0B0 Relevance: 9.1, APIs: 6, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0041F020: CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 0041F09B

CreateCompatibleDC.GDI32(?), ref: 0041F10A
DeleteObject.GDI32(00000000), ref: 0041F11F

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Create$BitmapCompatibleDeleteObject
String ID:
API String ID: 3709961035-0
Opcode ID: 93a4151f8b778894cdd70d02ae2cf38c429d520ac03b6037c0b94f7b92ba3d2b
Instruction ID: 6f3f17f7978d440e063501b17b8c08c2bd89ab3fd6cea7901ec28b90cb460b2b
Opcode Fuzzy Hash: 93a4151f8b778894cdd70d02ae2cf38c429d520ac03b6037c0b94f7b92ba3d2b
Instruction Fuzzy Hash: BE3173762047409FC310DF69D984F5BB7E8FB89724F108A2EF55983381DB39E8098766

Function 0047ABB0 Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,0051A4BC,00000000,?,00000000,?,0047AE18,0051A4BC,00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2), ref: 0047ABBB
EnterCriticalSection.KERNEL32(0000001C,00000010,?,00000000,?,0047AE18,0051A4BC,00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2), ref: 0047AC0A
LeaveCriticalSection.KERNEL32(0000001C,00000000,?,00000000,?,0047AE18,0051A4BC,00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2), ref: 0047AC1D
LocalAlloc.KERNEL32(00000000,?,?,00000000,?,0047AE18,0051A4BC,00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2), ref: 0047AC33
LocalReAlloc.KERNEL32(?,?,00000002,?,00000000,?,0047AE18,0051A4BC,00000000,?,00000000,0047A82F,0047A12E,0047A84B,00476126,004773C2), ref: 0047AC45
TlsSetValue.KERNEL32(00000000,00000000), ref: 0047AC81

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 33a1f9ab3c87f1b1cd77c6540df78440d74931dab3cc581fb799a306892d302e
Instruction ID: 4ab6ae8ff67a6025013d40401f3715a3899d62dd382f0d20cb94c317050ee652
Opcode Fuzzy Hash: 33a1f9ab3c87f1b1cd77c6540df78440d74931dab3cc581fb799a306892d302e
Instruction Fuzzy Hash: 2131C271100605AFD724CF15C889FAAB7E8FF84364F00C92EE51AC7640E775E819CB5A

Function 00473B22 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00473B27
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00473B74
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00473B96
GetCapture.USER32 ref: 00473BA8
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00473BB7
WinHelpA.USER32(?,?,?,?), ref: 00473BCB

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend$CaptureH_prologHelp
String ID:
API String ID: 432264411-0
Opcode ID: 2806fd6ea49f7c3922771f4d03cc515cb6d0147371629576b819bbfa8f042c8e
Instruction ID: 6d5422c4d33b506628c1522f307ec8bf6054d7a9e0dd56f1c79e164d4f743655
Opcode Fuzzy Hash: 2806fd6ea49f7c3922771f4d03cc515cb6d0147371629576b819bbfa8f042c8e
Instruction Fuzzy Hash: 8521E571640208BFEB20AF61CC85FBE76B9EF44748F10862DF1199B1E2CB759D009B54

Function 00478FC7 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00478FFA
GetLastActivePopup.USER32(?), ref: 00479009
IsWindowEnabled.USER32(?), ref: 0047901E
EnableWindow.USER32(?,00000000), ref: 00479031
GetWindowLongA.USER32(?,000000F0), ref: 00479043
GetParent.USER32(?), ref: 00479051

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: fc03eead2d1831e5dcce7a925296d57d5bce9d5cc3706b5d3440cbb1e1f75017
Instruction ID: 306960c9b9f82c95336da914b788e918744c3fa3e8904266bdbb70e06c214a23
Opcode Fuzzy Hash: fc03eead2d1831e5dcce7a925296d57d5bce9d5cc3706b5d3440cbb1e1f75017
Instruction Fuzzy Hash: 4E11C6326613615796B15E695C44FAFB3AC9F55F51F05812EED08E3300DB28CC0183ED

Function 0042C730 Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0042C752
ScreenToClient.USER32(00000001,?), ref: 0042C761

Part of subcall function 0042C7E0: DPtoLP.GDI32(?,?,00000001), ref: 0042C8F7

LoadCursorA.USER32(00000000,00007F85), ref: 0042C791
SetCursor.USER32(00000000), ref: 0042C798
LoadCursorA.USER32(00000000,00007F84), ref: 0042C7B7
SetCursor.USER32(00000000), ref: 0042C7BE

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Cursor$Load$ClientScreen
String ID:
API String ID: 789353160-0
Opcode ID: ada83e27c1795162a8ff2465344e1172f93ec26adbb87773cfa476b482060837
Instruction ID: 2a9546ff0cf2e49e0f60108d2f32204b8a95b6a530c96c48dcdfbe8ef4dfb3c8
Opcode Fuzzy Hash: ada83e27c1795162a8ff2465344e1172f93ec26adbb87773cfa476b482060837
Instruction Fuzzy Hash: EA11A535654312ABC650DB64EC89E9F73A8AF94F15F00492EF546C6280EB74D90CCBB7

Function 004099D0 Relevance: 9.1, APIs: 6, Instructions: 54windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000002,?), ref: 004099EB
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 004099FD
SendMessageA.USER32(?,0000110A,00000002,?), ref: 00409A0B
SendMessageA.USER32(?,0000110A,00000001,?), ref: 00409A1D
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 00409A2F
SendMessageA.USER32(?,0000110A,00000001,?), ref: 00409A3D

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 133d26b22a3130ff4542d3e0f48d2eea80f351cc3097cbdf2f7af533ed5693d0
Instruction ID: ee0772fc05c6400be0ad4b1873380546aecd196e175bd684b20db392d3a28ec2
Opcode Fuzzy Hash: 133d26b22a3130ff4542d3e0f48d2eea80f351cc3097cbdf2f7af533ed5693d0
Instruction Fuzzy Hash: D00186B27503057EF534DA699CC2FA7A2AD9F98B51F008619B701EB2C0C5F5EC414B70

Function 004789CC Relevance: 9.0, APIs: 6, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 004789CF

Part of subcall function 00478871: GetWindowLongA.USER32(00000000,000000F0), ref: 00478882

GetParent.USER32(00000000), ref: 004789F6

Part of subcall function 00478871: GetClassNameA.USER32(00000000,?,0000000A), ref: 0047889D
Part of subcall function 00478871: lstrcmpiA.KERNEL32(?,combobox), ref: 004788AC

GetWindowLongA.USER32(?,000000F0), ref: 00478A11
GetParent.USER32(?), ref: 00478A1F
GetDesktopWindow.USER32 ref: 00478A23
SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 00478A37

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
String ID:
API String ID: 2818563221-0
Opcode ID: a43a6b71186a3a17e73452defbb75b076c179080453ec623488e5ead03ab6071
Instruction ID: d7f564f3d80e53fff4acdfd6527964d116c44dd12120e1f5e749313b05157627
Opcode Fuzzy Hash: a43a6b71186a3a17e73452defbb75b076c179080453ec623488e5ead03ab6071
Instruction Fuzzy Hash: F1F0A4326C0621A7D232A6255C8CFEF6258AF81F90F15852FF919A73D0DF18DC0146BD

Function 004788E6 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004788F5
GetWindow.USER32(?,00000005), ref: 00478906
GetDlgCtrlID.USER32(00000000), ref: 0047890F
GetWindowLongA.USER32(00000000,000000F0), ref: 0047891E
GetWindowRect.USER32(00000000,?), ref: 00478930
PtInRect.USER32(?,?,?), ref: 00478940

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: db058719d9ae77dfdaa6f857061e08932f6f5a30abbac4ac40eaf5082ea10b3b
Instruction ID: b82978f4404474fd73478a6bbead52f5e023de98caa434e5583676361a84388b
Opcode Fuzzy Hash: db058719d9ae77dfdaa6f857061e08932f6f5a30abbac4ac40eaf5082ea10b3b
Instruction Fuzzy Hash: 8C0171B218011AABDB115B549C0CEFF3768EF05B10F048839FA19A11A0EB3499169799

Function 0040A1F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00477EE4: __EH_prolog.LIBCMT ref: 00477EE9
Part of subcall function 00477EE4: BeginPaint.USER32(?,?,?,?,00407489), ref: 00477F12

Part of subcall function 00477A95: GetClipBox.GDI32(?,?), ref: 00477A9C

IsRectEmpty.USER32(?), ref: 0040A236
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0040A2BD
GetCurrentObject.GDI32(?,00000006), ref: 0040A34A
GetClientRect.USER32(?,?), ref: 0040A3BC

Part of subcall function 00477F56: __EH_prolog.LIBCMT ref: 00477F5B
Part of subcall function 00477F56: EndPaint.USER32(?,?,?,?,00407503), ref: 00477F78

Strings

\VO, xrefs: 0040A2CD

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: H_prologPaintRect$BeginClientClipCurrentEmptyObject
String ID: \VO
API String ID: 3717962522-2422581269
Opcode ID: cfe7148ca181c22940f6768df8a20795e4e9d604ed636a32b2c3e9ca6d84ceb7
Instruction ID: 474253ae1ef768a4ae09072bc2a0d7472f43f811c21447b85e6cebe019d57f94
Opcode Fuzzy Hash: cfe7148ca181c22940f6768df8a20795e4e9d604ed636a32b2c3e9ca6d84ceb7
Instruction Fuzzy Hash: 8C617C711083419FC324EF25C855FABB7E8EB98714F40892EF59A83291DB78E909CB57

Function 00434550 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 150windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004345B9
SendMessageA.USER32(?,00000111,?,?), ref: 00434679

Strings

xbP, xrefs: 004346A9
xbP, xrefs: 00434663
xbP, xrefs: 00434624

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSendWindow
String ID: xbP$xbP$xbP
API String ID: 701072176-513826123
Opcode ID: 465348d3c645543bc299fd9dbeb98de5cc56cbca78e8fdd467b59b9e346e0f31
Instruction ID: 2a2e48c1518b9720d4ad33c11a777d444eb5be4864d24ece92a9eea03154ccb5
Opcode Fuzzy Hash: 465348d3c645543bc299fd9dbeb98de5cc56cbca78e8fdd467b59b9e346e0f31
Instruction Fuzzy Hash: 2441E5367002015BDB149E2A9C81BFF73A4EBCA324F54513FF904C6381D66DEC498766

Function 00465CEE Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00465D0D
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00465D42
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00465DA2

Strings

__MSVCRT_HEAP_SELECT, xrefs: 00465D3D
__GLOBAL_HEAP_SELECTED, xrefs: 00465D7C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: ea07d74dff9601dd6729374ec5c162a70e4d5f69d43cc85151fc0c291c61e57b
Instruction ID: 5e41485a9fb421a23fc31160a342d5255a634354a085955b2d94d7803e309790
Opcode Fuzzy Hash: ea07d74dff9601dd6729374ec5c162a70e4d5f69d43cc85151fc0c291c61e57b
Instruction Fuzzy Hash: 003118719016486AEF3187749C59BDF37689B06304F5444DBD085D52C2F67D8E85CB1B

Function 0042D180 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0042D1F4
SendMessageA.USER32(?,000000B1,?,000000FF), ref: 0042D24D
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0042D25C
SendMessageA.USER32(?,000000C2,00000000,?), ref: 0042D28A

Strings

\VO, xrefs: 0042D215

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend$Window
String ID: \VO
API String ID: 2326795674-2422581269
Opcode ID: 49511954d75018c5e553bf4b8cc517f7588575ccd6593bf643b1d8cebfd6da8a
Instruction ID: 46cf872f3f66d90519b4ea261d8a0bc57440fdf0faf768798cba680202627916
Opcode Fuzzy Hash: 49511954d75018c5e553bf4b8cc517f7588575ccd6593bf643b1d8cebfd6da8a
Instruction Fuzzy Hash: 5B41A372644751DBD320DB59D840B5BB7D4EB94710F448A5EF495873D1C378D408CBA6

Function 00473510 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000405,00000000,?), ref: 004735C9
GetWindowLongA.USER32(?,000000FC), ref: 004735DA
GetWindowLongA.USER32(?,000000FC), ref: 004735EA
SetWindowLongA.USER32(?,000000FC,?), ref: 00473606

Strings

(, xrefs: 004735B4

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: 71a653b974616c0dd4e33500b1673da93b34ce0bf1909815758ec7880ca53585
Instruction ID: 7d3766404ba413d65f4c151c9af4cbed576f01b85d82abc5dba8b0f4bbb2de90
Opcode Fuzzy Hash: 71a653b974616c0dd4e33500b1673da93b34ce0bf1909815758ec7880ca53585
Instruction Fuzzy Hash: E8310470600700AFDB20AF69C945BAEBBF5FF44715F10852EE549A7391DB38E9048B99

Function 0047B667 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0047B698

Part of subcall function 0047B784: lstrlenA.KERNEL32(00000104,00000000,?,0047B6C8), ref: 0047B7BB

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0047B739
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0047B766

Strings

.HLP, xrefs: 0047B733
.INI, xrefs: 0047B760

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: 03aa441e8f36a40aa0b0080d2966bf85189b0513c32a9b860623e2ceee1860a8
Instruction ID: 91b3b58434f680409ace84902381da1db0f6636f7247d68cf68f52cca6364cdc
Opcode Fuzzy Hash: 03aa441e8f36a40aa0b0080d2966bf85189b0513c32a9b860623e2ceee1860a8
Instruction Fuzzy Hash: B3319275904718AFDB20EF75D885BC6B7FCEF04304F10896BE199D2151EB78AA84CB54

Function 0041DCA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 0041DCE0
GlobalSize.KERNEL32(?), ref: 0041DD03
GlobalSize.KERNEL32(?), ref: 0041DD33
GlobalUnlock.KERNEL32(?), ref: 0041DD43

Strings

BM, xrefs: 0041DCFD

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Global$Size$LockUnlock
String ID: BM
API String ID: 2233901773-2348483157
Opcode ID: a5107ad4b284dcc5fc03810f8d1788f072d9878de327c7c5a8a37d85a743f303
Instruction ID: 7c17986d419e6b422a183d29a7b9a15c13cbdf0aa0fdb924cc9e9f1f98fb6990
Opcode Fuzzy Hash: a5107ad4b284dcc5fc03810f8d1788f072d9878de327c7c5a8a37d85a743f303
Instruction Fuzzy Hash: 3921A476900254ABC710DF99D845BDEBBB8FF48720F10426EE819F3391D77859408BA9

Function 00441E90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000002D), ref: 00441EB9
SystemParametersInfoA.USER32 ref: 00441F13
CreateFontIndirectA.GDI32(?), ref: 00441F21
CreatePalette.GDI32(00000300), ref: 00441F79

Strings

T1O, xrefs: 00441F4A

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CreateSystem$FontIndirectInfoMetricsPaletteParameters
String ID: T1O
API String ID: 934993634-3033138381
Opcode ID: 7a966f36f23f7e382abaf7ba26d8d5a4f97cf0e2390176339ab9f28b610ba8ae
Instruction ID: 19617e9a6c9bf552c3a79fea8c1a8d7140cae78d895a9b968e27c9bf6f537121
Opcode Fuzzy Hash: 7a966f36f23f7e382abaf7ba26d8d5a4f97cf0e2390176339ab9f28b610ba8ae
Instruction Fuzzy Hash: C1318E75104B808FD320CF29C988ADBFBF5FF85308F40896EE29A8B651DB75A449CB11

Function 00473A28 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00473A5E
wsprintfA.USER32 ref: 00473A7A
GetClassInfoA.USER32(?,-00000058,?), ref: 00473A89

Strings

Afx:%x:%x:%x:%x:%x, xrefs: 00473A74
Afx:%x:%x, xrefs: 00473A58

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: wsprintf$ClassInfo
String ID: Afx:%x:%x$Afx:%x:%x:%x:%x:%x
API String ID: 845911565-79760390
Opcode ID: f54a8fc83c1011cfc085a0d098967c483da68277522d01b4379f6d157d018e5a
Instruction ID: 6ea9788f14ddcf9242bbab710ec52391ef120b2420bf06cb95be39599d388c72
Opcode Fuzzy Hash: f54a8fc83c1011cfc085a0d098967c483da68277522d01b4379f6d157d018e5a
Instruction Fuzzy Hash: C4210E71D00209AF8F10DF99DC859EF7BB8EF49355B00842FF909A2201D7759A51DFA9

Function 004162F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconA.SHELL32(00000001,?,?,00000058), ref: 00416369
DestroyIcon.USER32(?,?,?,00000058), ref: 00416376
Shell_NotifyIconA.SHELL32(?,?,00000000,00000058), ref: 004163A9

Strings

d, xrefs: 00416319
X, xrefs: 00416307

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Icon$NotifyShell_$Destroy
String ID: X$d
API String ID: 944232879-651813629
Opcode ID: 7722b9a4f4c03d6e67f1f7fa6c719532c2ecf10fccce330a19e675eefbccbcaf
Instruction ID: 8a4a884cc1f4ae3e10fcba756162d3f7778dc1e5a27c2367a493320ea0f24b33
Opcode Fuzzy Hash: 7722b9a4f4c03d6e67f1f7fa6c719532c2ecf10fccce330a19e675eefbccbcaf
Instruction Fuzzy Hash: 57215C75608700AFE350DF19D804B9BBBE9BFD4704F00891EB9D893390EBB5D9588B96

Function 00472080 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 004720C1
GetDlgItem.USER32(?,00000002), ref: 004720E0
IsWindowEnabled.USER32(00000000), ref: 004720EB
SendMessageA.USER32(?,00000111,00000002,00000000), ref: 00472101

Strings

Edit, xrefs: 004720CB

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$EnabledItemLongMessageSend
String ID: Edit
API String ID: 3499652902-554135844
Opcode ID: 95b5a31261601f3ab02bfa5c90586a9f76cd3ad7f35a9da7127be285fdff7172
Instruction ID: 9911f1a79d4ed03f00a0681194788acbcdf8697d4a65494979a04c41696bd65a
Opcode Fuzzy Hash: 95b5a31261601f3ab02bfa5c90586a9f76cd3ad7f35a9da7127be285fdff7172
Instruction Fuzzy Hash: 9601C8302402117AEA345A25CE09BEF7B64FF41B14F50C92BF609E22E1DBE8DC45CA2D

Function 0042A2F0 Relevance: 7.7, APIs: 5, Instructions: 229COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 0042A379
GetClientRect.USER32(00000000,?), ref: 0042A3B2
DPtoLP.GDI32 ref: 0042A408
GetClientRect.USER32(00000000,?), ref: 0042A4DC
DPtoLP.GDI32 ref: 0042A532

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$Client$Copy
String ID:
API String ID: 472922470-0
Opcode ID: 94c0f2e6afcdfc1bd51962deb361956ae7109f034d32f9ad5f80e351e898f6b6
Instruction ID: f0c1285175a6668b853d415c7d131b4352f0c0578ab17944900ec7397010f16e
Opcode Fuzzy Hash: 94c0f2e6afcdfc1bd51962deb361956ae7109f034d32f9ad5f80e351e898f6b6
Instruction Fuzzy Hash: 888170713083519FC324EB69D880B6FB7E5BBC8704F90491EF58A87241EA78D8498B67

Function 0040BB50 Relevance: 7.7, APIs: 5, Instructions: 159windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 0040BB72
CreateRectRgn.GDI32 ref: 0040BBF4
GetClientRect.USER32(?,?), ref: 0040BC1D
FillRgn.GDI32(?,?,?), ref: 0040BC96
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0040BD0C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$ClientCreateEmptyFill
String ID:
API String ID: 97219908-0
Opcode ID: 918a9007a2d38f8686e368cf99bc8f9c7edbd52d26804ec2b138aab913d9c66d
Instruction ID: b0b6e790513edd1af68f820209ec9d043b6fa56eca7c654f8fa267db77f9f921
Opcode Fuzzy Hash: 918a9007a2d38f8686e368cf99bc8f9c7edbd52d26804ec2b138aab913d9c66d
Instruction Fuzzy Hash: DD516271214742AFD714DF25C885E6BB3E9FF84704F00892EF55993281DB78E808CBAA

Function 00465A37 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00465A95
GetFileType.KERNEL32(?,?,00000000), ref: 00465B40
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00465BA3
GetFileType.KERNEL32(00000000,?,00000000), ref: 00465BB1
SetHandleCount.KERNEL32 ref: 00465BE8

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 6ad41282d2625491f7e0a53f88d2ac9c428aee7c1d36388a5de60aeb16bb1178
Instruction ID: a78537c471bcbadaae6a51c9efbd63af8d3e36fd870dad2b93cc080a74d30bf6
Opcode Fuzzy Hash: 6ad41282d2625491f7e0a53f88d2ac9c428aee7c1d36388a5de60aeb16bb1178
Instruction Fuzzy Hash: 1351E771504A018FC7218B78D8847667BE4AB11B29F28476ED5A2CB2E1F778AC09D71B

Function 0045F990 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,00000000,?,?,?,0045F1A6,00000000), ref: 0045F9B4

Part of subcall function 0045F8B0: WriteFile.KERNEL32(0045F9DC,?,00000002,?), ref: 0045F8D4

CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,0045F1A6,00000000,?,?,?,?,?,00000003,?), ref: 0045F9E1
WriteFile.KERNEL32(00000000,?,00000010,?,00000000,?,00000000), ref: 0045FA7F
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,0045F1A6,00000000,?), ref: 0045FAD4
CloseHandle.KERNEL32(?,00000000,?,?,?,?,0045F1A6,00000000,?,?,?,?,?,00000003,?), ref: 0045FB01

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: File$Write$CloseHandle$Create
String ID:
API String ID: 3850996263-0
Opcode ID: eed810e7deda5275f21c5c7f648a47e70229db3339725e19607d5cc81075127d
Instruction ID: 5740aed00236501e6cc2cf7219e402e70938c91831d051f6d58866dfcdf51a9b
Opcode Fuzzy Hash: eed810e7deda5275f21c5c7f648a47e70229db3339725e19607d5cc81075127d
Instruction Fuzzy Hash: 65414971208342ABD324DF64D888B6BF7E8EF98305F10092DF99587342D364E90CCBA6

Function 00416FF0 Relevance: 7.6, APIs: 5, Instructions: 104windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004170C0
WinHelpA.USER32(?,00000000,00000002,00000000), ref: 004170DB
GetMenu.USER32(?), ref: 004170EB
SetMenu.USER32(?,00000000), ref: 004170F8
DestroyMenu.USER32(00000000), ref: 00417103

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Menu$DestroyHelpWindow
String ID:
API String ID: 427501538-0
Opcode ID: ac906b6202dcbc346569720b558076221f140322cae316f149bad285d3a8cc59
Instruction ID: ea224330ad742797991e0e1692febec797dc60a484b7df87ddeac0bd0110c4fe
Opcode Fuzzy Hash: ac906b6202dcbc346569720b558076221f140322cae316f149bad285d3a8cc59
Instruction Fuzzy Hash: C731C7716043096BC314AF66CC45EAFBBBCFF49348F05091EF90593241DB39B8958BA9

Function 00422A60 Relevance: 7.6, APIs: 5, Instructions: 103synchronizationCOMMON

Download Yara Rule

APIs

midiStreamStop.WINMM(?,00000000,?,00000000,004225CA,00000000,005057D0,00414F56,005057D0,?,00414DFF,005057D0,00412DB6,00000001,00000000,000000FF), ref: 00422A95
midiOutReset.WINMM(?,?,00414DFF,005057D0,00412DB6,00000001,00000000,000000FF), ref: 00422AB3
WaitForSingleObject.KERNEL32(?,000007D0,?,00414DFF,005057D0,00412DB6,00000001,00000000,000000FF), ref: 00422AD6
midiStreamClose.WINMM(?,?,00414DFF,005057D0,00412DB6,00000001,00000000,000000FF), ref: 00422B13
midiStreamClose.WINMM(?,?,00414DFF,005057D0,00412DB6,00000001,00000000,000000FF), ref: 00422B47

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: midi$Stream$Close$ObjectResetSingleStopWait
String ID:
API String ID: 3142198506-0
Opcode ID: 6b3b54964f08d9fe8f0ca6423ab8d61fb40268fd61be1ee63eb23db956633a04
Instruction ID: e705a0a11c53174dce0fa6023e126b315d145eb59caf43c1d7e69b1a4cb34893
Opcode Fuzzy Hash: 6b3b54964f08d9fe8f0ca6423ab8d61fb40268fd61be1ee63eb23db956633a04
Instruction Fuzzy Hash: BE313E72700B219BCB309F69A9C455FB7E5BF947017544A3FE286C6A00C7B8E846CB98

Function 00413F10 Relevance: 7.6, APIs: 5, Instructions: 92windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00413F80
GetMenu.USER32(?), ref: 00413F8F
DestroyAcceleratorTable.USER32(?), ref: 00413FDC
SetMenu.USER32(?,00000000), ref: 00413FF1
DestroyMenu.USER32(?), ref: 00414001

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Menu$Destroy$AcceleratorTableWindow
String ID:
API String ID: 1240299919-0
Opcode ID: 8cc4d858e18f7080302e3e9c6356e24eff324c9e05093acf29b536d7feb157ca
Instruction ID: 6fcf1f34a8950d99d13075ba1c4768ff069a6b73ed772d6f054bd9bca95a2fb7
Opcode Fuzzy Hash: 8cc4d858e18f7080302e3e9c6356e24eff324c9e05093acf29b536d7feb157ca
Instruction Fuzzy Hash: A13198B1A003056FC720EF66DC44D6B77B8EF85758F02492DFD0597242EA38E809CBA5

Function 00418D70 Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

IsChild.USER32(?,?), ref: 00418D8C

Part of subcall function 0040E6D0: IsChild.USER32(?,?), ref: 0040E74D
Part of subcall function 0040E6D0: GetParent.USER32(?), ref: 0040E767

GetCursorPos.USER32(?), ref: 00418DA4
GetClientRect.USER32(?,?), ref: 00418DB3
PtInRect.USER32(?,?,?), ref: 00418DD4
SetCursor.USER32(?,?,00000000,?,?,?,?,00418A00), ref: 00418E52

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ChildCursorRect$ClientParent
String ID:
API String ID: 1110532797-0
Opcode ID: 7097b24e5ecbf9d06d8e486ba81364cf802807eb91742df89d1d3d53767b26f7
Instruction ID: 9b19a506daec7c76f0880b13d1c77013ede7635c09223fc3fd92456753349406
Opcode Fuzzy Hash: 7097b24e5ecbf9d06d8e486ba81364cf802807eb91742df89d1d3d53767b26f7
Instruction Fuzzy Hash: 9D21B4726003016FC720EB25DC45F9F73F8AF94B14F144A2EF945E7281EA38E94587A9

Function 00406950 Relevance: 7.6, APIs: 5, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00477E30: __EH_prolog.LIBCMT ref: 00477E35
Part of subcall function 00477E30: GetWindowDC.USER32(?,?,?,00406981), ref: 00477E5E

GetClientRect.USER32 ref: 00406992
GetWindowRect.USER32(?,?), ref: 004069A1

Part of subcall function 00477BEA: ScreenToClient.USER32(?,00000000), ref: 00477BFE
Part of subcall function 00477BEA: ScreenToClient.USER32(?,00000008), ref: 00477C07

OffsetRect.USER32(?,?,?), ref: 004069CC

Part of subcall function 00477B27: ExcludeClipRect.GDI32(?,?,?,?,?,75A4A5C0,?,?,004069DC,?), ref: 00477B4C
Part of subcall function 00477B27: ExcludeClipRect.GDI32(?,?,?,?,?,75A4A5C0,?,?,004069DC,?), ref: 00477B61

OffsetRect.USER32(?,?,?), ref: 004069EF
FillRect.USER32(?,?,?), ref: 00406A0A

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Rect$Client$ClipExcludeOffsetScreenWindow$FillH_prolog
String ID:
API String ID: 2829754061-0
Opcode ID: c738cfb8676412fdb4e0a56ff11d419ca13dc1501c020e851cab6cce927af71d
Instruction ID: eee0c987fc614536d2daa9374927ce5fe99d7396ce8cb420638cc8a01fe91ff9
Opcode Fuzzy Hash: c738cfb8676412fdb4e0a56ff11d419ca13dc1501c020e851cab6cce927af71d
Instruction Fuzzy Hash: 213184B5218301AFD714DF14C845EABB7E9EBC4714F008E1DF59A97290DB34E905CB56

Function 00409950 Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046FF40: SendMessageA.USER32(?,0000110C,00000000,00000040), ref: 0046FF61

SendMessageA.USER32(?,0000110A,00000004,?), ref: 00409975
SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 00409995
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 004099A7
SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 004099B5
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 004099C7

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ab67c1cb1104f1d5a713625efd013d28bf64115f8ba2a987784984193f5be86c
Instruction ID: 07a1db4b6557d881dfa859639065baa88a573200386c9e97a9dbd01fe48328c6
Opcode Fuzzy Hash: ab67c1cb1104f1d5a713625efd013d28bf64115f8ba2a987784984193f5be86c
Instruction Fuzzy Hash: 9F018FF27407053AE634AA669CC1F6792AC9F94B55F00092EB741AB3C5DAF8EC064678

Function 00473987 Relevance: 7.6, APIs: 5, Instructions: 52stringregistryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0047398C
GetClassInfoA.USER32(?,?,?), ref: 004739A7
RegisterClassA.USER32(?), ref: 004739B2
lstrcatA.KERNEL32(00000034,?,00000001), ref: 004739E9
lstrcatA.KERNEL32(00000034,?), ref: 004739F7

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Classlstrcat$H_prologInfoRegister
String ID:
API String ID: 106226465-0
Opcode ID: df358d1c3a3c9fdfb965a767acf4d16736bf97d716d1a91b456bf5f7ed8b59cc
Instruction ID: c7af577bfda2311b3ce93856460fac526ed147dac0ea54cfca751778f9469f54
Opcode Fuzzy Hash: df358d1c3a3c9fdfb965a767acf4d16736bf97d716d1a91b456bf5f7ed8b59cc
Instruction Fuzzy Hash: 08114872500204BECB10EF718C01BEE7FB8EF44318F00892FF809A7191D7789A049BA9

Function 00465C5A Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,004630C2,00464DFB,00000000,?,?,00000000,00000001), ref: 00465C5C
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00465C6A
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00465CB6

Part of subcall function 00463472: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 00463568

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00465C8E
GetCurrentThreadId.KERNEL32 ref: 00465C9F

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: d22401dc1213226e7c3ceef3b87f96fb918f2d23230bc1dabba43767e6f7fab9
Instruction ID: e115db0091c0705883853dd79ce4c1cc3ab505c96ef8448535080f619c3c52d2
Opcode Fuzzy Hash: d22401dc1213226e7c3ceef3b87f96fb918f2d23230bc1dabba43767e6f7fab9
Instruction Fuzzy Hash: AAF062325027129BD7622B31AC0DA1E3B60AB01771B11092EF941952E0FB6A8845879A

Function 004135C0 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 291COMMON

Download Yara Rule

Strings

<, xrefs: 0041394A
`\A, xrefs: 00413972

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: <$`\A
API String ID: 0-3533779597
Opcode ID: ad0aebaef8f7e38166afa2f98e862278ff36d9dece0a2cb9a8d52c3576c31f50
Instruction ID: ce7faf287b8bb78e3ae234feee66ede161724abfa1844a19e1e1c42e7f84d820
Opcode Fuzzy Hash: ad0aebaef8f7e38166afa2f98e862278ff36d9dece0a2cb9a8d52c3576c31f50
Instruction Fuzzy Hash: 58B1A6B15187418FC714CF24C890AABB7E1BBC5311F14892EF5DAD7380DB74DA898B86

Function 0041C300 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 244windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B3E0: InvalidateRect.USER32(?,00000000,00000000), ref: 0041B40A

Part of subcall function 004737B2: GetWindowTextLengthA.USER32(?), ref: 004737BF
Part of subcall function 004737B2: GetWindowTextA.USER32(?,00000000,00000000), ref: 004737D7

SendMessageA.USER32(?,000000B0,?,?), ref: 0041C582
SendMessageA.USER32(?,000000B1,?,?), ref: 0041C5BE
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0041C5CB

Strings

\VO, xrefs: 0041C328

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend$TextWindow$InvalidateLengthRect
String ID: \VO
API String ID: 2881497910-2422581269
Opcode ID: 31e4b854dbc15c1fa53f5711e76d3ed6941ffa04c3924a3747c3a5f829f790ab
Instruction ID: 6086eebae5186b2b57b8e9b414bfee4723fff071ede089f459321a71d1549631
Opcode Fuzzy Hash: 31e4b854dbc15c1fa53f5711e76d3ed6941ffa04c3924a3747c3a5f829f790ab
Instruction Fuzzy Hash: 4181F7F1548302ABD614DB64DCD1DBF73E8AB84344F148E2FF59582291E638E889C76B

Function 0040F120 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00412B20: GetCurrentThreadId.KERNEL32 ref: 00412B45
Part of subcall function 00412B20: IsWindow.USER32(00000000), ref: 00412B61
Part of subcall function 00412B20: SendMessageA.USER32(00000000,000083E7,00412451,00000000), ref: 00412B7A
Part of subcall function 00412B20: ExitProcess.KERNEL32 ref: 00412B8F

DeleteCriticalSection.KERNEL32(00506290,?,?,?,?,?,?,?,?,00414EBD), ref: 0040F15A

Part of subcall function 00473476: __EH_prolog.LIBCMT ref: 0047347B

Strings

`\A, xrefs: 0040F16B, 0040F23F, 0040F255, 0040F26B, 0040F281, 0040F297, 0040F2AD, 0040F2C3, 0040F2D9, 0040F31F, 0040F335, 0040F34B, 0040F361, 0040F377, 0040F38D, 0040F3A3, 0040F3E6
!, xrefs: 0040F148
#, xrefs: 0040F3D3

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CriticalCurrentDeleteExitH_prologMessageProcessSectionSendThreadWindow
String ID: !$#$`\A
API String ID: 2888814780-2661838773
Opcode ID: 062e78243ff93cf5c0e6832bc7945e3024dd77ec5527ef1cda715c22e9d473f9
Instruction ID: 923d0d47f0203151a878fdb31e224976cfad0f4189bfc8f6c860de677049e1d4
Opcode Fuzzy Hash: 062e78243ff93cf5c0e6832bc7945e3024dd77ec5527ef1cda715c22e9d473f9
Instruction Fuzzy Hash: 59912F74008B81CED312EF75C45479BBFE4AFA5308F54485EE4DA07392DBB96248CBA6

Function 0042D8B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0042D8EF
CreateFontIndirectA.GDI32(00000028), ref: 0042D958
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0042D99F

Strings

(, xrefs: 0042D944

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CreateExtentFontIndirectPoint32Textwsprintf
String ID: (
API String ID: 3175173087-3887548279
Opcode ID: 299b925808a7e7a92dbdedcc0387106de36e4c50e49d52bfb2bcf69a00837a6f
Instruction ID: dab4ecaa91b9f72f48b9694423ea9894d7cd8dce00644c7cfcac5791a4074aae
Opcode Fuzzy Hash: 299b925808a7e7a92dbdedcc0387106de36e4c50e49d52bfb2bcf69a00837a6f
Instruction Fuzzy Hash: 4951D3712083458FC324CF28D885B6FB7E5FB88304F144A1EF59A83381DBB99949CB96

Function 004245F0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

`\A, xrefs: 0042478F
, xrefs: 00424629

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: $`\A
API String ID: 0-2008107022
Opcode ID: 7e551758bfe3d387ff134eebcb1ca0ac7451f092d95ae119ecd1f94b83e1ae8f
Instruction ID: a13ea363fb901079675aeaacd131e3a629689ec94de5627d83f294a2c171b3a0
Opcode Fuzzy Hash: 7e551758bfe3d387ff134eebcb1ca0ac7451f092d95ae119ecd1f94b83e1ae8f
Instruction Fuzzy Hash: 7D51BE712047519FC314EF15D880B6BB7A8FBC5358F400A2EF95693290DB38E845CB9A

Function 0041EEA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 0041EF8C
__ftol.LIBCMT ref: 0041EFC3
__ftol.LIBCMT ref: 0041EFF9

Strings

A, xrefs: 0041EFC8

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: __ftol
String ID: A
API String ID: 495808979-2078354741
Opcode ID: d1d7c8796dd1e0fc7e18fd3c04c0511726537b6201def722743b8b60609e40ea
Instruction ID: 0aa2dff4cff6530d269409322a96791c9cfc400316d17b88a55875f4f6294be8
Opcode Fuzzy Hash: d1d7c8796dd1e0fc7e18fd3c04c0511726537b6201def722743b8b60609e40ea
Instruction Fuzzy Hash: A941C5366093428FC305CF2AC4846EA7BE1FF99308F15457EE8858B352D735D94ACB46

Function 00433530 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004737B2: GetWindowTextLengthA.USER32(?), ref: 004737BF
Part of subcall function 004737B2: GetWindowTextA.USER32(?,00000000,00000000), ref: 004737D7

wsprintfA.USER32 ref: 00433613
SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 0043363B
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0043364A

Strings

\VO, xrefs: 00433548

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSendTextWindow$Lengthwsprintf
String ID: \VO
API String ID: 1782877324-2422581269
Opcode ID: 9caee4791c6c3e554a1b37e1dfdda0f5d82fe4ecff284b182bc48e2b1d8887b3
Instruction ID: 49f03d078ba073193933987f35b28b69398918e96e40f34d73f7c43643f427b6
Opcode Fuzzy Hash: 9caee4791c6c3e554a1b37e1dfdda0f5d82fe4ecff284b182bc48e2b1d8887b3
Instruction Fuzzy Hash: 4631B475304701ABD308DB29CC52B5FB3A5EB84724F649B2DF166973C0DB78E8058B56

Function 00477170 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 0047718C
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 004771DF
GlobalUnlock.KERNEL32(?), ref: 00477276

Strings

@, xrefs: 004771C9

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Global$ByteCharLockMultiUnlockWide
String ID: @
API String ID: 231414890-2766056989
Opcode ID: fda675224f07c068402271ec94c06a72f208673c7e6f695ea28984e3c9d6d041
Instruction ID: 8798f135224ea644b1800b34de8569c5d8ee272eb5da236c064fe979a223e1e8
Opcode Fuzzy Hash: fda675224f07c068402271ec94c06a72f208673c7e6f695ea28984e3c9d6d041
Instruction Fuzzy Hash: A241E672804205EFCB10DF98C8819EEBBB9FF40354F54C56EE8299B255D3399A46CB98

Function 00415FE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100windowCOMMON

Download Yara Rule

APIs

DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,00415FC8), ref: 00416039
DestroyIcon.USER32(?), ref: 0041606E
DestroyIcon.USER32(?), ref: 0041607B

Strings

`\A, xrefs: 004160A2, 004160E9, 004160FC, 0041610F

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: DestroyIcon
String ID: `\A
API String ID: 1234817797-2688774508
Opcode ID: 761f47c2a3f37122c1072ff8fb6ec03166ead46a12daddd7b9905a8a9997515d
Instruction ID: 09e9816dcff21b1b804e06b8a58c9b0629c295ab4cb01a2469fa92893a28e424
Opcode Fuzzy Hash: 761f47c2a3f37122c1072ff8fb6ec03166ead46a12daddd7b9905a8a9997515d
Instruction Fuzzy Hash: BA418DB15047819BC320DF29C48179AFBE4BF59318F804A2EE49A53781D77CA508CB6A

Function 00409C90 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 00409CCB
SendMessageA.USER32(?,00000187,00000000,00000000), ref: 00409CFD

Part of subcall function 00479459: SendMessageA.USER32(?,0000018A,?,00000000), ref: 00479471
Part of subcall function 00479459: SendMessageA.USER32(?,00000189,?,00000000), ref: 0047948A

SendMessageA.USER32(?,00000188,00000000,00000000), ref: 00409D5A

Strings

\VO, xrefs: 00409CDF

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend
String ID: \VO
API String ID: 3850602802-2422581269
Opcode ID: c06985711f85bd6d9bbc47a0798021d997339fa470093162065689ef662c0e2c
Instruction ID: f143268d9e0b6b29eb241e206de38e3cf2d3dc1fce7556eccb965650d86efd69
Opcode Fuzzy Hash: c06985711f85bd6d9bbc47a0798021d997339fa470093162065689ef662c0e2c
Instruction Fuzzy Hash: E6317E74244741AFD224DF2A8881E6BB7F8EFC5714F104A2EF595A7291CB38D8068B26

Function 0041477A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

DestroyIcon.USER32(?), ref: 004147E7
GetCursorPos.USER32(?), ref: 00414851
SetCursorPos.USER32(?,?), ref: 00414861

Part of subcall function 0041A590: LoadCursorA.USER32(?,00000408), ref: 0041A603

Strings

`\A, xrefs: 00414C88

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Cursor$DestroyIconLoad
String ID: `\A
API String ID: 119682594-2688774508
Opcode ID: ef6170720ba11adb66df67358556cd214e6b983a7c85d236bd498c65f0189d48
Instruction ID: dcddfa23036b98578abdaa4fce896515b70f69de6043bf4d00fd039ac944e299
Opcode Fuzzy Hash: ef6170720ba11adb66df67358556cd214e6b983a7c85d236bd498c65f0189d48
Instruction Fuzzy Hash: 96319EB55043009BC710EF65DC85E9BB7A8ABCA319F00092EF45693242EB38E945CB66

Function 00424390 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

`\A, xrefs: 0042448A
, xrefs: 004243C5

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID: $`\A
API String ID: 0-2008107022
Opcode ID: daeac239ee1d62d8471d38dfb951b29072305b985e22c23df7f9733d87dc178a
Instruction ID: 848e24b7744dc9c3b43e3cdec458c2a90b6442e17aba5e7475930466da012d1d
Opcode Fuzzy Hash: daeac239ee1d62d8471d38dfb951b29072305b985e22c23df7f9733d87dc178a
Instruction Fuzzy Hash: 96316A712087409FC714EF14D854B6BB7F4FBD4724F804A2EF996A3290D73899068F5A

Function 0047B2EA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 0047B2F6
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0047B3A5
LoadBitmapA.USER32(00000000,00007FE3), ref: 0047B3BD

Strings

, xrefs: 0047B305

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: 5e83080ebf64355408b2e65338068eca4a6151a7688fad9ecd31b7d4ce9c676f
Instruction ID: a45b76971128027f44e9eb6ae6fd7d8625a873a67368b54a9ca8109b8ff00e7e
Opcode Fuzzy Hash: 5e83080ebf64355408b2e65338068eca4a6151a7688fad9ecd31b7d4ce9c676f
Instruction Fuzzy Hash: A2213A71E00215AFDB10CB78DC85BEE7BB9EF40700F058566E909EB282D7349A48CB80

Function 00441C30 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00441D03

Part of subcall function 004737B2: GetWindowTextLengthA.USER32(?), ref: 004737BF
Part of subcall function 004737B2: GetWindowTextA.USER32(?,00000000,00000000), ref: 004737D7

GetParent.USER32(?), ref: 00441CC0
SendMessageA.USER32(?,0000004E,00000000,?), ref: 00441CE5

Strings

\VO, xrefs: 00441C5D

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSendTextWindow$LengthParent
String ID: \VO
API String ID: 484616098-2422581269
Opcode ID: e3d164a2e560d7c2c916d26dca62c8c5460d43233692d99e0e957734983a00bb
Instruction ID: efd056f1778dcc39e12d4f9717203a6543ddbfe9dd98ccfd209597f202be80f9
Opcode Fuzzy Hash: e3d164a2e560d7c2c916d26dca62c8c5460d43233692d99e0e957734983a00bb
Instruction Fuzzy Hash: 2D219FB1644B01AFD320DF19C880B5BB7F4BB88710F108A1EF59A87390D778E9018B59

Function 0040AAC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(0047C208,00000142,00000000,FFFF0000), ref: 0040AB52
SendMessageA.USER32(0047C208,0000014D,000000FF,0040AA75), ref: 0040AB70
SendMessageA.USER32(0047C208,0000014E,00000000,00000000), ref: 0040AB83

Strings

\VO, xrefs: 0040AAD6

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend
String ID: \VO
API String ID: 3850602802-2422581269
Opcode ID: e0b0cac994ff81a42fc1794e52fa775b5c75a5a17ebc694bc2e838f037608d12
Instruction ID: 404d4c7e958285de4ce8751bb6dd8727cd12173663b9bc10eb621aff801b78bc
Opcode Fuzzy Hash: e0b0cac994ff81a42fc1794e52fa775b5c75a5a17ebc694bc2e838f037608d12
Instruction Fuzzy Hash: 5D21AF71204701ABC224DF28DC45FAB77E5AB84720F504B1EF16A933D0CB78A805CB56

Function 00407110 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,000000B0,?,?), ref: 00407166

Part of subcall function 004756B5: SetWindowTextA.USER32(?,0041B73A), ref: 004756C3

SendMessageA.USER32(?,000000B1,?,?), ref: 00407183
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00407190

Strings

\VO, xrefs: 00407128

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend$TextWindow
String ID: \VO
API String ID: 1596935084-2422581269
Opcode ID: 052b3ca67787d31f5ff75ea2301033b044eb4e8ea23863666ead1434d49d02f4
Instruction ID: aef75d0e84d0180187101b313497eb113f8736dffdcb52cbfc0ae54a304f7dad
Opcode Fuzzy Hash: 052b3ca67787d31f5ff75ea2301033b044eb4e8ea23863666ead1434d49d02f4
Instruction Fuzzy Hash: 21213DB1508745AFD320DF29C880A6BB7F8FB89754F504E1EF19997290C774E8058B56

Function 004333D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046F5C8: __EH_prolog.LIBCMT ref: 0046F5CD
Part of subcall function 0046F5C8: lstrcpynA.KERNEL32(?,?,00000104), ref: 0046F6BA

Part of subcall function 0046F762: lstrlenA.KERNEL32(?,?,?,0000000C,?,?,0041CFF9,?,-00000001,00000000,?,?,?,004F0BD0), ref: 0046F76C
Part of subcall function 0046F762: GetFocus.USER32 ref: 0046F787
Part of subcall function 0046F762: IsWindowEnabled.USER32(?), ref: 0046F7B0
Part of subcall function 0046F762: EnableWindow.USER32(?,00000000), ref: 0046F7C2
Part of subcall function 0046F762: GetOpenFileNameA.COMDLG32(?,?), ref: 0046F7ED
Part of subcall function 0046F762: EnableWindow.USER32(?,00000001), ref: 0046F80B
Part of subcall function 0046F762: IsWindow.USER32(?), ref: 0046F811
Part of subcall function 0046F762: SetFocus.USER32(?), ref: 0046F81F

Part of subcall function 0046F83D: __EH_prolog.LIBCMT ref: 0046F842
Part of subcall function 0046F83D: GetParent.USER32(?), ref: 0046F87F
Part of subcall function 0046F83D: SendMessageA.USER32(?,00000464,00000104,00000000), ref: 0046F8A7
Part of subcall function 0046F83D: GetParent.USER32(?), ref: 0046F8D0
Part of subcall function 0046F83D: SendMessageA.USER32(?,00000465,00000104,00000000), ref: 0046F8ED

Part of subcall function 004756B5: SetWindowTextA.USER32(?,0041B73A), ref: 004756C3

Part of subcall function 00471416: InterlockedDecrement.KERNEL32(-000000F4), ref: 0047142A

SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 0043347D
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0043348C

Part of subcall function 004757F0: SetFocus.USER32(?,00411BE3), ref: 004757FA

Strings

out.prn, xrefs: 004333F9
prn, xrefs: 004333FE

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$MessageSend$Focus$EnableH_prologParent$DecrementEnabledFileInterlockedNameOpenTextlstrcpynlstrlen
String ID: out.prn$prn
API String ID: 4074345921-3109735852
Opcode ID: 217e41d7b4a0f0f8ff833f30aea21e32e770fae48fbd6f24470a5813633546c1
Instruction ID: 9964e7ce650b6d10914b26df8945c595f7ba066c3462c9269aa011685f3d1402
Opcode Fuzzy Hash: 217e41d7b4a0f0f8ff833f30aea21e32e770fae48fbd6f24470a5813633546c1
Instruction Fuzzy Hash: F021A171248380ABD330EB14C846BEBB7A4AB94724F108B1EB5A9572D2DBBC6404CB57

Function 00406C80 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(0047BEA8,000000B1,00000000,000000FF), ref: 00406D0D
SendMessageA.USER32(0047BEA8,000000B7,00000000,00000000), ref: 00406D1C

Strings

%l@, xrefs: 00406CE4, 00406D1E, 00406CCF, 00406CD3, 00406CEA
\VO, xrefs: 00406C96

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend
String ID: %l@$\VO
API String ID: 3850602802-1733826371
Opcode ID: d7f4fef47b7ecbaf1cf0dab5b80bb7c5b9d5a700707f2a7d9350ab3522e49080
Instruction ID: a928e3903d56a6bd3af210cd617a22176563732abff316a28aa37eefe7c1b5f6
Opcode Fuzzy Hash: d7f4fef47b7ecbaf1cf0dab5b80bb7c5b9d5a700707f2a7d9350ab3522e49080
Instruction Fuzzy Hash: 4F119371204701ABD324EF29DC51FABB7E5EB84720F508B1EF56A933D0CB78A4048B65

Function 0046FE29 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53stringwindowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0046FE2E
SendMessageA.USER32(?,0000110C,00000000,?), ref: 0046FE7A
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0046FE83

Strings

\VO, xrefs: 0046FE45

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: H_prologMessageSendlstrlen
String ID: \VO
API String ID: 3754839358-2422581269
Opcode ID: 91a11773fc6a589897db5c3940ec81170e171f8b4ae18ea5e6641c886d7a6c48
Instruction ID: aa7417d04c5bb0dd70febfd6f743ceb632d8cbf3717b1c36d74b77db4533dbce
Opcode Fuzzy Hash: 91a11773fc6a589897db5c3940ec81170e171f8b4ae18ea5e6641c886d7a6c48
Instruction Fuzzy Hash: A4113072D00118EFCB04DF95D885BDDBBB4EF44324F10812AF5199B1A1D7749A44CB58

Function 00469508 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,004629ED,?,?,?,00000000,00000001), ref: 0046952B
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,004629ED,?,?,?,00000000,00000001), ref: 00469541
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,004629ED,?,?,?,00000000,00000001), ref: 00469574
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,004629ED,?,?,?,00000000,00000001), ref: 004695DC
WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,?,?,00000000,00000000,?,00000000,?,?,004629ED,?), ref: 00469601

Strings

)F, xrefs: 00469520

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide
String ID: )F
API String ID: 352835431-1070133202
Opcode ID: 5a379001549b9402f075e7a3d2bc38e1d20ce8d8fe187049eae39cf203c63ff9
Instruction ID: c3b7cbf578a4f100360659d34f1e19fbe27f187d68e4f7fdfd8ff7bdbe5fa8f8
Opcode Fuzzy Hash: 5a379001549b9402f075e7a3d2bc38e1d20ce8d8fe187049eae39cf203c63ff9
Instruction Fuzzy Hash: 85113D32900209ABDF228F94CD449DEBFB5FF48750F148569F91162160D3768E61DB55

Function 0046E519 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0051AD08), ref: 0046E525
InterlockedDecrement.KERNEL32(0051AD08), ref: 0046E53C

Part of subcall function 004684F4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 00468531
Part of subcall function 004684F4: EnterCriticalSection.KERNEL32(?,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 0046854C

InterlockedDecrement.KERNEL32(0051AD08), ref: 0046E56C

Strings

m4F, xrefs: 0046E519

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Interlocked$CriticalDecrementSection$EnterIncrementInitialize
String ID: m4F
API String ID: 2038102319-2614859315
Opcode ID: f56620686cb74791d32d136e5c9c0ea4dd61fd69cfa01a7405b7a061497df9e0
Instruction ID: 3699e6e87b21ed1b02a0105f7244611f8b864d5753c5fcb6df8eb5d1e4a38bae
Opcode Fuzzy Hash: f56620686cb74791d32d136e5c9c0ea4dd61fd69cfa01a7405b7a061497df9e0
Instruction Fuzzy Hash: 72F0903610121ABBDB116FD6AC4199E3798EF84369F04443EF50505151EBB55A12869B

Function 00476F7F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,#G,00000000,00476F78,?,00000000,?,?,0047230A,?,00000000,?,?), ref: 00476F8F
GlobalLock.KERNEL32(00000000), ref: 00476F9D
GlobalUnlock.KERNEL32(00000000), ref: 00476FD1

Strings

#G, xrefs: 00476F7F, 00476F8C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Global$AllocLockUnlock
String ID: #G
API String ID: 3972497268-2764570518
Opcode ID: 4bbaee8282b53a55c25b47964a58e88ebc5eb5f714c14162cc3b65c16e9c4791
Instruction ID: 4f12b76569c5b7c9d9e87cfae53657f30aa98190fe3b42406f3c855fa17f429b
Opcode Fuzzy Hash: 4bbaee8282b53a55c25b47964a58e88ebc5eb5f714c14162cc3b65c16e9c4791
Instruction Fuzzy Hash: 6FF0F072900602ABD7609F64EC09E6AB7F4FF44300B15CC2EF989C3250E374E899CB15

Function 00478871 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 00478882
GetClassNameA.USER32(00000000,?,0000000A), ref: 0047889D
lstrcmpiA.KERNEL32(?,combobox), ref: 004788AC

Strings

combobox, xrefs: 004788A6

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: 65d7b5280bd3e05bba082ad91dae0627e4f963beb53e2cc18d0260e067e873e5
Instruction ID: 8033ba15f317681660d57f643f54750901f3a10673394120bddeac407067b3f6
Opcode Fuzzy Hash: 65d7b5280bd3e05bba082ad91dae0627e4f963beb53e2cc18d0260e067e873e5
Instruction Fuzzy Hash: 67E0E5325A0209BFCF40AF60CC4DA9D3B68EB00301F10853AB52AE5090DB34D149CB59

Function 0046606F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00460EB0), ref: 00466074
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00466084

Strings

KERNEL32, xrefs: 0046606F
IsProcessorFeaturePresent, xrefs: 0046607E

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 62f5441584a6ec97a87fca1abe4d7c580f0184ee8fc490a446cc450bea8109f4
Instruction ID: 5b093410ee1e546a08ae72aee597d809d8e0cdbfafd2c430d4278d0458039995
Opcode Fuzzy Hash: 62f5441584a6ec97a87fca1abe4d7c580f0184ee8fc490a446cc450bea8109f4
Instruction Fuzzy Hash: F8C0123035030253D9606BB19C19F1E21481B08B43F55083BA50DD4680EE68D500552E

Function 0046380C Relevance: 6.5, APIs: 5, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b87f7e8928570c3293da41dcbe6def17c3e950dbd5f9b8b2005c870bd6766bed
Instruction ID: 0676d73c22ecd4589984e604746bb89cf3a6c3e5c538f517ea729b90bcbc0727
Opcode Fuzzy Hash: b87f7e8928570c3293da41dcbe6def17c3e950dbd5f9b8b2005c870bd6766bed
Instruction Fuzzy Hash: 499148B1D01294AACF21EF699C409DE7AB4EF44765F20021BF815B6291F7398E40DB6F

Function 0046A27C Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,?,?,?,?,0046A748,00000000,00000010,00000000,00000009,00000009,?,004626F1,00000010,00000000), ref: 0046A29D
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,0046A748,00000000,00000010,00000000,00000009,00000009,?,004626F1,00000010,00000000), ref: 0046A2C1
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,0046A748,00000000,00000010,00000000,00000009,00000009,?,004626F1,00000010,00000000), ref: 0046A2DB
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0046A748,00000000,00000010,00000000,00000009,00000009,?,004626F1,00000010,00000000,?), ref: 0046A39C
HeapFree.KERNEL32(00000000,00000000,?,?,0046A748,00000000,00000010,00000000,00000009,00000009,?,004626F1,00000010,00000000,?,00000000), ref: 0046A3B3

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 7e8d4c338e1b366931e40148bb8043b3ebc89daed19ccdca063ff6b3309603ff
Instruction ID: 7ceeeae8b3e58c0154ad3d75aad2ef64ad170c482578115f1cde978b5a8352b8
Opcode Fuzzy Hash: 7e8d4c338e1b366931e40148bb8043b3ebc89daed19ccdca063ff6b3309603ff
Instruction Fuzzy Hash: 2B313171640B059FD3218F24EC41B26B7E0EB44B54F10453AEA55A73D0FB7CA8A4DB4E

Function 004233C0 Relevance: 6.2, APIs: 4, Instructions: 246COMMON

Download Yara Rule

APIs

midiStreamOpen.WINMM(?,?,00000001,00423A00,?,00030000,?,?,?,00000000), ref: 004233EB
midiStreamProperty.WINMM ref: 004234D2
midiOutPrepareHeader.WINMM(?,?,00000040,00000001,?,?,?,?,00000000), ref: 00423620

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: midi$Stream$HeaderOpenPrepareProperty
String ID:
API String ID: 2061886437-0
Opcode ID: ecf68b696309d1b47c3f35a980cdfd015be0179d47e3eac7d4237405563466f3
Instruction ID: a582029f944ea6128e4d10f4eec4402f384e375b00ab52bf8cea3919812bd4bf
Opcode Fuzzy Hash: ecf68b696309d1b47c3f35a980cdfd015be0179d47e3eac7d4237405563466f3
Instruction Fuzzy Hash: 33A169717006158FC724DF28D890BAAB7F6FB84304F50496EE686C7751EB39BA19CB40

Function 00412180 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004121D3

Strings

%d, %d, xrefs: 004121C6
", xrefs: 00412227, 004122C7
\VO, xrefs: 004121B0

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: "$%d, %d$\VO
API String ID: 2111968516-319548089
Opcode ID: f9a7cb01872229ae49c7a890a942e29391193e7de113a631739161dbbecd496d
Instruction ID: 513d0e2aa3f346817cd27db529ceec45dc4da4c335aeeaaad5056cfa31f87b4b
Opcode Fuzzy Hash: f9a7cb01872229ae49c7a890a942e29391193e7de113a631739161dbbecd496d
Instruction Fuzzy Hash: CB81D9719002199BCB14DF69DD82FEF7374EF10308F14402EF919A7292EB78A919C7A9

Function 0041C8F0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041CACB

Part of subcall function 004756B5: SetWindowTextA.USER32(?,0041B73A), ref: 004756C3

Strings

`\A, xrefs: 0041CA8E
\VO, xrefs: 0041CAE7

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: TextWindowwsprintf
String ID: \VO$`\A
API String ID: 430165219-155183320
Opcode ID: 0ef0a240ac92bdd1ccc4889044a0bc1a825b0350aebd2410d0a1a91bba02dc73
Instruction ID: 07356d6b615637c58fd5b144c06da639d8ec314fd2e8eae916a5833a0ba899af
Opcode Fuzzy Hash: 0ef0a240ac92bdd1ccc4889044a0bc1a825b0350aebd2410d0a1a91bba02dc73
Instruction Fuzzy Hash: 2F61B2B12447469BC320DF65CCC5BABB7E4EF84304F40892EF49687381EA78E8458B5A

Function 004206C0 Relevance: 6.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f632bb61a9b5feacdf21c6a8a4123768eb6083e9f7abbfe41e645991422f81
Instruction ID: b4df958ac809872bb030ff44051441e487975955f30236b5e99e8648f8d58b86
Opcode Fuzzy Hash: 17f632bb61a9b5feacdf21c6a8a4123768eb6083e9f7abbfe41e645991422f81
Instruction Fuzzy Hash: 0D516EB25083409FC310EF69D88596BFBE8FB89714F408A2EF19983351D779E908CB56

Function 0046BAF8 Relevance: 6.2, APIs: 4, Instructions: 170fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(000001D0,000001D0,00000000,000001D0,00000000,00000000,00000000,00000000), ref: 0046BB72
GetLastError.KERNEL32 ref: 0046BB7C
ReadFile.KERNEL32(?,?,00000001,000001D0,00000000), ref: 0046BC42
GetLastError.KERNEL32 ref: 0046BC4C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 65e1275e7023957f001490c308896dbd9e6354e03a9f7a838130bf1730a4fafd
Instruction ID: e75d8994f562e5d97d515d0f536fb6fe5a3dde498461481afc77ca18c4f0861f
Opcode Fuzzy Hash: 65e1275e7023957f001490c308896dbd9e6354e03a9f7a838130bf1730a4fafd
Instruction Fuzzy Hash: 7851B434A043859FDF218F58C8847AA7BB0EF12314F14449FE851DB355EB789A86CB9B

Function 004214D0 Relevance: 6.2, APIs: 4, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004214E2
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0042153A
__ftol.LIBCMT ref: 00421625
__ftol.LIBCMT ref: 00421632

Part of subcall function 00477678: SelectObject.GDI32(?,00000000), ref: 0047769A
Part of subcall function 00477678: SelectObject.GDI32(?,?), ref: 004776B0

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ObjectSelect__ftol$ClientRect
String ID:
API String ID: 2514210182-0
Opcode ID: d38e878cf15cda7bed9e86f97a52f56a69d67952749aaec9eaffa6bc4f1ffebc
Instruction ID: 5ad6f27c5c6b5d277297b5eee5dd38b48e6e594233cc91bb2dac66054f3481d6
Opcode Fuzzy Hash: d38e878cf15cda7bed9e86f97a52f56a69d67952749aaec9eaffa6bc4f1ffebc
Instruction Fuzzy Hash: 5751BEB17083129FC714CF28D88096FBBE9FBD8740F544A2EF88A93261D634DC458B96

Function 00435440 Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0043547E
GetDC.USER32(?), ref: 004355E2
ReleaseDC.USER32(?,?), ref: 00435606
DeleteObject.GDI32(?), ref: 00435638

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: DeleteObject$Release
String ID:
API String ID: 2600533906-0
Opcode ID: 3bfa6719a29b074762b195ff6625576447e868de6e7dbf8d84426252f671c3bf
Instruction ID: 6e884ec8670b6891ae9016c6985c8f60ce9af6a9cef92a81c5fe89db1a059d05
Opcode Fuzzy Hash: 3bfa6719a29b074762b195ff6625576447e868de6e7dbf8d84426252f671c3bf
Instruction Fuzzy Hash: 0C517CB1A002049BDF14DF28C880B9A3BE6BF58314F48857AED4DCF31AD7789949CB65

Function 004102F0 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000001), ref: 00410364
GetParent.USER32(00000001), ref: 004103B4
IsWindow.USER32(?), ref: 004103D4
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 0041044F

Part of subcall function 00475787: ShowWindow.USER32(?,?,0040E3DC,00000000), ref: 00475795

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$ParentShow
String ID:
API String ID: 2052805569-0
Opcode ID: 9096024bdc0929ab85291fb461ca96aa74f0a1840d651731b93a1f2d45d61d7c
Instruction ID: df28f4d30dc7654d47b5946cfbc528e90af3ca4c435bebaf93127f8d07e722d4
Opcode Fuzzy Hash: 9096024bdc0929ab85291fb461ca96aa74f0a1840d651731b93a1f2d45d61d7c
Instruction Fuzzy Hash: E641B471600301ABC320DE61DC81FEB73A8AF84755F04452EFE599B381D7B8E8898BA5

Function 0046B908 Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 0046B9CF

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ce8a87ea8cf3446ac1ca91bdb64e265e206ef6949272315ba5fa4ab1fae782bb
Instruction ID: 77592d1b29af7321ee1a7018eed3b6cd1b6b81bd231168f216050ec6e608b44a
Opcode Fuzzy Hash: ce8a87ea8cf3446ac1ca91bdb64e265e206ef6949272315ba5fa4ab1fae782bb
Instruction Fuzzy Hash: F551B671900248EFCB11CFA8C884AAE7BB4FF41350F1485AAE915DB251E734DE84CB9A

Function 004415F0 Relevance: 6.1, APIs: 4, Instructions: 100windowCOMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(?), ref: 0044167A
SendMessageA.USER32(?,00000030,00000000,00000000), ref: 004416BE
SendMessageA.USER32(?,000000B1,?,000000FF), ref: 004416F4
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00441703

Part of subcall function 004756B5: SetWindowTextA.USER32(?,0041B73A), ref: 004756C3

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend$BrushCreateSolidTextWindow
String ID:
API String ID: 3501373727-0
Opcode ID: 0cadf077a1faec3d132d784520d4ff896d100c4fa04386011f8b64846b1e290a
Instruction ID: a2454982319da30a903411cd454487a92ba701b631de0fcfbd6a78aa6767c7c4
Opcode Fuzzy Hash: 0cadf077a1faec3d132d784520d4ff896d100c4fa04386011f8b64846b1e290a
Instruction Fuzzy Hash: 6D3148B4204700AFD324DF19C855B2AFBF5EB88B14F108A1EF5598B791DBB9E840CB59

Function 00438680 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00438728

Strings

0%x, xrefs: 00438711
,!O, xrefs: 00438700
O8, xrefs: 004386F8, 00438710, 0043871D

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: ,!O$0%x$ O8
API String ID: 2111968516-898697609
Opcode ID: c41a35089f416c6284a470480a56969be2d8c41dd07900f163f283ddb541e515
Instruction ID: fd089378e4da1e448a884d101375c2c560dac89b8c86bab1326439607aaa80bb
Opcode Fuzzy Hash: c41a35089f416c6284a470480a56969be2d8c41dd07900f163f283ddb541e515
Instruction Fuzzy Hash: E721F6722147045AD718D624CC52B3FB7D9EBC8350F54052FF692872C0CFA8D909C39A

Function 00478E4F Relevance: 6.1, APIs: 4, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00478FC7: GetParent.USER32(?), ref: 00478FFA
Part of subcall function 00478FC7: GetLastActivePopup.USER32(?), ref: 00479009
Part of subcall function 00478FC7: IsWindowEnabled.USER32(?), ref: 0047901E
Part of subcall function 00478FC7: EnableWindow.USER32(?,00000000), ref: 00479031

SendMessageA.USER32(?,00000376,00000000,00000000), ref: 00478E85
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 00478EF3
MessageBoxA.USER32(00000000,?,?,00000000), ref: 00478F01
EnableWindow.USER32(00000000,00000001), ref: 00478F1D

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 1958756768-0
Opcode ID: 18b0c601841b15aa6d059dd182d20111807b22c304eabbd33af568a5ec3fe3cb
Instruction ID: f59c3b812d087f8928edbd99408dddc3e9858eaf2b351d33065fb75313e81677
Opcode Fuzzy Hash: 18b0c601841b15aa6d059dd182d20111807b22c304eabbd33af568a5ec3fe3cb
Instruction Fuzzy Hash: AC219172A40108AFDB209F94CC89AEFB7B9FB44714F14843EE608E3250DB759E448BA5

Function 004759A0 Relevance: 6.1, APIs: 4, Instructions: 85stringtimeCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(0047599C,?,00000104,?,?,?,?,?,?,?,0047598A,?), ref: 004759CA
GetFileTime.KERNEL32(00000000,0047598A,?,?,?,?,?,?,?,?,?,0047598A,?), ref: 004759EB
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0047598A,?), ref: 004759FA
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,0047598A,?), ref: 00475A1B

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID:
API String ID: 1499663573-0
Opcode ID: b80975c059b9540ccbec6622bca63b71363b83ccb7dbc5ee5f85d425cc7d6a31
Instruction ID: ad75c2e8f81d007a769454aa23ac8f21c60a34c194146d1856053fc2a6a6f42c
Opcode Fuzzy Hash: b80975c059b9540ccbec6622bca63b71363b83ccb7dbc5ee5f85d425cc7d6a31
Instruction Fuzzy Hash: E9314172510609AFDB10DF64DC85AEBB7B8BB14310F108A3EF156DB590E7B4A988CB94

Function 0040C050 Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

GetMessagePos.USER32 ref: 0040C0E8
ScreenToClient.USER32(?,?), ref: 0040C10A
ChildWindowFromPointEx.USER32(?,?,?,00000005), ref: 0040C120
GetFocus.USER32 ref: 0040C12B

Part of subcall function 004757F0: SetFocus.USER32(?,00411BE3), ref: 004757FA

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Focus$ChildClientFromMessagePointScreenWindow
String ID:
API String ID: 3117237277-0
Opcode ID: 5cf6b0a2dee58f06aa9dfcd361a6029909ef63f3001a5ce2e3c53427cae5a828
Instruction ID: 0412fe23eb9ff6f3894f01fa5feb2a14950c3f8df382ee4e7b2f7e8fb51cefdd
Opcode Fuzzy Hash: 5cf6b0a2dee58f06aa9dfcd361a6029909ef63f3001a5ce2e3c53427cae5a828
Instruction Fuzzy Hash: 8821B671300601ABD324DB24CC41FAFB3A9BF84708F04853EF9459B382DB38E9568B99

Function 00460D55 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00460D7B

Part of subcall function 00465E36: HeapCreate.KERNELBASE(00000000,00001000,00000000,00460DB3,00000001), ref: 00465E47
Part of subcall function 00465E36: HeapDestroy.KERNEL32 ref: 00465E86

GetCommandLineA.KERNEL32 ref: 00460DDB
GetStartupInfoA.KERNEL32(?), ref: 00460E06
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00460E29

Part of subcall function 00460E82: ExitProcess.KERNEL32 ref: 00460E9F

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 8b82d0610ab3d1d62a4eb495c3add024158ee8c7d1c3baac9356294e9090662c
Instruction ID: c30c858c66c05b3aa47d89c326ba0563f42dd63914086c04cf86f7e32328d0f1
Opcode Fuzzy Hash: 8b82d0610ab3d1d62a4eb495c3add024158ee8c7d1c3baac9356294e9090662c
Instruction Fuzzy Hash: B521D3B1801714AFDB04BFB6DC4AAAE7BA8EF04714F10452FF5019B291FB398900DB5A

Function 0040C960 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

StartPage.GDI32(?), ref: 0040C9A5
EndPage.GDI32(?), ref: 0040C9CB

Part of subcall function 00419360: wsprintfA.USER32 ref: 0041936F

Part of subcall function 004756B5: SetWindowTextA.USER32(?,0041B73A), ref: 004756C3

UpdateWindow.USER32(?), ref: 0040CA1A
EndPage.GDI32(?), ref: 0040CA32

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Page$Window$StartTextUpdatewsprintf
String ID:
API String ID: 104827578-0
Opcode ID: 87e4e5f4961113ed1ea1be3bfdbb4525f84b341f547e229db3b0bbc5ed9f7b2c
Instruction ID: 79726203bd45200697234c43343935048a14d825f4a6b0b9a0ff78cb4a58cf9e
Opcode Fuzzy Hash: 87e4e5f4961113ed1ea1be3bfdbb4525f84b341f547e229db3b0bbc5ed9f7b2c
Instruction Fuzzy Hash: 542150B1701B009BC264DB3AD884BDBB7E9EFC5705F10892EE5AFD6250E634A4458F58

Function 004072F0 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040731C
GetParent.USER32(?), ref: 00407331
SetParent.USER32(?,?), ref: 0040734F
GetWindowRect.USER32(?,?), ref: 00407364

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Parent$RectWindow
String ID:
API String ID: 2276825053-0
Opcode ID: 3fa578b7b7422879f321c53aa662269ed82e927f9905939ca72f009f82550d62
Instruction ID: 1640b5b8d2b67f05f64fadbf04484e01987407c17399ab641615a293fca3cba6
Opcode Fuzzy Hash: 3fa578b7b7422879f321c53aa662269ed82e927f9905939ca72f009f82550d62
Instruction Fuzzy Hash: 05118CB5A043056BE724EF74C885DAFB7A9EF84200F00892EBC1693341EA78FC098775

Function 0046DBED Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 0046DC1C
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 0046DC2F
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0046DC7B
CompareStringW.KERNEL32(00450EB6,00000000,00000000,00000000,?,00000000,?,00000000), ref: 0046DC93

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 6655f26ffc0afa8016740ca33ddbdfb13ffcd7e0004bf3d731a60cd1137e0aeb
Instruction ID: e19b81a4661682579d86ddb5aab8191b703a949f75eb5e89d80fb10038dfc18f
Opcode Fuzzy Hash: 6655f26ffc0afa8016740ca33ddbdfb13ffcd7e0004bf3d731a60cd1137e0aeb
Instruction Fuzzy Hash: 77213832D0020DEBCF218F94CD859DEBFB6FF49350F10452AFA1566260D3769921DBA5

Function 0040E890 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 0040E89D

Part of subcall function 0040E6D0: IsChild.USER32(?,?), ref: 0040E74D
Part of subcall function 0040E6D0: GetParent.USER32(?), ref: 0040E767

SendMessageA.USER32(00000000,000000F0,00000000,00000000), ref: 0040E8F6
SendMessageA.USER32(00000000,000000F1,00000000,00000000), ref: 0040E906
GetWindow.USER32(00000000,00000002), ref: 0040E90B

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSendWindow$ChildParent
String ID:
API String ID: 1043810220-0
Opcode ID: 983395c40ee5904a749397dd9b96e0fd0da87e834a3b7062d3655be47a7811a2
Instruction ID: 8c81c6e933d9ccce6afc50cee7c653784b8d28663058d5f999d6f23c9f8fc6d1
Opcode Fuzzy Hash: 983395c40ee5904a749397dd9b96e0fd0da87e834a3b7062d3655be47a7811a2
Instruction Fuzzy Hash: 4E019E723807167AE275562A9C46F6B62585B81B10F510A36BA00FA2D1DEA8EC20866D

Function 004324A0 Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004324BB
SendMessageA.USER32(?,000083EB,?,00000000), ref: 004324E5
SendMessageA.USER32(?,000083EC,?,00000000), ref: 004324F9
SendMessageA.USER32(?,000083E9,?,00000000), ref: 0043251C

Part of subcall function 004756DC: GetDlgCtrlID.USER32(?), ref: 004756E6

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend$CtrlParent
String ID:
API String ID: 1383977212-0
Opcode ID: e66c7ec9dde963a66869cf152d950e225302d2855a0dd4059c7b650e4c17af0b
Instruction ID: 42702cda0262ca79ca67ff3d12cf12f48b302c672bc58014daa9b4585956dd87
Opcode Fuzzy Hash: e66c7ec9dde963a66869cf152d950e225302d2855a0dd4059c7b650e4c17af0b
Instruction Fuzzy Hash: E20188B13007083BD51077658D81D6FB26CAB88B04F40851EF50597281CEA8FD0147BC

Function 00471AB3 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00471AE7
GetCurrentProcess.KERNEL32(?,00000000), ref: 00471AED
DuplicateHandle.KERNEL32(00000000), ref: 00471AF0
GetLastError.KERNEL32(00000000), ref: 00471B0A

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 8482aed165c2512234180adf1d9e1824d894ad1c444c2f423e361db84f3c2d5e
Instruction ID: bd135dfb245c9f2fee2e2f103d1c79ab93f8f9c0d894a6a10ea5be06ec73e52a
Opcode Fuzzy Hash: 8482aed165c2512234180adf1d9e1824d894ad1c444c2f423e361db84f3c2d5e
Instruction Fuzzy Hash: 990184357002006BDB50ABAE8C4AF9E7B9DEF44760F14856AF509DB2A1EAB4EC008764

Function 00470384 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32(?,?), ref: 0047039C
GetParent.USER32(00000000), ref: 004703A9
ScreenToClient.USER32(00000000,?), ref: 004703CA
IsWindowEnabled.USER32(00000000), ref: 004703E3

Part of subcall function 00478871: GetWindowLongA.USER32(00000000,000000F0), ref: 00478882

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$ClientEnabledFromLongParentPointScreen
String ID:
API String ID: 2204725058-0
Opcode ID: 2b4dbf0198ff72efe3d83c6f3a83321ee806fa80e5152eaf4b6216687f7dbd4a
Instruction ID: 52fe14495a31689bff503b43dcac7968387efcd0b9720fcffea49beac97ce636
Opcode Fuzzy Hash: 2b4dbf0198ff72efe3d83c6f3a83321ee806fa80e5152eaf4b6216687f7dbd4a
Instruction Fuzzy Hash: 56017C36642511AB87029B9A9C089EFBAB9EF85740B14802EFD09D3310EB74DD059B69

Function 00474451 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 0047445C
GetTopWindow.USER32(00000000), ref: 0047446F
GetTopWindow.USER32(?), ref: 0047449F
GetWindow.USER32(00000000,00000002), ref: 004744BA

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 4548389d28d0fb70943f76c8780c95065629889c73cdd6319ff12b2ef7d2f55a
Instruction ID: c0a4cfd677d84b0655d1c44915a15aec2048695e7ca91855f0a1d236a5efff8b
Opcode Fuzzy Hash: 4548389d28d0fb70943f76c8780c95065629889c73cdd6319ff12b2ef7d2f55a
Instruction Fuzzy Hash: CC018F32541625BBCF226F618D00FFF3A69AF90364F04C226FD0C91251E739C915BAAD

Function 004744CA Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 004744D8
SendMessageA.USER32(00000000,?,?,?), ref: 0047450E
GetTopWindow.USER32(00000000), ref: 0047451B
GetWindow.USER32(00000000,00000002), ref: 00474539

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 8855169cd8072d5f56e44a838d3c039c5efcf382cf6d9b5b77292cacc174c188
Instruction ID: 8f497f38b8482791a6a28812452cd29023edc090027fa11635bd4495850bfb06
Opcode Fuzzy Hash: 8855169cd8072d5f56e44a838d3c039c5efcf382cf6d9b5b77292cacc174c188
Instruction Fuzzy Hash: 99010C32000119BBCF226F959D05EEF3B2AAF85354F058416FA0865161C73ACA71EFA9

Function 00475F82 Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,?), ref: 00475FAA
GetFocus.USER32 ref: 00475FBD
GetParent.USER32(?), ref: 00475FCB
GetNextDlgTabItem.USER32(?,?,00000000), ref: 00475FE7

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Item$EnableFocusMenuNextParent
String ID:
API String ID: 988757621-0
Opcode ID: ce871369303230fc7cdab178edfaa5d037a7ef1c1b9f91077420df2d0c3135a8
Instruction ID: 87022672fba6de406e3175f553ef5a9fe0c26924d9e7d00376cd3d8517cd016d
Opcode Fuzzy Hash: ce871369303230fc7cdab178edfaa5d037a7ef1c1b9f91077420df2d0c3135a8
Instruction Fuzzy Hash: F1115231110A019FDB789F21DC59F9AB7B5EF40715F11C92EF14B865A0CBB8E845CB58

Function 004791F3 Relevance: 6.0, APIs: 4, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 0047921F
RegCloseKey.ADVAPI32(00000000,?,?), ref: 00479228
wsprintfA.USER32 ref: 00479244
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0047925D

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: c4d8bf82f58f8833f1965e24aaff97e072c2ef1820d8e692d4e49412f3ecfa81
Instruction ID: 9ceb464a6a5bb35563c00da6d720deff35c4a9548139d8f9f74bebe399d9c080
Opcode Fuzzy Hash: c4d8bf82f58f8833f1965e24aaff97e072c2ef1820d8e692d4e49412f3ecfa81
Instruction Fuzzy Hash: 56018672410219BBCB116F64EC09FEF3BACFF04714F04882AFA1596161D7B5D915DB98

Function 00474BB9 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 00474BF7
SetBkColor.GDI32(00000000,00000000), ref: 00474C03
GetSysColor.USER32(00000008), ref: 00474C13
SetTextColor.GDI32(00000000,?), ref: 00474C1D

Part of subcall function 00478871: GetWindowLongA.USER32(00000000,000000F0), ref: 00478882

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: 50a8c659d7a6823ae04f94d4646602daa5b3685b4a7a206130cb2c72dcf0e80e
Instruction ID: 756e2f98890d83afba20cb9758447a97f16ab56049c579dda22b3612742da2c0
Opcode Fuzzy Hash: 50a8c659d7a6823ae04f94d4646602daa5b3685b4a7a206130cb2c72dcf0e80e
Instruction Fuzzy Hash: 6D017C31001209AFDB225F64DE49BFF3A65AB40316F128A26FA0AD42A0C7B5D894D769

Function 0046EDEE Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0051AC58,00000001), ref: 0046EE16
InitializeCriticalSection.KERNEL32(0051AC40,?,?,?,0046EDAD), ref: 0046EE21
EnterCriticalSection.KERNEL32(0051AC40,?,?,?,0046EDAD), ref: 0046EE60

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterExchangeInitializeInterlocked
String ID:
API String ID: 3643093385-0
Opcode ID: 6884976e643e8122cc832b638958d1d73e22e03ff453906b5b15007c89357df5
Instruction ID: 0dffa976f6b5ba8de2f82bd675e1eaa5de4c01dc12e2b9a9f7fdf71ad4f9ce22
Opcode Fuzzy Hash: 6884976e643e8122cc832b638958d1d73e22e03ff453906b5b15007c89357df5
Instruction Fuzzy Hash: B8F0C835781381DBDA234B5AEC8D6973BD4F7907A9F200427F101D4150FBAA4C89A79F

Function 00433E80 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00433EC3
wsprintfA.USER32 ref: 00433ED9

Strings

gfff, xrefs: 00433E8B
%d.%d, xrefs: 00433ED3

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %d.%d$gfff
API String ID: 2111968516-3773932281
Opcode ID: a1de9d865fe79d4c02ddc5f4c5e3c8721c89c887a8060d0c6f8def602031cd89
Instruction ID: d3c1ff37403c6978e9661676bc3a2ab459ffae3ff073e7712c1d4bfddc6d5f40
Opcode Fuzzy Hash: a1de9d865fe79d4c02ddc5f4c5e3c8721c89c887a8060d0c6f8def602031cd89
Instruction Fuzzy Hash: 11F059727042002BCB8CD92EBC19E2B2A9AABEA711F05C83FF545C7390C5208C15837A

Function 00477CAA Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32(?,?), ref: 00477CBB
GetViewportExtEx.GDI32(?,?), ref: 00477CC8
MulDiv.KERNEL32(?,00000000,00000000), ref: 00477CED
MulDiv.KERNEL32(?,00000000,00000000), ref: 00477D08

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: dfc845a6968910fac889864f4fcc9f57ebc784cfaa4d233433e403db94c4de0e
Instruction ID: 767944e921de6bc67fe0cc032fde4d9675f5cd915e55196d6398597cd8d26b68
Opcode Fuzzy Hash: dfc845a6968910fac889864f4fcc9f57ebc784cfaa4d233433e403db94c4de0e
Instruction Fuzzy Hash: 6DF01976800108BFEF117B61ED0ACAEBBBDEF86310710483EF95192171EB71AD549B58

Function 00477D13 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32(?,?), ref: 00477D24
GetViewportExtEx.GDI32(?,?), ref: 00477D31
MulDiv.KERNEL32(?,00000000,00000000), ref: 00477D56
MulDiv.KERNEL32(?,00000000,00000000), ref: 00477D71

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: 28a3238d5cd6bb27234265935c6a76c60f9ca0fb3652fde87231de1beddd0028
Instruction ID: 48812a4b2ee311ed5035f98de22daf18ed24feb1be4866cb34c85e970939ef63
Opcode Fuzzy Hash: 28a3238d5cd6bb27234265935c6a76c60f9ca0fb3652fde87231de1beddd0028
Instruction Fuzzy Hash: 81F01976800108BFEF117B61ED0ACAEBBBDEF86310710483EF95192171EB71AD549B58

Function 00431E10 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00431E1F
PtInRect.USER32(?,?,?), ref: 00431E34

Part of subcall function 004757AE: IsWindowEnabled.USER32(?), ref: 004757B8

Part of subcall function 00432250: UpdateWindow.USER32(00000002), ref: 0043226D

GetCapture.USER32 ref: 00431E5C
SetCapture.USER32(00000002), ref: 00431E67

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CaptureRectWindow$ClientEnabledUpdate
String ID:
API String ID: 2789096292-0
Opcode ID: 2f1c6b9db328b2fa4602e8743c9fd717a6b1e388f9f9ad59fc05a77ec411fe08
Instruction ID: 667ce2fa9f6084ff7c9be60e82219702445662034a606e764793f0253b7cdfcb
Opcode Fuzzy Hash: 2f1c6b9db328b2fa4602e8743c9fd717a6b1e388f9f9ad59fc05a77ec411fe08
Instruction Fuzzy Hash: B2F04F316106109BD3A4AB64DD459AF73ACAF98B00F04491EF946C3261DB79E9058BA9

Function 00409FB0 Relevance: 6.0, APIs: 4, Instructions: 35registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,00000000,00000000), ref: 00409FCA
RegQueryValueA.ADVAPI32 ref: 00409FEE
lstrcpyA.KERNEL32(?,00000000), ref: 0040A001
RegCloseKey.ADVAPI32(?), ref: 0040A00C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrcpy
String ID:
API String ID: 534897748-0
Opcode ID: aafda49c741e81cac164e1e17a97ce70e0591c0bf146f6feeefe49c244375635
Instruction ID: 3170904fe6f49d3d1a7073d8894fe0a4a880854ab71c55b704a3587bed78fbf4
Opcode Fuzzy Hash: aafda49c741e81cac164e1e17a97ce70e0591c0bf146f6feeefe49c244375635
Instruction Fuzzy Hash: 29F03C75114305BFD320DB10D888FAFBBA8FF85754F00892CB98882250D6B0D848DBA2

Function 0047895B Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00478968
GetWindowTextA.USER32(?,?,00000100), ref: 00478984
lstrcmpA.KERNEL32(?,?), ref: 00478998
SetWindowTextA.USER32(?,?), ref: 004789A8

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: 9371f575e3185c2a01eaebe746d973e8c7ac01405ba2f2f1ce45b1672bc2b9f6
Instruction ID: 109b06fdf509409025cc74f2ed0fffdb65eaad036146733461488f20b948b61e
Opcode Fuzzy Hash: 9371f575e3185c2a01eaebe746d973e8c7ac01405ba2f2f1ce45b1672bc2b9f6
Instruction Fuzzy Hash: 00F0FE71400018AFDF626F64DC08ADE7B69FB08390F048566F949E1120DB75CE94DB9A

Function 004139F0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 00413B5D
GetObjectA.GDI32(00000000), ref: 00413B64

Strings

`\A, xrefs: 00413B0A

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Object$Stock
String ID: `\A
API String ID: 1996491644-2688774508
Opcode ID: 5f12d60e5a78c731cb25799951413c524574fdbd7c0cf3d00ceb85e9aedd3aa1
Instruction ID: bdc55b84dc5b9fd4334a8a381d692ba1c2ee4bb36110122106d84c3e310d8724
Opcode Fuzzy Hash: 5f12d60e5a78c731cb25799951413c524574fdbd7c0cf3d00ceb85e9aedd3aa1
Instruction Fuzzy Hash: 0181BC76604B41CFC314DF28C451AABB7E1FFC8710F14892EE89687391D738A856CB96

Function 00460F22 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00460FB2

Strings

pow, xrefs: 00460F8A, 00460FA7

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 212a8d856db3816d4406613bec46858bc7cac588b53281c0afa33b79318dbcd7
Instruction ID: 4171650f2f4a1df392c0191d016635fe788e80799915e171b59a20db18761cc3
Opcode Fuzzy Hash: 212a8d856db3816d4406613bec46858bc7cac588b53281c0afa33b79318dbcd7
Instruction Fuzzy Hash: A2516C70A1810296CB257B59C90137B2B94AF51710F25CD6BE885823A8FB7D8CD9DA8F

Function 0042D5A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 0042D700
IsRectEmpty.USER32(?), ref: 0042D70B

Part of subcall function 0042A7E0: CreateFontIndirectA.GDI32(?), ref: 0042A90C

Part of subcall function 004415F0: CreateSolidBrush.GDI32(?), ref: 0044167A
Part of subcall function 004415F0: SendMessageA.USER32(?,00000030,00000000,00000000), ref: 004416BE
Part of subcall function 004415F0: SendMessageA.USER32(?,000000B1,?,000000FF), ref: 004416F4
Part of subcall function 004415F0: SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00441703

Strings

\VO, xrefs: 0042D66C

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend$CreateRect$BrushCopyEmptyFontIndirectSolid
String ID: \VO
API String ID: 4199050670-2422581269
Opcode ID: 6dab97d4302485b34c6f8bc53f07f910a48471d08e5a981b761e610bdc16ca13
Instruction ID: f60b160a0031a8d90ff9a1883a2e007c51fb549e5d7e9841b8fb99ddac668227
Opcode Fuzzy Hash: 6dab97d4302485b34c6f8bc53f07f910a48471d08e5a981b761e610bdc16ca13
Instruction Fuzzy Hash: 6B6192703047519FD324EB25D851B6BB7E9BFD8708F40491EF68683381EBB8E9058B66

Function 0046503B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 143COMMON

Download Yara Rule

APIs

Part of subcall function 004684F4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 00468531
Part of subcall function 004684F4: EnterCriticalSection.KERNEL32(?,?,?,00463528,00000009,00000000,00000000,00000001,00465C7F,00000001,00000074,?,?,00000000,00000001), ref: 0046854C

GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,00460DF5), ref: 0046508C

Part of subcall function 00468555: LeaveCriticalSection.KERNEL32(?,00462712,00000009,004626FE,00000000,?,00000000,00000000,00000000), ref: 00468562

Strings

0hO, xrefs: 00465073
iO, xrefs: 00465080

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInfoInitializeLeave
String ID: iO$0hO
API String ID: 1866836854-3891599295
Opcode ID: 20ec889f60c6588de9c1acbfd770fb54cca6662076d46a1b784432f58641761b
Instruction ID: c923f71560c60628e42dc69d23c8bd4a305f714fa178b3e21f6f5aded566bfd6
Opcode Fuzzy Hash: 20ec889f60c6588de9c1acbfd770fb54cca6662076d46a1b784432f58641761b
Instruction Fuzzy Hash: 3C419971E05A416FEB12DB34DC843FA7BE59B06314F24416FE5448B292E67D484ACB8B

Function 0046528E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 004652A2

Strings

, xrefs: 004652C7
, xrefs: 004652EB

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 2f7578ec8ba704814a79f59183dfc3503d2b168d2c41fe87c96eb161924d6da2
Instruction ID: 0a2f1113c68eb85f9f9d5d409bdba79164b72a1d777722a96e4f14e97266964f
Opcode Fuzzy Hash: 2f7578ec8ba704814a79f59183dfc3503d2b168d2c41fe87c96eb161924d6da2
Instruction Fuzzy Hash: 33417C310016581FDB128715CD89BFB3FAD9B06B44F1404E6D989C7253E2A94D89DB67

Function 0040B470 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040B4B1
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040B50F

Strings

`\A, xrefs: 0040B5D9

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend
String ID: `\A
API String ID: 3850602802-2688774508
Opcode ID: 4e846563cc9ca5d12bae5b3308cfacd542bc504a885ac32ce95212060d7f3b2a
Instruction ID: e00b1aa3a64edda0ebb46017065ed98eddd27ce3ede2d2440ea283d4d7ab7dbb
Opcode Fuzzy Hash: 4e846563cc9ca5d12bae5b3308cfacd542bc504a885ac32ce95212060d7f3b2a
Instruction Fuzzy Hash: 52419471108740AFC324DF26C885A6FB7E9FFC4718F104A2EF596932C1DB7899058B9A

Function 0040B600 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040B641
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040B69F

Strings

`\A, xrefs: 0040B769

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend
String ID: `\A
API String ID: 3850602802-2688774508
Opcode ID: 999a7325f5b2202d19a6f1e4d80770e4fd245f9c6dcdfe12e67e022980dd02ca
Instruction ID: 670346674399c2dba06cb107e91aa43bf2a79514d6dd298aac24d7008dfbb52c
Opcode Fuzzy Hash: 999a7325f5b2202d19a6f1e4d80770e4fd245f9c6dcdfe12e67e022980dd02ca
Instruction Fuzzy Hash: 6441A4711087409FC324DF26C881A6FB7E8FFC4714F104A2EF596932D1DBB959058B9A

Function 0040B790 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040B7D1
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0040B82F

Strings

`\A, xrefs: 0040B8F9

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend
String ID: `\A
API String ID: 3850602802-2688774508
Opcode ID: 528b8edeaac06324250395da88c0f5e8818727179b3296a6b050354174c50f93
Instruction ID: 94b3e494e637acf84bc60025dc1123acbd2ba271fce7492f076d4c06f6b82f31
Opcode Fuzzy Hash: 528b8edeaac06324250395da88c0f5e8818727179b3296a6b050354174c50f93
Instruction Fuzzy Hash: 2B41A4711087419FC324EF26C881A6FB7E8FFC4714F104A2EF5A5932D1DB7899058B9A

Function 004097E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046FE29: __EH_prolog.LIBCMT ref: 0046FE2E
Part of subcall function 0046FE29: SendMessageA.USER32(?,0000110C,00000000,?), ref: 0046FE7A
Part of subcall function 0046FE29: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0046FE83

SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004098CC
SendMessageA.USER32(?,0000110A,00000003,?), ref: 00409838

Part of subcall function 00471416: InterlockedDecrement.KERNEL32(-000000F4), ref: 0047142A

Part of subcall function 0047165F: __EH_prolog.LIBCMT ref: 00471664

Part of subcall function 004715F9: __EH_prolog.LIBCMT ref: 004715FE

Part of subcall function 00471503: InterlockedIncrement.KERNEL32(-000000F4), ref: 00471546

Strings

\VO, xrefs: 004097F8

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: H_prologMessageSend$Interlocked$DecrementIncrementlstrlen
String ID: \VO
API String ID: 1725347760-2422581269
Opcode ID: 9bd6de667f26d1c9229c37c5ec5daf46954d820851f1164340cb64e6e1a28f54
Instruction ID: d92ebe92da421d1659773463777622f1bd55c83284f9b5bfad8cdcf729940095
Opcode Fuzzy Hash: 9bd6de667f26d1c9229c37c5ec5daf46954d820851f1164340cb64e6e1a28f54
Instruction Fuzzy Hash: 15418471508381AFC305DFA9C841A9FFBE8BF95714F004A1EF59593291DBB8D908CB66

Function 0040E470 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00472D76: __EH_prolog.LIBCMT ref: 00472D7B

DestroyAcceleratorTable.USER32(?), ref: 0040E50B
DestroyIcon.USER32(00000000,?,?,?,005058D4,00000000), ref: 0040E535

Strings

`\A, xrefs: 0040E588

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Destroy$AcceleratorH_prologIconTable
String ID: `\A
API String ID: 1516885281-2688774508
Opcode ID: 1d255b87550d275914525e1ebbd7717defa34fb0d57925d59eda7907f298e8ee
Instruction ID: 775ca92308f85a9897729adc8a612dc58421f5097e80363fbe6efaacf30fa4bf
Opcode Fuzzy Hash: 1d255b87550d275914525e1ebbd7717defa34fb0d57925d59eda7907f298e8ee
Instruction Fuzzy Hash: 6831D2B15007159FC310DF6AD880A2AB7E4FF44318F540E2FE445A7382E7789D148BD9

Function 0046F5C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0046F5CD
lstrcpynA.KERNEL32(?,?,00000104), ref: 0046F6BA

Strings

\VO, xrefs: 0046F5E6

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpyn
String ID: \VO
API String ID: 588646068-2422581269
Opcode ID: 610392fe81648a739ac0f500bb9f82921e67f1f9246371256dba4bc4eae5396a
Instruction ID: 3216c4e49dc1d6730ad5413f679635b2654f560e746e2ebf90df1299a80aa2c5
Opcode Fuzzy Hash: 610392fe81648a739ac0f500bb9f82921e67f1f9246371256dba4bc4eae5396a
Instruction Fuzzy Hash: BE316DB0501741DFD721DF39D881B9BBBE0FB44308F10882FE59A97252D778A808CB5A

Function 00473A18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 0047BAF5: LeaveCriticalSection.KERNEL32(?,0047AE75,00000010,00000010,?,00000000,?,?,?,0047A845,0047A8A8,0047A12E,0047A84B,00476126,004773C2), ref: 0047BB0D

Part of subcall function 00463C1C: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00460E35,00000000), ref: 00463C4A

wsprintfA.USER32 ref: 00473A5E
wsprintfA.USER32 ref: 00473A7A
GetClassInfoA.USER32(?,-00000058,?), ref: 00473A89

Strings

Afx:%x:%x, xrefs: 00473A58

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: wsprintf$ClassCriticalExceptionInfoLeaveRaiseSection
String ID: Afx:%x:%x
API String ID: 2529146597-2071556601
Opcode ID: 8435226cc81b8374e767ea666604062d6414ae829c95b5186c90fffca76efa7f
Instruction ID: 66cfd75e97f2c83f3c14577e4fed8a20604b3ead41e0dd9909153bb70698c104
Opcode Fuzzy Hash: 8435226cc81b8374e767ea666604062d6414ae829c95b5186c90fffca76efa7f
Instruction Fuzzy Hash: 76110671D00209AFDB10EFA9D8819DF7BB8EF48355B00842FF909E3241D7749A519BA9

Function 0040AFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0040B044
SendMessageA.USER32(0047C228,00000186,00000000,00000000), ref: 0040B057

Strings

\VO, xrefs: 0040AFD6

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: MessageSend
String ID: \VO
API String ID: 3850602802-2422581269
Opcode ID: 7bcb56382f203f92bb360be545e10e7055090fe8f97e19c9ce728d13c29ff950
Instruction ID: 53abe11ae815a783adcc920e622eadbd3d623cbe3b9eed68381b5b20fed00556
Opcode Fuzzy Hash: 7bcb56382f203f92bb360be545e10e7055090fe8f97e19c9ce728d13c29ff950
Instruction Fuzzy Hash: 6D115E71204640ABD224DF28E851BABB7E4EB84720F504B1EF17A933D0CB78A8058B65

Function 004322E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 0043233C

Part of subcall function 00432A40: IsWindow.USER32(?), ref: 00432A4E
Part of subcall function 00432A40: RedrawWindow.USER32(?,00000000,00000000,00000105,?,00432A3D,?,004324B7,?), ref: 00432A65

GetSysColor.USER32(00000012), ref: 00432348

Part of subcall function 00432A70: IsWindow.USER32(?), ref: 00432A7E
Part of subcall function 00432A70: RedrawWindow.USER32(?,00000000,00000000,00000105,?,00432A30,?,004324B7,?), ref: 00432A95

Part of subcall function 00471553: lstrlenA.KERNEL32(?,?,?,0046F6D5,?), ref: 00471564

Strings

\VO, xrefs: 0043230B, 0043231D

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: Window$ColorRedraw$lstrlen
String ID: \VO
API String ID: 3716826877-2422581269
Opcode ID: 5bac33302833689086c9732894bea0c770fd6dbd45deb2b0cb1a90a7da780490
Instruction ID: 96e4ca6a6c563cbd8586b94625db8b8ee2a911f4fa33c4d52d56096a5dfb5eb0
Opcode Fuzzy Hash: 5bac33302833689086c9732894bea0c770fd6dbd45deb2b0cb1a90a7da780490
Instruction Fuzzy Hash: E011C2B0200745AFD714DF1AC802B6AB7E4FB44B08F00492FF18A97791CBBDA9048B59

Function 00478759 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0047875E
lstrcpynA.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 004787C8

Strings

\VO, xrefs: 0047877B

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpyn
String ID: \VO
API String ID: 588646068-2422581269
Opcode ID: c45771153aea5767220ff410ab9e14e2e82083b097921eaa62c7a59e7a9bd3fe
Instruction ID: a71a9644b934ac998ae84b6d1acc41753ad6a3535250134cc98731f36c80fdbe
Opcode Fuzzy Hash: c45771153aea5767220ff410ab9e14e2e82083b097921eaa62c7a59e7a9bd3fe
Instruction Fuzzy Hash: 7211883250020AEFCB14DF89CC84BEEBBB4BF04314F00852EF12A972A0CB789A14CB14

Function 004767D9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004767DE
lstrcpynA.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 00476848

Strings

\VO, xrefs: 004767FB

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpyn
String ID: \VO
API String ID: 588646068-2422581269
Opcode ID: 69f5c3184915103ebacf0fefc9ee30b69007a780203c0d253ae3728a41223605
Instruction ID: 52c0564d3985a7a4b101afd551ad902e1b0b262ee106b384b965da0abe797fcb
Opcode Fuzzy Hash: 69f5c3184915103ebacf0fefc9ee30b69007a780203c0d253ae3728a41223605
Instruction Fuzzy Hash: AC11763251064AEBCB14DF99CC44BEEBBB5BF04318F00852EF12A972A0CB789A14CB14

Function 004787F9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004787FE
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 0047886A

Strings

\VO, xrefs: 00478822

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: H_prologMessageSend
String ID: \VO
API String ID: 2337391251-2422581269
Opcode ID: 1b6fe466023abccb91115c7c38ef1b4dcdebbeb98d77aed33a2ee9b9b5dbb811
Instruction ID: 6657fc21c891a47c1ff0d5aeba75ee27a6975583502373d44de87d931a3cd47a
Opcode Fuzzy Hash: 1b6fe466023abccb91115c7c38ef1b4dcdebbeb98d77aed33a2ee9b9b5dbb811
Instruction Fuzzy Hash: A501F2B1900214AFDF10DF58C806BDEBBA0EF04714F20C55EF558AB2E1D7B89A02CB89

Function 0047165F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00471664
lstrlenA.KERNEL32(00000000,00000000,?,?,0041281C,?,?,004EBC78,?,?,?,?,?,?,00000000,005057D0), ref: 0047168B

Strings

\VO, xrefs: 0047166B

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: H_prologlstrlen
String ID: \VO
API String ID: 2133942097-2422581269
Opcode ID: ca935107dea9d81d13e7dabbb16eb301f7598db24a061b1e39ba39513095cfc9
Instruction ID: d542f7bc7d66c7a23b97b677f53885a3f42558b3377023c90f75084e7cdcbfaf
Opcode Fuzzy Hash: ca935107dea9d81d13e7dabbb16eb301f7598db24a061b1e39ba39513095cfc9
Instruction Fuzzy Hash: EF011A71920259EFCB05DF54CC45BEEB778FB08318F10852EF416A62A0D7B4AA14CB58

Function 004716D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004716D8
lstrlenA.KERNEL32(?,?,?,?,00438AAF,?,004F2190,?), ref: 004716FF

Strings

\VO, xrefs: 004716DF

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: H_prologlstrlen
String ID: \VO
API String ID: 2133942097-2422581269
Opcode ID: bf6d714f83b775fa9c125178d7f17d48e2b3ee8d4544db423a2ba86cf05d867c
Instruction ID: 1bff26d244639c0aea2ccb8df215bdb040bf91bda4575c97149ea729dd75a3a2
Opcode Fuzzy Hash: bf6d714f83b775fa9c125178d7f17d48e2b3ee8d4544db423a2ba86cf05d867c
Instruction Fuzzy Hash: FF010C71910219EBCB05DF98C845FEE7774FB08318F10855EF416A6260D7B89A04CB54

Function 00477AA5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

SelectClipRgn.GDI32(?,00000000), ref: 00477AC7
SelectClipRgn.GDI32(?,?), ref: 00477ADD

Strings

`\A, xrefs: 00477AA5

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ClipSelect
String ID: `\A
API String ID: 4060119947-2688774508
Opcode ID: 06b51b8d0a35539911a1174ba0e1fdbdffd80f8d1274dfde723953f1898d98e6
Instruction ID: faa437b46a610acd50fec76494086bcc72a138a544a13e83142fd3d386856dad
Opcode Fuzzy Hash: 06b51b8d0a35539911a1174ba0e1fdbdffd80f8d1274dfde723953f1898d98e6
Instruction Fuzzy Hash: 4AF03077204612AB66209E59C9C0CBBA79CDF94310359C82AEE09D7214C664ED048B74

Function 0046CABD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,004629ED,?), ref: 0046CADB
GetStringTypeW.KERNEL32(?,?,00000000,)F,?,?,?,?,?,?,004629ED,?), ref: 0046CAED

Strings

)F, xrefs: 0046CAE5

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringTypeWide
String ID: )F
API String ID: 3139900361-1070133202
Opcode ID: 17efe85d00afa005840a53ffc94325bd6acabfb6b8851e07d3c38c67bca12130
Instruction ID: 2dc489e4fd365e7d0f0a1b92d6689d4fdbeb19f46853b5a05488ceb34da3ce60
Opcode Fuzzy Hash: 17efe85d00afa005840a53ffc94325bd6acabfb6b8851e07d3c38c67bca12130
Instruction Fuzzy Hash: E0F0FE36501159AFCF21CFC0DC85AEEBF72FB04360F108529FA2172160D77589659B95

Function 004199D0 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00419A61
wsprintfA.USER32 ref: 00419A7B
wsprintfA.USER32 ref: 00419A96

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: e53baf390d40236d1657f97d7af99b5c604668d13809a90b2874d4a2185e978b
Instruction ID: b0b98e4cac10e2ece0834141785c99a3cc00aaf60ef2c678ae699edb56292cf9
Opcode Fuzzy Hash: e53baf390d40236d1657f97d7af99b5c604668d13809a90b2874d4a2185e978b
Instruction Fuzzy Hash: 5531B2B15043405BC204DB65D8959AFB7E8EFC4758F400A2EF94693281EB78DE08CBAA

Function 0047ACB6 Relevance: 5.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0047AD13
LeaveCriticalSection.KERNEL32(?,?), ref: 0047AD23
LocalFree.KERNEL32(?), ref: 0047AD2C
TlsSetValue.KERNEL32(?,00000000), ref: 0047AD42

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: fd644273c7f307a0ffcf8950e43e428b1a7ccda5098349a4df74bd8a50e62122
Instruction ID: 6c8010bf763666ba20fb44a718955ca79741aca7d31deec4cd7fc69a8fa1f5b5
Opcode Fuzzy Hash: fd644273c7f307a0ffcf8950e43e428b1a7ccda5098349a4df74bd8a50e62122
Instruction Fuzzy Hash: 6B21AC31200200EFC7258F48D888BAE77B5FF85712F10886EE5068B2A1C7B9FC51CB5A

Function 00469DDA Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00469BA2,00000000,00000000,00000000,00462693,00000000,00000000,?,00000000,00000000,00000000), ref: 00469E02
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00469BA2,00000000,00000000,00000000,00462693,00000000,00000000,?,00000000,00000000,00000000), ref: 00469E36
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00469E50
HeapFree.KERNEL32(00000000,?), ref: 00469E67

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: a0f725b136460bb36cf323bef517479620b52ee3df21469fa7b09c70f0ba89c9
Instruction ID: 764ef8006c5f468928c8b252b055112af992b906e46ba553757168ce6ae6ab6f
Opcode Fuzzy Hash: a0f725b136460bb36cf323bef517479620b52ee3df21469fa7b09c70f0ba89c9
Instruction Fuzzy Hash: 0E115E712016009FC7228F18FC45D667BB5FBA4321710891FF551C65B0E3719C4ADF16

Function 0047BA85 Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0051A640,?,00000000,?,?,0047AE5E,00000010,?,00000000,?,?,?,0047A845,0047A8A8,0047A12E,0047A84B), ref: 0047BAC0
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0047AE5E,00000010,?,00000000,?,?,?,0047A845,0047A8A8,0047A12E,0047A84B), ref: 0047BAD2
LeaveCriticalSection.KERNEL32(0051A640,?,00000000,?,?,0047AE5E,00000010,?,00000000,?,?,?,0047A845,0047A8A8,0047A12E,0047A84B), ref: 0047BADB
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0047AE5E,00000010,?,00000000,?,?,?,0047A845,0047A8A8,0047A12E,0047A84B,00476126), ref: 0047BAED

Part of subcall function 0047B9F2: GetVersion.KERNEL32(?,0047BA95,?,0047AE5E,00000010,?,00000000,?,?,?,0047A845,0047A8A8,0047A12E,0047A84B,00476126,004773C2), ref: 0047BA05

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: 01aa9aade19124b3cea00fe5ff2cd721bf68ccfd6847a0ba3cf67cc248036e82
Instruction ID: 1ff7931f1da3bfeb8180eec7f2ef4101beebb9c49667dfdd82b79d79a43bd364
Opcode Fuzzy Hash: 01aa9aade19124b3cea00fe5ff2cd721bf68ccfd6847a0ba3cf67cc248036e82
Instruction Fuzzy Hash: 9CF0A47140221BDFCB12EF65EC84AD6B36DFB60315B00843BE21542111D778E98ADA99

Function 004684CB Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,00465BF9,?,00460DC5), ref: 004684D8
InitializeCriticalSection.KERNEL32(?,00465BF9,?,00460DC5), ref: 004684E0
InitializeCriticalSection.KERNEL32(?,00465BF9,?,00460DC5), ref: 004684E8
InitializeCriticalSection.KERNEL32(?,00465BF9,?,00460DC5), ref: 004684F0

Memory Dump Source

Source File: 00000002.00000002.1418523973.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1418505642.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.0000000000480000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418571960.00000000004D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418634739.00000000004E8000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418653375.00000000004EA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418670555.00000000004EB000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418689567.00000000004F5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.00000000004F9000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.0000000000505000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418706307.000000000051A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1418765234.000000000051D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_#U4ee3#U7406.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 7f7fc44961e1164cfba578e1359e8f998d32cbb71831ebf8b5216d9e8ead6d5a
Instruction ID: 4f3d349e70bd1fc45f64f6966d9e4b6a4ef094c0ceeb66d6a0274661e593c40b
Opcode Fuzzy Hash: 7f7fc44961e1164cfba578e1359e8f998d32cbb71831ebf8b5216d9e8ead6d5a
Instruction Fuzzy Hash: B3C00231A100389ACE516B55FE058593F26EB442603020072A10451034CA711C74DFD8

Analysis Process: look2.exePID: 7696, Parent PID: 7648COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	285
Total number of Limit Nodes:	16

Executed Functions

Function 004020F2 Relevance: 49.2, APIs: 17, Strings: 11, Instructions: 163
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 004020F7

Part of subcall function 00401D21: GetCommandLineA.KERNEL32(?,kinh.xmcxmr.com,00000458), ref: 00401D54

wsprintfA.USER32 ref: 00402153
CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 00402167
GetLastError.KERNEL32 ref: 00402170
CloseHandle.KERNEL32(00000000), ref: 00402186
ExpandEnvironmentStringsA.KERNEL32(%SystemRoot%\system32\,?,00000104), ref: 004021A4
GetFileAttributesA.KERNEL32(?,?), ref: 0040220D
ExpandEnvironmentStringsA.KERNEL32(%Temp%\,?,00000104), ref: 00402225
GetTickCount.KERNEL32 ref: 00402227
wsprintfA.USER32 ref: 00402247
LoadLibraryA.KERNELBASE(?), ref: 00402267
GetProcAddress.KERNEL32(00000000,MainThread), ref: 00402288
DeleteFileA.KERNEL32(?), ref: 00402297
GetProcAddress.KERNEL32(00000000,Install), ref: 004022A5
wsprintfA.USER32 ref: 004022CF
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004022F5
FreeLibrary.KERNELBASE(?), ref: 004022FE

Strings

svchcst, xrefs: 0040213B
kinh.xmcxmr.com, xrefs: 0040210F, 00402117, 00402123, 0040214C
"%s",MainThread, xrefs: 004022C9
MainThread, xrefs: 00402282
Install, xrefs: 0040229F
%SystemRoot%\system32\, xrefs: 0040219F
%s:%d:%s, xrefs: 0040214D
%Temp%\, xrefs: 00402220
%s%d.bat, xrefs: 00402241
rundll32.exe, xrefs: 004022DD
open, xrefs: 004022E2

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: Filewsprintf$AddressEnvironmentExpandLibraryProcStrings$AttributesCloseCommandCountCreateDeleteErrorFreeH_prologHandleLastLineLoadMoveMutexTick
String ID: "%s",MainThread$%SystemRoot%\system32\$%Temp%\$%s%d.bat$%s:%d:%s$Install$MainThread$kinh.xmcxmr.com$open$rundll32.exe$svchcst
API String ID: 257601923-1586354655
Opcode ID: 5f648a773d603a6aeff2806bd0974a3f6d7f380e9a8df7a5a8c895d7b1df6949
Instruction ID: 5d7dcedb8153f61fd942b4d46a4edae1349ef5c03a613b66aa2a42c1be64b2cd
Opcode Fuzzy Hash: 5f648a773d603a6aeff2806bd0974a3f6d7f380e9a8df7a5a8c895d7b1df6949
Instruction Fuzzy Hash: 37518F71900218ABDB25ABA1DD89EEF777CBF44304F4001BAF605F21D1DB789A458FA9

Function 0042EFFF Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00454218,004540C0,00000100,!@,004541FC,004541FC,0042F2A8,?,00000100,0042EE17,0042D502,0041FB59,00000100,0041FAF2,!@,?), ref: 0042F00E
GlobalAlloc.KERNELBASE(00002002,00000000,!@,?,00000100,0042EE17,0042D502,0041FB59,00000100,0041FAF2,!@,?,00000100,?,?), ref: 0042F063
GlobalHandle.KERNEL32(006325C0), ref: 0042F06C
GlobalUnlock.KERNEL32(00000000), ref: 0042F075
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 0042F087
GlobalHandle.KERNEL32(006325C0), ref: 0042F09E
GlobalLock.KERNEL32(00000000), ref: 0042F0A5
LeaveCriticalSection.KERNEL32(?,?,00000100,0042EE17,0042D502,0041FB59,00000100,0041FAF2,!@,?,00000100,?,?), ref: 0042F0AB
GlobalLock.KERNEL32(?), ref: 0042F0BA
LeaveCriticalSection.KERNEL32(?,?,?), ref: 0042F103

Strings

!@, xrefs: 0042F055
!@, xrefs: 0042F001

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID: !@$!@
API String ID: 2667261700-740718224
Opcode ID: 098847425a676799355a27391d09094d27e98224197783b73840aaa79e1fccc5
Instruction ID: 1a134948075b3ef4c12703b1b5943ba3c26e82e5cc25974ba4d6318aeb358564
Opcode Fuzzy Hash: 098847425a676799355a27391d09094d27e98224197783b73840aaa79e1fccc5
Instruction Fuzzy Hash: 223180752007059FDB249F28EC89A6AB7F8FB84305B404A3EF852C3662E775F9498B14

Function 00401AAE Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 85
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32(?,?,?,?,75A38400,80000002,00000000), ref: 00401AED
wsprintfA.USER32 ref: 00401B16
lstrcpyA.KERNEL32(0044DF80,00000000), ref: 00401B6B

Strings

%4d-%.2d-%.2d %.2d:%.2d, xrefs: 00401B0C
kinh.xmcxmr.com, xrefs: 00401B28
2024-11-21 03:40, xrefs: 00401B11

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: LocalTimelstrcpywsprintf
String ID: %4d-%.2d-%.2d %.2d:%.2d$2024-11-21 03:40$kinh.xmcxmr.com
API String ID: 3871240451-1442559968
Opcode ID: fba96d34ee47eef86a4be669fe4e61190d887298eaac3ad5a0476fc67a3859f8
Instruction ID: aada652e1d41f3351531325a79c1a4dff71f0cd1773ba7ca89e3baf48a56e0ab
Opcode Fuzzy Hash: fba96d34ee47eef86a4be669fe4e61190d887298eaac3ad5a0476fc67a3859f8
Instruction Fuzzy Hash: 9E21B3A2A402147AEB10A7E28C4AFEB37AC9F45715F00047BFA09B21D1EA3D9941C77D

Function 0041FA77 Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 0041FA84
GetSystemMetrics.USER32(0000000C), ref: 0041FA8B
GetDC.USER32(00000000), ref: 0041FAA4
GetDeviceCaps.GDI32(00000000,00000058), ref: 0041FAB5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041FABD
ReleaseDC.USER32(00000000,00000000), ref: 0041FAC5

Part of subcall function 0042F489: GetSystemMetrics.USER32(00000002), ref: 0042F49B
Part of subcall function 0042F489: GetSystemMetrics.USER32(00000003), ref: 0042F4A5

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: ee63e318037f6f51dbb1f692778a7d58b7f9b8a48d16266dad5152c1c354cd67
Instruction ID: 25ee367f1de250752158a8579bdf5a166f246b04e59f62f292f49ff813c08f0c
Opcode Fuzzy Hash: ee63e318037f6f51dbb1f692778a7d58b7f9b8a48d16266dad5152c1c354cd67
Instruction Fuzzy Hash: CBF0B435640700AFE2206BB29C49F5777B4EFD0752F11453FE60546290CAB8A8498FA9

Function 0042F469 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,?,?,0042F464), ref: 0042F4E0
GetProcessVersion.KERNELBASE(00000000,?,?,?,0042F464), ref: 0042F51D
LoadCursorA.USER32(00000000,00007F02), ref: 0042F54B
LoadCursorA.USER32(00000000,00007F00), ref: 0042F556

Strings

0DE, xrefs: 0042F469

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: CursorLoadVersion$Process
String ID: 0DE
API String ID: 2246821583-1233716124
Opcode ID: ab16a2b3afd4cd1b4c7e856091d9ceeea21ac5e27a883bd0de3a3656eb6cac8b
Instruction ID: a9d71c6fe3e927353179423b7064376f64feb01009672ef156977568e25c4602
Opcode Fuzzy Hash: ab16a2b3afd4cd1b4c7e856091d9ceeea21ac5e27a883bd0de3a3656eb6cac8b
Instruction Fuzzy Hash: 71118FB1A00B508FD724DF3A998466ABBE5FF887057404D3FE18BC6B50D778A445CB54

Function 0040AB70 Relevance: 6.1, APIs: 4, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 0040AB96

Part of subcall function 0040D906: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040ABCE,00000001), ref: 0040D917
Part of subcall function 0040D906: HeapDestroy.KERNEL32 ref: 0040D956

GetCommandLineA.KERNEL32 ref: 0040ABF6
GetStartupInfoA.KERNEL32(?), ref: 0040AC21
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040AC44

Part of subcall function 0040AC9D: ExitProcess.KERNEL32 ref: 0040ACBA

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 1cb1fdbc09b28400fd379be09374161b8d38fc97b9f046c64e1b7ba198244bf9
Instruction ID: 4e60150630a16c5719749b4abb308ae7f1db03ba93a828d33c039877af9c0485
Opcode Fuzzy Hash: 1cb1fdbc09b28400fd379be09374161b8d38fc97b9f046c64e1b7ba198244bf9
Instruction Fuzzy Hash: CB2193B1840709AFDB04AFA6DC09A6E7BB8AF44744F10053FF501BA2D1DB388450CB59

Function 0040AE2F Relevance: 4.6, APIs: 3, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0040AE1A,?,00000000,00000000,0040AC59,00000000,00000000), ref: 0040AE44
TerminateProcess.KERNEL32(00000000,?,0040AE1A,?,00000000,00000000,0040AC59,00000000,00000000), ref: 0040AE4B
ExitProcess.KERNEL32 ref: 0040AECC

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e0c3b4a8a4af9a85aad23f7cfe8d35688fd5e2ba26a6faaf5be03714e3bab740
Instruction ID: e987e20b2b74d6441040e306482e48ec04ae606b887794da4c04455d8f96bcb2
Opcode Fuzzy Hash: e0c3b4a8a4af9a85aad23f7cfe8d35688fd5e2ba26a6faaf5be03714e3bab740
Instruction Fuzzy Hash: BB01C831584300AFEB21AF65FC8566B77A4ABD0356710043FF544661E1DB78A8D0C69F

Function 004017AA Relevance: 4.5, APIs: 3, Instructions: 31
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00000458,00000000,?,00401B8D,00000001,00441158,?,00000458), ref: 004017C0
WriteFile.KERNELBASE(00000000,00441158,0000CC00,?,00000000,?,00401B8D,00000001,00441158,?,00000458), ref: 004017D8
CloseHandle.KERNEL32(00000000,?,00401B8D,00000001,00441158,?,00000458), ref: 004017E5

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 96a56e667dd384a7afec03a3ae8fa3c3aa587876dbaf786fb5fcf65a3f43113d
Instruction ID: 51156494b9f89566f41b380f3ff552d8a5d36dc05546ce33f629bed432926409
Opcode Fuzzy Hash: 96a56e667dd384a7afec03a3ae8fa3c3aa587876dbaf786fb5fcf65a3f43113d
Instruction Fuzzy Hash: 8FE0DFB13812187FFB202B91ACCAFE77B5CEB017D8F000032FE09A7290C6616C0086B8

Function 0040D906 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0040ABCE,00000001), ref: 0040D917

Part of subcall function 0040D7BE: GetVersionExA.KERNEL32 ref: 0040D7DD

HeapDestroy.KERNEL32 ref: 0040D956

Part of subcall function 0040D963: HeapAlloc.KERNEL32(00000000,00000140,0040D93F,000003F8), ref: 0040D970

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: d9f2ef4fffe6ea09ea837f107cbe9947e0590daf83edb832b132a38daf13a15c
Instruction ID: 0bc681230d3be9cc1c487b5691e394fedbd9d5fb1d565f7a72930b142be50153
Opcode Fuzzy Hash: d9f2ef4fffe6ea09ea837f107cbe9947e0590daf83edb832b132a38daf13a15c
Instruction Fuzzy Hash: 45F09BB0E153029ADF202FB15C4577A3A94AB50766F140437F401E92E6EB78C9C4E70D

Function 00401958 Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(00000001,00401BA0,00000001), ref: 0040195C
GetLastError.KERNEL32 ref: 00401967

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 561b67daf40a350f98f661a2b3e73128ac8e3a90678803e90c6b4a03d47ef4fd
Instruction ID: 0d531cab702acc615b5baff349756b9bcff41b0ae92af3546a2bee5483639887
Opcode Fuzzy Hash: 561b67daf40a350f98f661a2b3e73128ac8e3a90678803e90c6b4a03d47ef4fd
Instruction Fuzzy Hash: ADC08CB120000066DA600730BC59ACB3623AF92332F200B35F132C00F0CB309C80F508

Function 0040A47A Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0040A561

Part of subcall function 0040EBA0: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0040C8D3,00000009,00000000,00000000,00000001,0040D698,00000001,00000074,?,?,00000000,00000001), ref: 0040EBDD
Part of subcall function 0040EBA0: EnterCriticalSection.KERNEL32(?,?,?,0040C8D3,00000009,00000000,00000000,00000001,0040D698,00000001,00000074,?,?,00000000,00000001), ref: 0040EBF8

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 6b175af447c32cc6e44918429516408e452d3da64828247e352536b495abacea
Instruction ID: 8a81674eba5a4b9668df92cf3328c3355dc5fb2609b64302b04ab97f79e5e143
Opcode Fuzzy Hash: 6b175af447c32cc6e44918429516408e452d3da64828247e352536b495abacea
Instruction Fuzzy Hash: 13218332A00714BBDB10EB699C42B9EB764FB00764F14463BF411FB2D1C77CA951965E

Non-executed Functions

Function 00421104 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00421109
GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?,?,?), ref: 00421170
GetFileTime.KERNEL32(?,?,?,?,?), ref: 00421203
SetFileTime.KERNEL32(?,?,?,?), ref: 0042122E
GetFileSecurityA.ADVAPI32(?,00000004,00000000,00000000,?), ref: 00421248
GetFileSecurityA.ADVAPI32(?,00000004,00000000,?,?), ref: 00421266
SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00421271

Part of subcall function 0041E442: lstrcpynA.KERNEL32(00000000,?,00000104,?,?), ref: 0041E469

Strings

DD, xrefs: 00421144

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: File$Security$Time$DiskFreeH_prologSpacelstrcpyn
String ID: DD
API String ID: 726943650-194360491
Opcode ID: b12fce8f5da00e8820a2a92695b6d609eb8bc618c05d7bf0a0161683110dedb6
Instruction ID: bf0b7279e5369f8b1299b7476def8ccf701e92b392c6c18445cb1e03e42ede84
Opcode Fuzzy Hash: b12fce8f5da00e8820a2a92695b6d609eb8bc618c05d7bf0a0161683110dedb6
Instruction Fuzzy Hash: 65514D72A00119AFDF01EFA1DD85EEEBBBDFF08344F00402AF915A61A1DB349A54CB64

Function 0042B17A Relevance: 10.6, APIs: 7, Instructions: 67windowkeyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0042B18B
GetKeyState.USER32(00000010), ref: 0042B19B
GetFocus.USER32 ref: 0042B1AB
GetDesktopWindow.USER32 ref: 0042B1B3
SendMessageA.USER32(?,0000020A,?,?), ref: 0042B1D7
SendMessageA.USER32(00000000,0000020A,?,?), ref: 0042B1F6
GetParent.USER32(00000000), ref: 0042B1FF

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: MessageSendState$DesktopFocusParentWindow
String ID:
API String ID: 4150626516-0
Opcode ID: 6bb3ab0aa938db4f1c2e67b5a664b0027ace542446627be524c3789b6ab52d10
Instruction ID: e36b63b1a2dab582ae4618b4020a24e79d6deebe97d59e682bd4ec38e6b1128a
Opcode Fuzzy Hash: 6bb3ab0aa938db4f1c2e67b5a664b0027ace542446627be524c3789b6ab52d10
Instruction Fuzzy Hash: C511E332B00324BFEB001BA5AC48EBA7BA8EB547E0F510537FA41D7241D7B4AD5196F8

Function 0042B165 Relevance: 7.6, APIs: 5, Instructions: 52keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0042B18B
GetKeyState.USER32(00000010), ref: 0042B19B
GetFocus.USER32 ref: 0042B1AB
GetDesktopWindow.USER32 ref: 0042B1B3
SendMessageA.USER32(?,0000020A,?,?), ref: 0042B1D7

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: State$DesktopFocusMessageSendWindow
String ID:
API String ID: 2814764316-0
Opcode ID: da8259600469277c80a9c770a9401a3e868c4831f23239d9874a5b9b050f103a
Instruction ID: 975ee90d7c77537f4dbaed89e4cad44ed4bb3c407fba807930581d5e600200b9
Opcode Fuzzy Hash: da8259600469277c80a9c770a9401a3e868c4831f23239d9874a5b9b050f103a
Instruction Fuzzy Hash: 4601D875B00314AFEB001A94AC55FB47B98DB507E4F500537EA42D7181D7A8AC5296A8

Function 0042C074 Relevance: 53.0, APIs: 28, Strings: 2, Instructions: 479COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042C079
GetWindowRect.USER32(?,?), ref: 0042C0BD
OffsetRect.USER32(?,?,?), ref: 0042C0D3
GetSysColor.USER32(00000006), ref: 0042C0F0
CreateSolidBrush.GDI32(00000000), ref: 0042C0F9
GetSysColor.USER32(?), ref: 0042C120
CreateSolidBrush.GDI32(00000000), ref: 0042C123
GetSysColor.USER32(?), ref: 0042C14A
CreateSolidBrush.GDI32(00000000), ref: 0042C14D
GetSystemMetrics.USER32(00000006), ref: 0042C160
GetSystemMetrics.USER32(00000005), ref: 0042C167
GetSystemMetrics.USER32(00000021), ref: 0042C16E
GetSystemMetrics.USER32(00000020), ref: 0042C174
InflateRect.USER32(?,?,?), ref: 0042C1AC

Strings

DD, xrefs: 0042C382
teC, xrefs: 0042C0DC

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: MetricsSystem$BrushColorCreateRectSolid$H_prologInflateOffsetWindow
String ID: DD$teC
API String ID: 1266645593-1768605486
Opcode ID: 3ddc5f23da503b7c7cdf8104d98daf19e79463584090ffc96435a5e92cf910e5
Instruction ID: 0d2fadb070d88655ca329136d3d9c15b0ea3d91ed83fde05bff45e1595fef0de
Opcode Fuzzy Hash: 3ddc5f23da503b7c7cdf8104d98daf19e79463584090ffc96435a5e92cf910e5
Instruction Fuzzy Hash: B3022A72E00229AFCF10DBE4DD85EEEBBB9AF48704F14411AE501F7291DB74AA45CB64

Function 00430126 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 47registryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(Native), ref: 00430144
RegisterClipboardFormatA.USER32(OwnerLink), ref: 0043014D
RegisterClipboardFormatA.USER32(ObjectLink), ref: 00430157
RegisterClipboardFormatA.USER32(Embedded Object), ref: 00430161
RegisterClipboardFormatA.USER32(Embed Source), ref: 0043016B
RegisterClipboardFormatA.USER32(Link Source), ref: 00430175
RegisterClipboardFormatA.USER32(Object Descriptor), ref: 0043017F
RegisterClipboardFormatA.USER32(Link Source Descriptor), ref: 00430189
RegisterClipboardFormatA.USER32(FileName), ref: 00430193
RegisterClipboardFormatA.USER32(FileNameW), ref: 0043019D
RegisterClipboardFormatA.USER32(Rich Text Format), ref: 004301A7
RegisterClipboardFormatA.USER32(RichEdit Text and Objects), ref: 004301B1

Strings

FileNameW, xrefs: 00430195
RichEdit Text and Objects, xrefs: 004301A9
ObjectLink, xrefs: 0043014F
Embed Source, xrefs: 00430163
Object Descriptor, xrefs: 00430177
Link Source, xrefs: 0043016D
Native, xrefs: 0043013F
Link Source Descriptor, xrefs: 00430181
Embedded Object, xrefs: 00430159
OwnerLink, xrefs: 00430146
Rich Text Format, xrefs: 0043019F
FileName, xrefs: 0043018B

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: c701336221758a48e27b5f8c6fd3d839f24fb0845f284f4a91e3dc8eeea9ee5e
Instruction ID: de8b3575df22b96577828d073298370b646079c3a8cbd2f6e3c954f187013f03
Opcode Fuzzy Hash: c701336221758a48e27b5f8c6fd3d839f24fb0845f284f4a91e3dc8eeea9ee5e
Instruction Fuzzy Hash: 87017D70A407455ACF306F769C0990BFAE0EEC9B107216D2FF18587650EABC9406CF4C

Function 004240DB Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000800,?,00000800,?,00000000,?,00000800), ref: 004240EA
LockResource.KERNEL32(00000000,?,00000800), ref: 004240F5
GetSysColor.USER32 ref: 00424177
GetSysColor.USER32(00000000), ref: 00424185
GetSysColor.USER32(00000000), ref: 00424195
GetDC.USER32(00000000), ref: 004241BB
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004241C7
CreateCompatibleDC.GDI32(00000000), ref: 004241D7
SelectObject.GDI32(00000000,00000000), ref: 004241E9
StretchDIBits.GDI32(00000000,00000000,00000000,00000800,00000000,00000000,00000000,00000800,00000000,?,00000000,00000000,00CC0020), ref: 00424218
SelectObject.GDI32(00000000,00000000), ref: 00424222
DeleteDC.GDI32(00000000), ref: 00424225
ReleaseDC.USER32(00000000,00000000), ref: 00424230

Strings

DllGetVersion, xrefs: 00424144

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: Color$CompatibleCreateObjectResourceSelect$BitmapBitsDeleteLoadLockReleaseStretch
String ID: DllGetVersion
API String ID: 257281507-2861820592
Opcode ID: 2d36c35b7b1c0a563e332d6119bbabf4ca2530dcf855e9999793eabb764456e1
Instruction ID: 65ff7add9e3ef6c87f47ea79ae47ffcadb3f1f9fbf0d8d47f6849ba9d815834a
Opcode Fuzzy Hash: 2d36c35b7b1c0a563e332d6119bbabf4ca2530dcf855e9999793eabb764456e1
Instruction Fuzzy Hash: 8B410572600215FFDB118F64EC88AEF7BB5FFC9350B118029F905972A0C738A961DB68

Function 0042D140 Relevance: 18.1, APIs: 7, Strings: 5, Instructions: 66stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(00000000,00434FB4,?,?,?,?,0042D12A,00000000), ref: 0042D156
lstrcmpA.KERNEL32(00000000,00434FB0,?,?,?,?,0042D12A,00000000), ref: 0042D16E

Strings

Unregister, xrefs: 0042D183
dde, xrefs: 0042D19B
Unregserver, xrefs: 0042D18F
Automation, xrefs: 0042D1D1
Embedding, xrefs: 0042D1B6

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: lstrcmp
String ID: Automation$Embedding$Unregister$Unregserver$dde
API String ID: 1534048567-1842294661
Opcode ID: 9d940cbe8ef830cf0c560c18d9049f1b4d254298edeabbebbf6c7cc9c5f7e340
Instruction ID: ac2968ce1de11b8cb94c513a877dc3dfe4e0a0583414e41a2695cd8cc802a55b
Opcode Fuzzy Hash: 9d940cbe8ef830cf0c560c18d9049f1b4d254298edeabbebbf6c7cc9c5f7e340
Instruction Fuzzy Hash: AE1129F17043126AD7206B71AC05F7376EC9FA4788F51591BB00292981DBFCF410876D

Function 004150C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00455CA0,?,0041451F), ref: 004150C6
GlobalDeleteAtom.KERNEL32(00000000), ref: 00415102
GlobalDeleteAtom.KERNEL32(00000000), ref: 0041511D
GlobalDeleteAtom.KERNEL32(00000000), ref: 00415130
GlobalDeleteAtom.KERNEL32(00000000), ref: 00415143
GlobalDeleteAtom.KERNEL32(00000000), ref: 00415156
GlobalDeleteAtom.KERNEL32(00000000), ref: 00415169
GlobalDeleteAtom.KERNEL32(00000000), ref: 0041517C
LeaveCriticalSection.KERNEL32(00455CA0,?,0041451F), ref: 0041518D

Strings

gE, xrefs: 004150CC

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: AtomDeleteGlobal$CriticalSection$EnterLeave
String ID: gE
API String ID: 3843206905-3943094157
Opcode ID: cee0cc74e34eaa18c53a0a96b827e47d2bc57b488168c074401dc6be78415e6d
Instruction ID: bd524ed03294e6ee963bc13494c5d852958be8c899209323a2681d6492b0e3dd
Opcode Fuzzy Hash: cee0cc74e34eaa18c53a0a96b827e47d2bc57b488168c074401dc6be78415e6d
Instruction Fuzzy Hash: A8114C69C00F11E5C7136BA4EC1C3FA2AB4B748306F544022E420977B2EBBC98C5CBAC

Function 00417010 Relevance: 16.6, APIs: 11, Instructions: 140windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0041701E
GetClientRect.USER32(?,?), ref: 00417039
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0041706B
SelectObject.GDI32(?,00000000), ref: 00417079
SetBkMode.GDI32(?,00000002), ref: 0041708A
GetParent.USER32(?), ref: 00417098
SendMessageA.USER32(00000000), ref: 0041709F
SelectObject.GDI32(?,00000000), ref: 004170A9
SelectObject.GDI32(?,00000000), ref: 004170CB
SelectObject.GDI32(?,00000000), ref: 004170DB
OffsetRect.USER32(?,000000FF,000000FF), ref: 00417132

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: ObjectSelect$MessageRectSend$ClientLongModeOffsetParentWindow
String ID:
API String ID: 3606012576-0
Opcode ID: 52cb36dd7ec1598d403ffa0ea9eb1c816150ff7fbc5e9de84f9ffa0664250cf6
Instruction ID: c7e8f003bc16a1e3d2b43c246ec8b779bdfa85bad0c2b0da56ccf5602d71032f
Opcode Fuzzy Hash: 52cb36dd7ec1598d403ffa0ea9eb1c816150ff7fbc5e9de84f9ffa0664250cf6
Instruction Fuzzy Hash: 554119722483057BD210AB94AC46FFF777CEBC5B14F44012AFB0196282D7A9E94587BA

Function 0042510F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 209windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,0000F000), ref: 00425127
EqualRect.USER32(0000F000,?), ref: 00425144

Part of subcall function 0041A9D5: SetWindowPos.USER32(?,?,000000F9,00000800,?,00000000,?,?,004252AE,00000000,00000002,00000002,00000000,00000000,00000115,?), ref: 0041A9FC

IsWindowVisible.USER32(?), ref: 004251CD
CopyRect.USER32(00000080,?), ref: 004251FF
GetParent.USER32(?), ref: 004252B1
SetParent.USER32(?,?), ref: 004252D0

Strings

@, xrefs: 00425161
4(@P, xrefs: 0042521E, 00425249

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: RectWindow$Parent$CopyEqualVisible
String ID: 4(@P$@
API String ID: 3103310903-2936297062
Opcode ID: 4d38686095e1cb7416a51bc79a054498187f8d047c9e187b88ffcd456fc680ab
Instruction ID: e0c1d024d0882c1e8d4b120b4ca72821bb4324857222dc4d1a2201c03750fdc1
Opcode Fuzzy Hash: 4d38686095e1cb7416a51bc79a054498187f8d047c9e187b88ffcd456fc680ab
Instruction Fuzzy Hash: E261C031A00A15EFCF10DF65EC85ABF7BB9AF84314F50052AF916E6291CB38A941CB54

Function 0042F16E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 85memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(004541FC,004540C0,00000000,!@,004541FC,!@,0042F2E4,004540C0,00000000,?,00000100,0042EE17,0042D502,0041FB59,00000100,0041FAF2), ref: 0042F179
EnterCriticalSection.KERNEL32(00454218,00000010,?,00000100,0042EE17,0042D502,0041FB59,00000100,0041FAF2,!@,?,00000100,?,?), ref: 0042F1C8
LeaveCriticalSection.KERNEL32(00454218,00000000,?,00000100,0042EE17,0042D502,0041FB59,00000100,0041FAF2,!@,?,00000100,?,?), ref: 0042F1DB
LocalAlloc.KERNEL32(00000000,00000003,?,00000100,0042EE17,0042D502,0041FB59,00000100,0041FAF2,!@,?,00000100,?,?), ref: 0042F1F1
LocalReAlloc.KERNEL32(?,00000003,00000002,?,00000100,0042EE17,0042D502,0041FB59,00000100,0041FAF2,!@,?,00000100,?,?), ref: 0042F203
TlsSetValue.KERNEL32(004541FC,00000000,00000100,?,?), ref: 0042F23F

Strings

!@, xrefs: 0042F172
!@, xrefs: 0042F16E

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID: !@$!@
API String ID: 4117633390-740718224
Opcode ID: 25faaa94b2b3643953fdde55dbb543869867de0602f0b7001dd0e68a52cf309a
Instruction ID: a4e716fd85a0ba00664651dc9fea03eee9ba41a9ab3df599747ccfbbf63b1fcd
Opcode Fuzzy Hash: 25faaa94b2b3643953fdde55dbb543869867de0602f0b7001dd0e68a52cf309a
Instruction Fuzzy Hash: 0431DA35200615EFDB24CF15E889FA6B7B8FB85354F80C53AE41687280EB74F919CB64

Function 00414160 Relevance: 10.6, APIs: 7, Instructions: 109COMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?), ref: 0041417D
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004141CA
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004141F9
SetBkColor.GDI32(?,?), ref: 00414217
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00414242
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041427C
SetBkColor.GDI32(?,00000000), ref: 00414284

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: Text$Color
String ID:
API String ID: 3751486306-0
Opcode ID: 143eea28ac6abe26819acf3eac33c26e60b1747a48124b06424391830207ed27
Instruction ID: 8fe4f6ac348b59a6160b8fb8d5478df766050dc7ef2c54252ef710796752a18b
Opcode Fuzzy Hash: 143eea28ac6abe26819acf3eac33c26e60b1747a48124b06424391830207ed27
Instruction Fuzzy Hash: 79417C70244301AFE320DF14DC86F6AB7E4FB84B40F144859FA549A2D1D7B5F949CB6A

Function 00409055 Relevance: 10.6, APIs: 7, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000002), ref: 00409070
GetParent.USER32(?), ref: 00409083

Part of subcall function 00408FFC: GetWindowLongA.USER32(?,000000F0), ref: 00409014
Part of subcall function 00408FFC: GetParent.USER32(?), ref: 0040902D
Part of subcall function 00408FFC: GetWindowLongA.USER32(?,000000EC), ref: 00409040

GetWindow.USER32(?,00000002), ref: 004090A6
GetWindow.USER32(?,00000002), ref: 004090B8
GetWindowLongA.USER32(?,000000EC), ref: 004090C8
IsWindowVisible.USER32(?), ref: 004090E1
GetTopWindow.USER32(?), ref: 00409107

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: Window$Long$Parent$Visible
String ID:
API String ID: 3473418232-0
Opcode ID: 1c759e58b1649239635668cbe97ca2de7164fc0e72aa4ce957cc693d4f986d59
Instruction ID: 4f9ebac0ce8c07dc3deee157a9b6651a5f7f8985a7d496d2f1557e4cf606d09b
Opcode Fuzzy Hash: 1c759e58b1649239635668cbe97ca2de7164fc0e72aa4ce957cc693d4f986d59
Instruction Fuzzy Hash: 3621A4317007256BE7316A759C09FAB769C9F84350F05493AF951FB2D2C739EC1187A8

Function 00429092 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 25registryclipboardCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0042909F
GetVersion.KERNEL32 ref: 004290AA
GetVersion.KERNEL32 ref: 004290B2
GetVersion.KERNEL32 ref: 004290B8
RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 004290C5

Strings

MSWHEEL_ROLLMSG, xrefs: 004290C0

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: Version$ClipboardFormatRegister
String ID: MSWHEEL_ROLLMSG
API String ID: 2888461884-2485103130
Opcode ID: 809ad23b70c0cc5ae4bd98d3052204a777f746112d4972b9bfc993748f9b30fe
Instruction ID: fe64e054aeb5c5e4204fdd222b61cabddda66750ee09fa6b7045f49638103523
Opcode Fuzzy Hash: 809ad23b70c0cc5ae4bd98d3052204a777f746112d4972b9bfc993748f9b30fe
Instruction Fuzzy Hash: 1BE08037A0023A56D7112778BC0177635988BAC3A1FE9003BD901D3254566C5C838A7E

Function 0042105E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00421063
GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00421096
GetTempFileNameA.KERNEL32(00000105,MFC,00000000,00000000,00000105), ref: 004210BC

Part of subcall function 0041ED11: lstrlenA.KERNEL32(?,00000100,0041FB45,000000FF,?,00000000,000000FF,00000100,!@,!@,?,00000100,?,?), ref: 0041ED24

Part of subcall function 0041E038: DeleteFileA.KERNEL32(?), ref: 0041E03C
Part of subcall function 0041E038: GetLastError.KERNEL32(00000000), ref: 0041E047

Strings

MFC, xrefs: 004210B6
DD, xrefs: 0042106E

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: FileName$DeleteErrorFullH_prologLastPathTemplstrlen
String ID: DD$MFC
API String ID: 501224598-4235816528
Opcode ID: 6f0bd91c69ac536005dc40a0cd9df38c5ab5fbe11ddec5e22ddeb6592ffb08d9
Instruction ID: b7b423d4066e0e42f38e23701d8de6534b43f0a966a8ee769da90b4e7dbbfebd
Opcode Fuzzy Hash: 6f0bd91c69ac536005dc40a0cd9df38c5ab5fbe11ddec5e22ddeb6592ffb08d9
Instruction Fuzzy Hash: 5A118CB5900219EFCF00EFA5CC819EEBB78FB08314F40456AF921A7290DB789A44CB94

Function 0041E098 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041E09D

Part of subcall function 0041E135: wsprintfA.USER32 ref: 0041E185

Part of subcall function 0041E1A4: RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 0041E1C5
Part of subcall function 0041E1A4: RegOpenKeyA.ADVAPI32(?,?,00000001), ref: 0041E1D9
Part of subcall function 0041E1A4: RegOpenKeyA.ADVAPI32(00000001,InProcServer32,?), ref: 0041E1F4
Part of subcall function 0041E1A4: RegQueryValueExA.ADVAPI32(?,00436190,00000000,?,00000000,?,00000104), ref: 0041E21D
Part of subcall function 0041E1A4: RegCloseKey.ADVAPI32(?,000000FF), ref: 0041E23B
Part of subcall function 0041E1A4: RegCloseKey.ADVAPI32(00000001), ref: 0041E240
Part of subcall function 0041E1A4: RegCloseKey.ADVAPI32(?), ref: 0041E245

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,0041E06F,?,00439220,00000000), ref: 0041E0E0
GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 0041E0F0

Strings

DllGetClassObject, xrefs: 0041E0EA
DD, xrefs: 0041E0B6

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: CloseOpen$AddressH_prologLibraryLoadProcQueryValuewsprintf
String ID: DllGetClassObject$DD
API String ID: 821125782-2963330934
Opcode ID: 9148ce0098ccf80584cf19e90e512ff166df046f081a61387f4e7e8edd3d6f21
Instruction ID: 2e55f8a243d6812df1a3d971d12a3b42bd95ed2042a3f576b1ad41a6136cc526
Opcode Fuzzy Hash: 9148ce0098ccf80584cf19e90e512ff166df046f081a61387f4e7e8edd3d6f21
Instruction Fuzzy Hash: 82115E3591025AABCF11EF52CC05BEE7B78BF04354F10456AFC11A31A1D7789A50DB58

Function 0041F153 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 0041F16F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 0041F1C2
GlobalUnlock.KERNEL32(?), ref: 0041F259

Strings

@, xrefs: 0041F1AC

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: Global$ByteCharLockMultiUnlockWide
String ID: @
API String ID: 231414890-2766056989
Opcode ID: f49e28b08f989b91c9164d6729214be4e1c2409d13b3296e688fde8bef530f78
Instruction ID: cd37ece3ce6020cea2285b19addd882ee18e5ad5c3cb976ee60b2ceafbf1fff2
Opcode Fuzzy Hash: f49e28b08f989b91c9164d6729214be4e1c2409d13b3296e688fde8bef530f78
Instruction Fuzzy Hash: 7841C876800205EBCB11DF94C8419EF7BB4FF44354B14817AE815AB294D3399E8BCB98

Function 0042A15F Relevance: 6.0, APIs: 4, Instructions: 43fileCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 0042A16E
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 0042A189
DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 0042A1AB
DragFinish.SHELL32(?), ref: 0042A1C4

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: 4cd287a8c855992615870ea2b7974c82dac590508f08ee5ae92fc0dd08fcca46
Instruction ID: 108b5619dc16aecb212f131e3c56ec81a65b44d26c62b69662b82c5c41f34d9e
Opcode Fuzzy Hash: 4cd287a8c855992615870ea2b7974c82dac590508f08ee5ae92fc0dd08fcca46
Instruction Fuzzy Hash: 2D016271600118BFDB01AFA4DC84CEE7B7DEF44368B114166F55597061CB74AD91CB64

Function 0041D101 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 0041D13F
SetBkColor.GDI32(00000000,00000000), ref: 0041D14B
GetSysColor.USER32(00000008), ref: 0041D15B
SetTextColor.GDI32(00000000,?), ref: 0041D165

Part of subcall function 00422B07: GetWindowLongA.USER32(00000000,000000F0), ref: 00422B18

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: 864d072a8f80cd4b2d0686846c315ff497bd32117a5c2fd3526d8f5ddf559190
Instruction ID: 1e797d0ee0013cf17687fc1d9566e62d98bbe7ce0821cd40f344347b27655da1
Opcode Fuzzy Hash: 864d072a8f80cd4b2d0686846c315ff497bd32117a5c2fd3526d8f5ddf559190
Instruction Fuzzy Hash: B60146B4900218BBDF219F64EC89AEB3B79AB10350F104622FA01C42F0C778DDD0DAA9

Function 00423113 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00423118
lstrcmpiA.KERNEL32(00000000,?), ref: 00423191

Part of subcall function 0041E508: lstrcmpiA.KERNEL32(?,?), ref: 0041E51B
Part of subcall function 0041E508: GetSystemMetrics.USER32(0000002A), ref: 0041E52B
Part of subcall function 0041E508: lstrlenA.KERNEL32(?), ref: 0041E540
Part of subcall function 0041E508: lstrlenA.KERNEL32(?), ref: 0041E547
Part of subcall function 0041E508: GetThreadLocale.KERNEL32 ref: 0041E54D
Part of subcall function 0041E508: GetStringTypeA.KERNEL32(00000000,00000001,?,000000FF,?), ref: 0041E568
Part of subcall function 0041E508: GetStringTypeA.KERNEL32(00000000,00000004,?,000000FF,?), ref: 0041E577
Part of subcall function 0041E508: GetStringTypeA.KERNEL32(00000000,00000001,?,000000FF,?), ref: 0041E588

Strings

DD, xrefs: 00423157

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: StringType$lstrcmpilstrlen$H_prologLocaleMetricsSystemThread
String ID: DD
API String ID: 3097575430-194360491
Opcode ID: a75f79da513a266e21e936daa3ffa2ab2827f604bbfb2ec08a645f7f6148cba8
Instruction ID: f7a10a45aee5e804e5554c0c84cfad89ab48cdf9e4ce43fb18ba53d8ba0778da
Opcode Fuzzy Hash: a75f79da513a266e21e936daa3ffa2ab2827f604bbfb2ec08a645f7f6148cba8
Instruction Fuzzy Hash: 09219A35700214AFDB249F59D844BAE77B8AF04366F10812AF515DA290DB7CCA00CB18

Function 00401065 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040106A

Part of subcall function 0042CF96: __EH_prolog.LIBCMT ref: 0042CF9B

Part of subcall function 0041AA24: ShowWindow.USER32(?,?,0042567E,00000000,?,00425307,00000800,000000FF), ref: 0041AA32

UpdateWindow.USER32(?), ref: 00401114

Strings

Local AppWizard-Generated Applications, xrefs: 00401085

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: H_prologWindow$ShowUpdate
String ID: Local AppWizard-Generated Applications
API String ID: 3134774084-3869840320
Opcode ID: aee13531ef85e989eab3f896029f95cb0aec5ffb2427248da2dae0fd544f760d
Instruction ID: eb3b9fcdc81eb187aeda14bdc4a92a3655f99a8a23c5c227c07eb78f889adc0a
Opcode Fuzzy Hash: aee13531ef85e989eab3f896029f95cb0aec5ffb2427248da2dae0fd544f760d
Instruction Fuzzy Hash: 89110531B01210ABCB18FBA6E913B9E76B59F84714F10012FF112A32E1DFBC5A01C65D

Function 004290E2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004290E7
SetRectEmpty.USER32(?), ref: 0042916B

Strings

DD, xrefs: 00429108

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: EmptyH_prologRect
String ID: DD
API String ID: 3423232085-194360491
Opcode ID: 6a6e61a623a00964436f836d32c6ed32e132278a6d5cbc13ac7fe8a2e2b92db8
Instruction ID: 0f0370e7f53ffa22ed5a8dbb317500a8413348f35a1b1fbbb851ead9399ff110
Opcode Fuzzy Hash: 6a6e61a623a00964436f836d32c6ed32e132278a6d5cbc13ac7fe8a2e2b92db8
Instruction Fuzzy Hash: 9F21CBB0A01B509FD3209F6AC54179AFBF8BFA1314F008A1FD1EA826A1CBB46540CF52

Function 0040E008 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,0040DDD0,00000000,00000000,00000000,0040A4C8,00000000,00000000,?,00000000,00000000,00000000), ref: 0040E030
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,0040DDD0,00000000,00000000,00000000,0040A4C8,00000000,00000000,?,00000000,00000000,00000000), ref: 0040E064
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0040E07E
HeapFree.KERNEL32(00000000,?), ref: 0040E095

Memory Dump Source

Source File: 00000003.00000002.1301253469.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1301232236.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301307548.0000000000434000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301337803.0000000000441000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301383719.0000000000446000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301406495.000000000044B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301434374.000000000044C000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301454176.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000451000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301477923.0000000000454000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1301524591.0000000000457000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_look2.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 36025868dbcf288fbceeb8b1ad5db0684caf53a44205f3853954b93baf7b72bb
Instruction ID: ab96931628ef73639624908ce36ffc80b87ec16b123623a92d249a54e411fdb9
Opcode Fuzzy Hash: 36025868dbcf288fbceeb8b1ad5db0684caf53a44205f3853954b93baf7b72bb
Instruction Fuzzy Hash: 76112B70200B019FCB218F69EC95D627BB5FB957227601A39E252D69B1D371EC55CF08

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U4ee3#U7406.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Windows Analysis Report
#U4ee3#U7406.exe

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre